Expert Advice Community

Regarding "information security objectives and planning to achieve them

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

There is a requirement to document information security objectives and plans to achieve them.
DejanK Jan 12, 2016

Is a separate document required for this requirement, with all the plans and dates to achieve them?

Answer: General information security objectives are usually documented in the Information Security Policy or some other related document; you can document specific security objectives in the Statement of Applicability or in a completely separate document.

Plans to achieve objectives are usually documented through the Risk Treatment Plan.

These articles will help you:

ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

Guest post Jan 12, 2016

Hi Dejan,

About this question, is it possible to satisfy two required documents with only one document?

Requirement 6.2 lists the "Information security objectives" as a required document. Can I include this requirement 6.2 in the "Information Security Policy" (requirement 5.2), for example? Or what is your recommendation?

Thank you

Best regards

AntonioS Jan 12, 2016

In accordance with clause 5.2 b) "Top management shall establish an information security policy that includes information security objectives (see 6.2) or provides the framework for setting information security objectives", you can include objectives in the Information Security Policy.

And yes, you can have a single document for all objectives (general and specific security objectives), but it is not our recommendation, because they are different types of objectives and we think it is better to separate them into different documents (the policy for general objectives and the SoA for specific ones).

Finally, remember that you can use our templates: Information Security Policy https://advisera.com/27001academy/documentation/information-security-policy/ and the Statement of Applicability https://advisera.com/27001academy/documentation/statement-of-applicability/
