Taking the ISO 27001 certification exam?
Get a bundle with FREE Live Virtual Training
(regular price US$ 199)
LIMITED-TIME OFFER – EXPIRES ON MAY 17, 2022

Expert Advice Community

Guest

Revisione

  Quote
Guest
Guest user Created:   Oct 27, 2021 Last commented:   Oct 27, 2021

Revisione

Good evening, the inspector who will carry out the audit reported the following documents to us: Organization chart, Integrated System Manual (or equivalent), Information security policy, Context analysis, Applicability statement, Risk analysis, Asset List, Continuity Plan, Disaster Recovery, Last Management Review. Internal Audit Results and Reports. Do you have any information on those documents that they have requested from us but which are not present in the kit?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Oct 27, 2021

I’m assuming that by the inspector you mean certification auditor.

The following documents are not mandatory for ISO 27001 and templates for them are not included in the toolkit to avoid the unnecessary administrative effort to manage documents. You should ask for clarification from the auditor about the need for these documents:
- Organization chart
- Integrated System Manual (or equivalent)
- Context analysis
- Continuity Plan

The following are the documents required by ISO 27001, and templates for them can be found in the toolkit as follows:
- Information Security Policy, located in folder 4 General Policies
- Applicability statement, located in folder 6 Applicability of Controls (Statement of Applicability)
- Risk analysis, located in folder 5 Risk Assessment and Risk Treatment (Risk Assessment Table)
- Management Review, located in folder 11 Management Review (Management Review Minutes) 
- Internal Audit Report, located in folder 10 Internal audit

Please note that although the documents are nearly 90% complete, they still need to be customized by the customer for use in the organization (e.g., Information Security Policy), or the activities related to them need to be performed so results can be recorded (e.g., for Management Review, and Audit Report). 

These are the documents required by ISO 27001 only if specific controls are deemed applicable in the SoA, and they can be found in the toolkit as follows:
- Asset List, located in folder 8 Annex A Security Controls >> A.8 Asset Management
- Disaster Recovery, located in folder 8 Annex A Security Controls >> A.17 Business Continuity

These articles will provide you a further explanation about ISO 27001 mandatory documents:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 27, 2021

Oct 27, 2021

Suggested Topics