Number of policies and procedures required by Annex A
Assign topic to the user
ISO 27001 does not prescribe the number of policies or procedures to be written, so you can choose the approach that best fits your needs.
From the new set of ISO 27001 Annex A controls, only controls A.5.10 (Acceptable use of information and other associated assets), A.5.26 (Response to information security incidents), and A.5.31 (Legal, statutory, regulatory and contractual requirements), requires documentation (but does not specify they need to be separated documents).
The main criteria to decide the number of documents to be written are their content (i.e., if each one covers similar purposes) and if by writing them this way they would not become documents too big to understand or read.
So, in this case, if a single document covering several controls becomes too big to use and manage, you should consider writing separate documents.
These articles will provide you a further explanation about developing policies:
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
Our ISO 27001 Documentation Toolkit has 45 documents that cover the mandatory documents, and the most commonly used ones, providing an optimized quantity of documents for small and mid-sized organizations. You can see a demo of them at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Regarding ISO 27002, please note that while it is not mandatory for the implementation of ISO 27001, it provides guidance and recommendation about how to implement controls from Annex A (ISO 27001 Annex A only provides the requirements of the controls, not how to implement them).
For further information, see:
- 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
Comment as guest or Sign in
Mar 09, 2022