I am busy with the implementation of an ISMS at one of my clients and have a question to ask: What is the situation with regard to the organisational structure, e.g. committees, forums, workgroups, etc.? Should these all be described and documented? Maybe also include Terms of Reference for each and then explain reporting lines and decision-making capabilities within each committee or forum?
Answer:
Yes, you can consider committees, forums, workgroups, etc. for the organizational structure. Some companies use the term "Security committee", although it was only mandatory in the old version, ISO 27001:2005; in the current version, ISO 27001:2013, it is just a best practice, so it is not necessary to document it. Regarding your second question, I am not sure what you mean, but after each committee, forum or meeting it is important to generate minutes (these minutes can include reporting lines, decisions, conclusions, etc.), which can be used as evidence. This article can be interesting for you: "Records management in ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
And also this article about the list of mandatory documents and records of ISO 27001:2013: "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Jan 13, 2016