Expert Advice Community


Mandatory and non-mandatory documents

Guest user | Created: Dec 05, 2018 | Last commented: Dec 05, 2018

I saw your documentation on mandatory and non-mandatory documents. I want to know how we decide whether something is mandatory or not. For example, for 7.2 Competence, there is no document in your templates... how will the auditor assume this is non-mandatory?
Expert
Rhand Leal Dec 05, 2018

Answer:

In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”. Considering section 7.2 Competence, all requirements are mandatory (from a to d), and the single one requiring documentation is the retention of evidence of competence (item 7.2 d). Examples of evidence are certificates, university degrees, work declarations and attendance lists, which have their own formats, making it unfeasible to define a single template for them. This means you have to conduct all the activities mentioned in a to c, but you do not have to document them (this is why there is no policy in our toolkit for that purpose) - what you need to have are records related to 7.2 d) mentioned above.

These articles can be helpful for you:
- Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/