SOA Documentation
- Do we have to prepare the Documentation for each and every Control mentioned in the SOA, or prepare only the mandatory Documents (the ones mentioned in the List of Docs attached)? ISO does not say to document each and every Control.
- If we need to prepare only the mandatory Docs, will the other docs also be checked during the Stage 1 Audit of ISO 27001?
- While preparing the SOA, can we prepare only the Docs which are relevant to the Organization and exclude the ones which are not relevant to the organization?
Here are the answers:
Do we have to prepare the Documentation for each and every Control mentioned in the SOA, or prepare only the mandatory Documents (the ones mentioned in the List of Docs attached)? ISO does not say to document each and every Control.
Answer: As you mentioned, ISO 27001 does not require you to create a document for each control. You should prepare only the documents that are mandatory (e.g. Access control policy) + the documents that you think will be useful for you (for example, you might decide that BYOD Policy will be useful because lots of your employees are bringing their own devices). Bear in mind that if you declared a control as not applicable in your Statement of Applicability, then you do not have to write any document for it (even if it is marked as mandatory).
See also this article: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
If we need to prepare only the mandatory Docs, will the other docs also be checked during the Stage 1 Audit of ISO 27001?
Answer: The certification auditor will check all the ISMS documents you have written; it does not matter whether they are mandatory or not.
See also: What to expect at the ISO certification audit: What the auditor can and cannot do https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit
While preparing the SOA, can we prepare only the Docs which are relevant to the Organization and exclude the ones which are not relevant to the organization?
Answer: As mentioned in the first answer, you need to write the documents that are mandatory + those that you consider useful for your company. You should exclude the documents that you did not find useful, but also the documents that are related to controls that you declared as not applicable in your Statement of Applicability.
Dec 23, 2019