The inspector who will carry out the audit reported the following documents to us:
- Integrated System Manual (or equivalent)
- Information security policy
- Last Management Review
- Internal Audit Results and Reports
Do you have any information on those documents that they have requested from us but which are not present in the kit?
I’m assuming that by the inspector you mean the certification auditor.
The following documents are not mandatory for ISO 27001 and templates for them are not included in the toolkit to avoid the unnecessary administrative effort to manage documents. You should ask for clarification from the auditor about the need for these documents:
- Organization chart
- Integrated System Manual (or equivalent)
- Context analysis
- Continuity Plan
The following are the documents required by ISO 27001, and templates for them can be found in the toolkit as follows:
- Information Security Policy, located in folder 4 General Policies
- Applicability statement, located in folder 6 Applicability of Controls (Statement of Applicability)
- Risk analysis, located in folder 5 Risk Assessment and Risk Treatment (Risk Assessment Table)
- Management Review, located in folder 11 Management Review (Management Review Minutes)
- Internal Audit Report, located in folder 10 Internal audit
Please note that although the documents are nearly 90% complete, they still need to be customized by the customer for use in the organization (e.g., Information Security Policy), or the activities related to them need to be performed so results can be recorded (e.g., for Management Review, and Audit Report).
These are the documents required by ISO 27001 only if specific controls are deemed applicable in the SoA, and they can be found in the toolkit as follows:
- Asset List, located in folder 8 Annex A Security Controls >> A.8 Asset Management
- Disaster Recovery, located in folder 8 Annex A Security Controls >> A.17 Business Continuity