Reference documents
How can we estimate which documents are connected to the information security guideline? The ones I would guess (document about the scope; methodology for risk assessment and risk treatment; SoA; list of legal, official, contractual and other requirements, etc.) are already named above.
Would you mind giving me some key documents we have to add (besides the already named ones), only for ISO 27001, ISO 22301 excluded? I got the feeling the comment (I talked about before) described it for ISO 27001 and ISO 22301.
Answer:
The best way is to ask the heads of each unit, and the key users of the processes, included in the ISMS scope. After you brief them on the purpose of the ISMS and show them which documents you have already identified, they will be able to tell you if any necessary document that can be used to define requirements for information security is missing (most probably, all necessary documents will already be on your list of legal and other requirements).
Without knowing the details of your ISMS scope, the established security objectives, and the list of documents you already have, we cannot provide insights on what you have to add without the risk of leading you into an error, but as an example, you may consider a methodology for project management (if there is one different from the one used for implementing the ISMS).
And you are right in the assumption that the comment applies both to ISO 27001 and ISO 22301.
Apr 27, 2019