Expert Advice Community

Guest

Mandatory ISO 27001 documents and major nonconformity

  Quote
Guest
Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

Mandatory ISO 27001 documents and major nonconformity

I have a question, I find a list of mandatory documents and records and Non-mandatory documents that I should prepare for external auditor as I will mentions them below:
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Guest
DejanK Jan 13, 2016
* Scope of the ISMS (clause 4.3)
* Information security policy and objectives (clauses 5.2 and 6.2)
* Risk assessment and risk treatment methodology (clause 6.1.2)
* Statement of Applicability (clause 6.1.3 d)
* Risk treatment plan (clauses 6.1.3 e and 6.2)
* Risk assessment report (clause 8.2)
* Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
* Inventory of assets (clause A.8.1.1)
* Acceptable use of assets (clause A.8.1.3)
* Access control policy (clause A.9.1.1)
* Operating procedures for IT management (clause A.12.1.1)
* Secure system engineering principles (clause A.14.2.5)
* Supplier security policy (clause A.15.1.1)
* Incident management procedure (clause A.16.1.5)
* Business continuity procedures (clause A.17.1.2)
* Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And here are the mandatory records:
Records of training, skills, experience and qualifications (clause 7.2)
* Monitoring and measurement results (clause 9.1)
* Internal audit program (clause 9.2)
* Results of internal audits (clause 9.2)
* Results of the management review (clause 9.3)
* Results of corrective actions (clause 10.1)
* Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

please explain me how can I determine which of this mandatory DOCs are minor and witch of them is major? and I have to prepare all of these DOCs and if i don't have one of them the external audit maybe don't accept and get a Certifation or it is not important if we don't have all of these procedure in our company??

Answer:

I'm not sure what do you mean by "major" and "minor" documents? All the documents and records that you listed are mandatory according to ISO 27001, so if you don't have any of them the certification auditor will raise a major nonconformity.

These articles will help you:

8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 13, 2016

Jan 13, 2016

Suggested Topics