
Expert Advice Community

Questions regarding ISO27001 documentation

Guest user Created:   Oct 26, 2021 Last commented:   Oct 26, 2021


I’m writing to you on behalf of the company *** and its CEO ***, who bought the ISO27001 toolkit. Here are some questions I would like to ask.

1 - In the pack that we bought, we can’t find the document regarding Business Continuity Strategy. First I thought that it is the same as the Disaster Recovery Procedure, but after having a look here https://advisera.com/27001academy/documentation/business-continuity-strategy/, I found out that this is not the case. Could we receive a .doc Italian version of this document, like we did for the rest?

2 - All along the instructions we can see that the documents refer to clauses (e.g. A.17.2.1, 7.5…). These clauses sometimes match with the code of controls, other times they don’t. Do these clauses refer to controls or not? If yes, why don't they always match? If not, what do they refer to, and is there a list of clauses?

3 - In our documents we put the reference documents towards the end of the documents, in the same table with the records. Is that ok, or is it better to separate them and put the Reference documents at the beginning of the documents like you did?

4 - In some of our documents/policies we describe the Violations of the Policies in a dedicated paragraph, while in your documents we don’t find them. Can we keep these paragraphs regarding Policy Violations or not?

5 - Can we put a document/section with the Organisation chart emphasising the key figures with responsible roles in the ISMS? And linked to this topic, two more questions: could we use a RACI matrix in the documents? Could you suggest the best way to call these figures in Italian?

Thank you in advance for your help and have a nice weekend.

Expert: Rhand Leal, Oct 26, 2021

1 - In the pack that we bought, we can’t find the document regarding Business Continuity Strategy. First I thought that it is the same as the Disaster Recovery Procedure but after having a look here https://advisera.com/27001academy/documentation/business-continuity-strategy/, I found out that this is not the case. Could we receive a .doc italian version of this document, like we did for the rest?

ISO 27001 aspects of the business continuity process (section A.17 from ISO 27001 Annex A) are related to ensuring the availability of information and information systems during either crisis or disaster situations, so a Business Continuity Strategy document is not mandatory for this standard, and you will only need the DRP template included in your toolkit. In this DRP template, in the first row of the table in section 3, you can describe an overview of your Business Continuity Strategy (this will be sufficient for ISO 27001 purposes).

2 - All along the instructions we can see that the documents refer to clauses (e.g., A.17.2.1, 7.5…). These clauses sometimes match with the code of controls, other times they don’t. Do these clauses refer to controls or not? If yes, why don't they always match? If not, what do they refer to and is there a list of clauses?

Please note that references to controls from ISO 27001 Annex A start with “A.” (e.g., A.17.2.1 refers to control Availability of information processing facilities), while references to clauses from the main part of the standard (clauses 4 to 10) start with a number (e.g., 7.5 refers to Documented information).

This material can provide you more information about ISO 27001 clauses:
- Clause-by-clause explanation of ISO 27001: https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

3 - In our documents we put the reference documents towards the end of the documents in the same table with the records. Is that ok or is it better to separate them and put the Reference documents at the beginning of the documents like you did?

You can keep your reference documents as you define them. ISO 27001 does not prescribe this level of detail in formatting documents, so organizations can define the content order as best it fits them.

4 - In some of our documents/politics we describe the Violations of the Politics in a dedicated paragraph while in your documents we don’t find them. Can we keep these paragraphs regarding Politics Violation or not?

You can keep your paragraph dedicated to Violations of the Politics in your documents. ISO 27001 does not prescribe this level of detail in document content, so organizations can define the content as best it fits them.

5 - Can we put a document/section with the Organisation chart emphasising the key figures with responsible roles in ISMS? And linked to this topic two more questions: could we use a RACI matrix in the documents? Could you suggest the best way to call these figures in Italian?

Key roles and responsibilities for the ISMS are included in the Information Security Policy template (section 4.4). Please take a look to see if the information in this section of the template can fulfill your needs. If yes, you can include the organizational chart there, but you can also develop a separate document to present this chart.

Regarding the RACI matrix, you can use it in the documents, as a means to provide a quick view about how something needs to be done, but please note that required responsibilities are already defined alongside the documents, and you need to ensure the RACI matrix covers them properly.

In the Italian version of the toolkit we translated the ISMS roles in various policies and procedures where we found an appropriate term in Italian; the rest are left in English.
