Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

Policy author

  Quote
Guest
Guest user Created:   Jun 18, 2020 Last commented:   Jun 18, 2020

Policy author

I am implementing ISO 27001:2013 standard for a client in ***.

My client has outsourced the ISO 27001:2013 policy development to an external consultant, and since the documentation is procured, all policy document has the external consultant name as the "Author".  The policies are reviewed and approved by the client's CISO and Management representative.

Does this comply with
7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);

The external auditor has raised an objection for having an external consultant as the author of the policy.

Appreciate your inputs on the same.

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jun 18, 2020

ISO 27001 does not prescribe that documents' author must be part of the organization, so by the standard the fact that the author is an external consultant is not a problem.

The auditor's concern may be related to the fact that an external consultant generally does not have deep knowledge of an organization to properly develop the documents.

In this case, you need to ensure that documents are evaluated and approved by personnel with the proper competencies to do that, so they can validate that the documents fulfill the needs of the organization. For example, the Information security policy must be evaluated and approved by the CISO and Top manager of the ISMS scope (e.g., the CEO if the scope is all the organization or the department head if the scope is limited to a single department), and IT-related policies (e.g., backup policy; IT procedures, etc.) need to involve the IT manager.

Provided that personnel from the organization with proper competencies are involved in the review and approval of documents, it should not be a problem who is writing them.

This article will provide you a further explanation about creating documents:

This material will also help you regarding creating documents:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 18, 2020

Jun 18, 2020

Suggested Topics

Rena Created:   Sep 15, 2021 ISO 27001 & 22301
Replies: 1
0 0

Conformio ISO Documentation

Guest user Created:   Mar 13, 2020 ISO 27001 & 22301
Replies: 1
0 0

Developing documents