I am implementing ISO 27001:2013 standard for a client in ***.
My client has outsourced the ISO 27001:2013 policy development to an external consultant, and since the documentation is procured, all policy documents have the external consultant's name as the "Author". The policies are reviewed and approved by the client's CISO and Management representative.
Does this comply with the following clause?
7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
The external auditor has raised an objection to having an external consultant as the author of the policy.
I would appreciate your input on this.
ISO 27001 does not prescribe that a document's author must be part of the organization, so by the standard the fact that the author is an external consultant is not a problem.
The auditor's concern may be related to the fact that an external consultant generally does not have deep knowledge of an organization to properly develop the documents.
In this case, you need to ensure that documents are evaluated and approved by personnel with the proper competencies to do that, so they can validate that the documents fulfill the needs of the organization. For example, the Information security policy must be evaluated and approved by the CISO and the top manager of the ISMS scope (e.g., the CEO if the scope is the whole organization, or the department head if the scope is limited to a single department), and IT-related policies (e.g., backup policy, IT procedures, etc.) need to involve the IT manager.
Provided that personnel from the organization with the proper competencies are involved in the review and approval of documents, it should not be a problem who writes them.
These articles will provide you with further explanation about creating documents:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
This material will also help you with creating documents:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
Jun 18, 2020