Policies and procedures

Guest user. Created: Jan 13, 2016. Last commented: Jan 13, 2016

AntonioS Jan 13, 2016

I need some clarity over what must be policy according to ISO27001 2013.  I used a document called "List of Documents IS27001 Premium Documentation Toolkit" (Attached) which states all document names and whether they are "Mandatory according to ISO27001". Why would something non-mandatory be a policy?

Would an ISO27001 assessor criticise an organisation for having a procedure (rather than a policy) in these non-mandatory areas?


Answer:

Right, a non-mandatory document can be a policy, for example the “Information Classification Policy”. This is so because the standard ISO 27001:2013 does not establish for the control “A.8.2.1 Classification of information” that you need to have a document. Read the description: “Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification”. However, in the description of the control “A.9.1.1 Access control policy” you can read “An access control policy shall be established, documented and reviewed based on business and information security requirements”. So, when you see in the standard “…shall be documented…” you need a document (mandatory). If not, it can be a best practice to have a document, but it is non-mandatory.
Yes, generally an ISO 27001 assessor could criticize you, because the most logical thing is to have a policy for those controls that are related to policies: “A.6.2.1 Mobile device policy” (non-mandatory to have a document), “A.10.1.1 Policy on the use of cryptographic controls” (non-mandatory to have a document), etc.
You can have a procedure, for example “Use of Mobile Devices”, where you can detail how to use mobile devices in the organization, but you can include the basic rules in a policy. So, my recommendation is that if you want to have a document for a non-mandatory area and it is related to a policy, you can have a procedure and also a policy, because they are different things.
Finally, maybe this article can be interesting for you: “8 criteria to decide which ISO 27001 policies and procedures to write”: https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
