I am conscious that this process generates a lot of paperwork, and one of the pushbacks from the business is that it will become too cumbersome to manage and things will get missed or ignored because it is unrealistic to maintain and make people aware of everything. Ultimately, we don't want this just to become a tick-box exercise and lose sight of why we are doing it. I would be interested in knowing how other companies have addressed this, i.e. have they consolidated all the documents into a single document, or grouped certain policies and documents together?
Answer:
Generally, the number and complexity of documents is adapted to the particular needs of each company. Please read this article for more information: "8 criteria to decide which ISO 27001 policies and procedures to write": https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
By the way, in accordance with ISO 27001, there are some mandatory documents; you can see the list here: "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Jan 13, 2016