Mandatory processes for ISO 27001:2013 external communications relevant to ISMS
1) ISO 27001:2013 requires you to define a communication process, although there is no requirement that such a process must be documented. Therefore, you have the following options: (a) to have such a process without documenting it, (b) to write a separate procedure for communication, or (c) to include communication procedures in your other documents, e.g. in the Incident Management procedure.
2) If speaking about mandatory documents, there are many documents that are required in all four phases of the PDCA cycle; you can see their list here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Dear Dejan, my question yesterday was regarding mandatory procedures, not other documents. What other procedures are mandated in ISO 27001:2013, apart from Risk Assessment/Treatment and Incident Management?
ISO 27001:2013 does not separate procedures from other types of documents, because it allows you the flexibility to write your documentation as you see fit; therefore, I don't think it is a good idea to think of procedures separately from other types of documents.
To answer your question directly, the word "procedure" is not mentioned in the main part of ISO 27001:2013. In Annex A it is mentioned in a couple of controls, but only in controls A.12.1.1 Documented operating procedures, A.16.1.5 Response to information security incidents, and A.17.1.2 Implementing information security continuity does it require documenting the procedures.
By the way, a procedure must be written down only if the standard expressly mentions "documented" next to "procedure".
Jan 12, 2016