Guest
SoA - controls
When the status of a control says "Planned" and there is no document but only a task there, does this mean we need to develop our own policy? For example, control A 6.1.2. has the status "Planned"; however, the implementation method is a task and there are no documents.
How do I cover this and controls with similar status? Do I need to develop my own policies in that case?
Expert
Rhand Leal
Jan 13, 2022
When only a task is defined as the implementation method of a control, it means that this control does not require specific documentation, so you do not need to develop your own policy or procedure.
In cases like this, you only need to provide a record showing that the task was performed. For example, for control A.6.1.2 you only need to provide a list of which activities were divided. For control A.6.1.3 you need to provide a list of which authorities need to be contacted.
For further information, see:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/