Mandatory policies
Hi, I have a question re mandatory policies.
Do they need to be stand-alone policies? Or can they be combined? For example, combining Risk assessment and risk treatment methodology (clause 6.1.2), Risk treatment plan (clauses 6.1.3 e and 6.2), and Risk assessment report (clause 8.2) policies into one Risk Management policy?
ISO 27001 does not prescribe how to develop documents, but it is important to note that you are talking about different types of documents.
The Risk Assessment and Risk Treatment Methodology is a procedure (it defines how risk assessment and risk treatment are performed), developed once and updated as needed, while the Risk Treatment Plan and the Risk Assessment Report are records (the first contains the results of risk assessment and the second a summary of the risk assessment and treatment results), which can be generated multiple times and are not normally updated.
Considering that, procedures and records should not be merged in a single document, because of the dynamic nature of records (after some time you would have an unmanageable document basically containing records).
Regarding the Risk Treatment Plan and the Risk Assessment Report, they are not normally merged because the report is a summary, and the Risk Treatment Plan is normally referred to as an annex to the Risk Assessment Report.
These articles will provide you a further explanation about risk management and records management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
These materials will also help you regarding risk management and records management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
Jul 21, 2020