Expert Advice Community


Policy documentation

Guest
Guest user Created:   May 07, 2018 Last commented:   May 08, 2018


I do have a question and it surrounds control 9.1.1. We have recently streamlined a lot of our ISMS documentation and policies as they were just too wordy and difficult to use. We have a folder of SOPs (standard operating procedures) which are clear instructions on how to manage a given process and why. It covers a lot of the necessary information but in a nice succinct and user-friendly way. I'm just preparing an audit on Access Control and, although we have an SOP on User Registration, User Joining and User Leaving (the company) which covers off a lot of the items listed in 9.1.1 of 27002 a-k, there is no stand-alone policy. I see this as an opportunity for improvement; however, I am also mindful of the fact that the company wishes to keep it all streamlined and has moved away from wordy policies, which can be more of a hindrance to the staff. I wonder if an external auditor would likely pick up on this or, if all items listed in 9.1.1 a-k (27002) are covered off, whether that would suffice? I would welcome some help with this.


Expert
Rhand Leal May 07, 2018

Answer: ISO 27001 does not prescribe a way to organize information on documents, only requirements regarding how to create, update and control them, so organizations are free to define how to control documents in the way that best fits them.

Considering that, it is not required that you have a stand-alone policy, and it is not necessary to document everything mentioned in ISO 27002, provided you are able to demonstrate that the requirements for the policy are fulfilled according to the results of your risk assessment.

Regarding the external auditor's evaluation, since there is no prescribed documentation format, if your documents, records and operation fulfil the requirements of control A.9.1.1, this will be enough.

These articles will provide you with further explanation about documentation control:
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

Guest
ecb129 May 08, 2018

I think it's the wording in 27002 that is confusing me. When I read it, I'm taking it as gospel. In point 9.1.1 the wording reads 'An access control policy should be established, documented and reviewed based on business and information security requirements'. I interpret the 'should' part as meaning obligatory. Is 27002 just for guidance but not written in blood? I can't find anything anywhere in the document that implies that. The mandatory documents list has it on there too. I'm getting conflicting information basically.

Expert
Rhand Leal May 10, 2018

In the ISO world, mandatory requirements/documents are related to the words "must" or "shall", while non-mandatory requirements/documents are related to the words "may" or "should". In ISO 27002, since it provides recommendations for the implementation of controls that may be required as a result of a risk assessment, you will find the guidance ruled by "should", i.e., you only have to consider the recommendations that will help handle the risks you identified as unacceptable.

You can find more information in this article: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
