Mandatory processes for ISO 27001:2013 external communications relevant to ISMS

Guest post Created:   Jan 12, 2016 Last commented:   Jan 12, 2016


1. Please see clause 7.4e: "....the internal shall include 'the processes by which communication shall be effected'....." Does it mean the standard is mandating a 'Communications process'?

2. Apart from the above, I think the standard mandates only Risk Assessment and Risk Treatment processes/plans. All other mandated docs are implementation-level evidence. Am I right?
DejanK Jan 12, 2016
1) ISO 27001:2013 requires you to define a communication process, although there is no requirement that such a process must be documented. Therefore, you have the following options: (a) to have such a process without documenting it, (b) to write a separate procedure for communication, or (c) to include communication procedures in your other documents - e.g. in Incident management procedure.

2) If speaking about mandatory documents, there are many documents that are required in all four phases of PDCA cycle - you can see their list here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Guest post Jan 12, 2016
Dear Dejan, my question yesterday was regarding mandatory procedures, not other docs. What other procedures are mandated in ISO 27001:2013, apart from Risk Assessment/ Treatment and Incident Management?
DejanK Jan 12, 2016
ISO 27001:2013 does not separate procedures from other types of documents because it allows you the flexibility to write your documentation as you see fit - therefore, I don't think it is a good idea to think of procedures separately from other types of documents.

To answer your question directly, the word "procedure" is not mentioned in the main part of ISO 27001:2013. In Annex A it is mentioned in a couple of controls, but only in controls A.12.1.1 Documented operating procedures, A.16.1.5 Response to information security incidents, and A.17.1.2 Implementing information security continuity does it require documenting the procedures.

By the way, a procedure must be written down only if the standard expressly mentions "documented" next to "procedure".