We have bought your tool kit for the implementation of ISO27001:2013, and I’ve used the summary enclosed in this mail as a guideline to what we need to implement, as we are on a very tight timeline.
Yesterday I was in a meeting with a consultant that we have hired to prepare us for the upcoming certification process. He then asked why I had not produced documents according to the demands in the Annex, to which I replied that they are not mandatory for the certification.
He did not agree. My instructions to him have been that we need to apply the least amount of documentation to implement new routines and at the same time get certified. It is our absolute goal to fulfil and implement all requirements, but we have to take it slow as I have another full-time job at our company. I’ve taken on this job as it is often a requirement from my customers and we need to have the certification ASAP. It is, however, agreed that we also need the policies and instructions to live by, but the further job of implementing and creating new ways to get our job done will not be led by me but by a newly recruited CISO (who has not yet started).
I’m sorry for the long mail, but I need clarification on this question. We now have 4 weeks left until the pre-revision, and I must know if I have to make sure that all documentation is produced. I have implemented a lot and initiated other changes, but the documents are not ready, and neither is the implementation completed, because I thought I had more time. I would therefore very much like to hear your opinion on the matter.
Examples (not a complete list) that are not mandatory according to your overview are:
A.8.3 Information Classification Policy
A.11.1 Clear Desk and Clear Screen Policy (Note: it may be implemented as part of IT Security Policy)
A.13 Information Transfer Policy (Note: it may be implemented as part of Security Procedures for IT Department)
A.17.2 Business Impact Analysis Methodology