Expert Advice Community

SOA Documentation

Guest user Created: Dec 23, 2019 Last commented: Dec 23, 2019
Regarding SOA:
  1. Do we have to prepare the Documentation for each and every Control mentioned in SOA or prepare only mandatory Documents (the ones mentioned in the List of Docs attached)? Since ISO does not say to document each and every Control.
  2. If we need to prepare only mandatory Docs, then will other docs also be checked during the Stage 1 Audit of ISO 27001?
  3. While preparing SOA, can we only prepare the Docs which are relevant to the Organization and exclude the ones which are not organization relevant?

Expert
Dejan Kosutic Dec 23, 2019

Here are the answers:

Do we have to prepare the Documentation for each and every Control mentioned in SOA or prepare only mandatory Documents (the ones mentioned in the List of Docs attached)? Since ISO does not say to document each and every Control.

Answer: As you mentioned, ISO 27001 does not require you to create a document for each control. You should prepare only the documents that are mandatory (e.g. Access control policy) + the documents that you think will be useful for you (for example, you might decide that BYOD Policy will be useful because lots of your employees are bringing their own devices). Bear in mind that if you declared a control as not applicable in your Statement of Applicability, then you do not have to write any document for it (even if it is marked as mandatory). 

See also this article: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

If we need to prepare only mandatory Docs, then will other docs also be checked during the Stage 1 Audit of ISO 27001?

Answer: The certification auditor will check all the ISMS documents you have written, it does not matter if they are mandatory or not. 

See also: What to expect at the ISO certification audit: What the auditor can and cannot do https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit 

While preparing SOA, can we only prepare the Docs which are relevant to the Organization and exclude the ones which are not organization relevant?

Answer: As mentioned in the first answer, you need to write the documents that are mandatory + those that you consider useful for your company. You should exclude the documents that you did not find useful, but also the documents that are related to controls that you declared as not applicable in your Statement of Applicability. 
