Questions regarding ISO27001 documentation
1 - In the pack that we bought, we can't find the document regarding the Business Continuity Strategy. At first I thought that it was the same as the Disaster Recovery Procedure, but after having a look here, I found out that this is not the case. Could we receive a .doc Italian version of this document, like we did for the rest?
The ISO 27001 aspects of the business continuity process (section A.17 of ISO 27001 Annex A) are related to ensuring the availability of information and information systems during either crisis or disaster situations, so a Business Continuity Strategy document is not mandatory for this standard, and you will only need the DRP template included in your toolkit. In this DRP template, in the first row of the table in section 3, you can describe an overview of your Business Continuity Strategy (this will be sufficient for ISO 27001 purposes).
2 - Throughout the instructions we can see that the documents refer to clauses (e.g., A.17.2.1, 7.5, ...). These clauses sometimes match the codes of the controls, and other times they don't. Do these clauses refer to controls or not? If yes, why don't they always match? If not, what do they refer to, and is there a list of clauses?
Please note that references to controls from ISO 27001 Annex A start with "A." (e.g., A.17.2.1 refers to the control "Availability of information processing facilities"), while references to clauses from the main part of the standard (clauses 4 to 10) start with a number (e.g., 7.5 refers to "Documented information").
This material can provide you with more information about ISO 27001 clauses: Clause-by-clause explanation of ISO 27001
3 - In our documents we put the reference documents towards the end of the document, in the same table as the records. Is that OK, or is it better to separate them and put the reference documents at the beginning of the documents, like you did?
You can keep your reference documents as you define them. ISO 27001 does not prescribe this level of detail in formatting documents, so organizations can define the content order as best it fits them.
4 - In some of our documents/policies we describe the violations of the policy in a dedicated paragraph, while in your documents we don't find them. Can we keep these paragraphs regarding policy violations or not?
You can keep your paragraph dedicated to policy violations in your documents. ISO 27001 does not prescribe this level of detail in document content, so organizations can define the content as best fits them.
5 - Can we put a document/section with the organisation chart emphasising the key figures with responsible roles in the ISMS? And, linked to this topic, two more questions: could we use a RACI matrix in the documents? Could you suggest the best way to name these figures in Italian?
Key roles and responsibilities for the ISMS are included in the Information Security Policy template (section 4.4). Please take a look at whether the information in this section of the template can fulfill your needs. If so, you can include the organizational chart there, but you can also develop a separate document to present this chart.
Regarding the RACI matrix, you can use it in the documents as a means to provide a quick view of how something needs to be done, but please note that the required responsibilities are already defined throughout the documents, and you need to ensure the RACI matrix covers them properly.
In the Italian version of the toolkit we translated the ISMS roles in various policies and procedures where we found an appropriate term in Italian; the rest are left in English.
Oct 26, 2021