
Expert Advice Community

SOA

Created: Nov 06, 2020 | Last commented: Nov 06, 2020


Hi Dejan,

Thanks for the feedback, it was useful. We've incorporated everything already, but I still have an open question: you mentioned that if a control is selected by "management decision" we should specify where/when this decision was taken (e.g., meeting minutes). But it happens that most of these controls are actually already implemented and we just "do it like this", without having documentation for it (e.g., we never held a meeting for it, or it was a long time ago, without minutes).

How do you suggest we proceed with this?
- Shall I explain this situation in the SOA document (for example write "management decision: control already in place before the implementation of the ISMS")
- Would it be preferable maybe to hold a meeting to ratify that these are the controls we want, so there is documentation of it?
- Any other suggestions?

Thanks!


Expert
Rhand Leal Nov 06, 2020

I'm sorry about the confusion, but my colleague Dejan did not mention that management decisions for implemented controls need a separate document - instead, you can simply state in your Statement of Applicability under the justification 'Management decision' or similar.
