Expert Advice Community

Number of policies and procedures required by Annex A

Guest user Created:   Mar 09, 2022 Last commented:   Mar 09, 2022

I listened carefully to your presentation at the webinar. I think I heard what I expected. I really wanted to know about the number of policies and the number of procedures required by Annex A of the standard. Standard 27002 is available for purchase, but I do not want to give about 200 euros just to read the answers to the above two questions. After that, I would no longer need this standard. I'll just buy the 27001 when it comes out in March. The table with the description of the new and merged controls from Annex A is useful to me. Thank you for it. With wishes for successful work.
Expert
Rhand Leal Mar 09, 2022

ISO 27001 does not prescribe the number of policies or procedures to be written, so you can choose the approach that best fits your needs.

From the new set of ISO 27001 Annex A controls, only controls A.5.10 (Acceptable use of information and other associated assets), A.5.26 (Response to information security incidents), and A.5.31 (Legal, statutory, regulatory and contractual requirements) require documentation (but the standard does not specify that they need to be separate documents).

The main criteria for deciding the number of documents to be written are their content (i.e., whether each one covers similar purposes) and whether writing them this way would make the documents too big to understand or read.

So, in this case, if a single document covering several controls becomes too big to use and manage, you should consider writing separate documents.

These articles will provide you with further explanation about developing policies:
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

Our ISO 27001 Documentation Toolkit has 45 documents that cover the mandatory documents, and the most commonly used ones, providing an optimized quantity of documents for small and mid-sized organizations. You can see a demo of them at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

Regarding ISO 27002, please note that while it is not mandatory for the implementation of ISO 27001, it provides guidance and recommendations about how to implement controls from Annex A (ISO 27001 Annex A only provides the requirements of the controls, not how to implement them).

For further information, see:
- 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
