Do we have to make procedures for all the controls below?
A 8.2.2 labeling of info
A 8.2.3 handling of assets
A 8.3.1 mgt of removable media
A 8.3.2 disposal of media
A 9.4.2 secure log-on procedures
A 11.1.5 working in secure areas
A 12.5.1 installation of software on operational system
A 13.2.1 info transfer policy & proc
A 14.2.2 system change control
A 15.2.2 managing changes to supplier services
A 16.1.1 responsibilities and proc
A 16.1.5 response to information security incident (done)
A 16.1.7 collection of evidence
A 17.1.2 info sec continuity
A 18.1.2 intellectual property rights
In the explanation of all these controls, it is mentioned that we need to create some procedures.
Answer:
Yes, you are right, you need procedures for these controls, but this does not mean that you need a document. A procedure is the way that you have to perform an activity, and a documented procedure is the procedure written in a document. It is only mandatory to have a document for the controls (and clauses) where you can read "The organization shall document", so for example it is mandatory to have a document for A.16.1.5 and for A.17.1.2. Here you can see the list of mandatory documents and records of ISO 27001:2013 (and the non-mandatory ones), "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
This article can also be interesting for you, "Explanation of the basic terminology in ISO standards": https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
Jan 13, 2016