Guest user Created: May 17, 2019 Last commented: May 17, 2019

Mandatory and non-mandatory documents

I'm a collage student and now I'm doing my undergraduates thesis about risk management with ISO 27001 controls as the mitigation guide. Or maybe it can be said ISMS planning. I have analyzed risks and got some high level risks that need to be mitigated. But the problem is I don't understand about ISO 27001 mandatory documents. How can we define the mandatory document for our planning or we have to do all the document list? Is it explained in ISO 27001 Information technology - Security techniques - Information security management systems - Requirements document? Can it be adjusted with the ISO 27001 control that we have chosen?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal May 17, 2019

Answer:

In ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non mandatory requirements/documents are related to words “may”or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment a nd risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)

Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happen:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) to which the organization must comply with that demands the application of the control
- There is a top management decision to implement the control, by considering it as good practice.

If none of the above conditions happen, there is no need to implement a document related to that control.

Besides the documents to fulfill clauses from the main sections, without a detailed evaluation of an organization, it is not possible to define how many documents an organization would have, and which ones would be an overkill.

These articles will provide you further explanation about ISO 27001 documents and selection of controls:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

May 17, 2019

Expert Advice Community