Hi Dejan, how are you doing?
I am implementing ISO 27001 in my organization and hoping you could give me some guidance.
Can you please share/suggest a list of evidence required against each mandatory clause (4-10) of ISO 27001?
Exactly what kind of evidence will suffice for the requirement of each mandatory clause?
In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happens:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
- There is a top management decision to implement the control, by considering it as good practice.
If none of the above conditions happens, there is no need to implement a document related to that control.
Besides the documents to fulfill clauses from the main sections, without a detailed evaluation of an organization, it is not possible to define how many documents an organization would have, and which ones would be an overkill.