SPRING DISCOUNT
Get 30% off on toolkits, course exams, and books.
Limited-time offer – ends May 26, 2022
Use promo code:
SPRING30

Expert Advice Community

Guest

Some questions about ISO 27001

  Quote
Guest
Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Some questions about ISO 27001

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Guest
AntonioS Jan 12, 2016

Q1) 'There is no policy or procedure in place listing the controls for documents of external origin.' 
So I need to work on the document control proc(or any doc which talks about doc mgmt.) and include topics on how to handle n manage the docs which are NOT prepared by my client.
I tried to list few documents of external origin:
Customer prints
Industry regulations
ISO Standards
References used for your documentation
Corporate guidance documents
Can you tell me what exactly is required when its said 'documents of external origin'?
 

Q2) How can I help the Management review to include 
(A) Changes in external & internal issues that are relevant to ISMS 
(B) Feedback on InfoSec performance on fulfillment of information security objectives as required by ISO 27001:2013) 
 

Q3) On clause 4.2, have tried discussing the same with Alan,..
@Alan : Please follow up on this one too
 

Answer:

Point 1: You are ok, furthermore can be external documents: reports of external auditors, project plans of your clients, and any document external to your organization (where the ISMS is implemented). Anyway, I suggest you that the control of external documents is almost the same as the control of internal documents. For more information, please read this article "Document management in ISO 27001 & BS 25999-2" : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
Point 2: (A) You need to request to any change to external/internal issues and you can develop a report with conclusions about this, (B) You can develop a report of conclusions of the risk assessment & treatment. Also these articles can be interesting for you:

Why is management review important for ISO 27001 and ISO 22301? : https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
How to perform monitoring and measurement in ISO 27001: https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
Point 3: Sorry but I do not understand this question. Can you reformulate it? Anyway, this article about interested parties  can be interesting for you “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 12, 2016

Jan 12, 2016

Suggested Topics

Guest user Created:   Jan 05, 2022 ISO 27001 & 22301
Replies: 5
0 0

Scope of the ISMS

Guest user Created:   Oct 18, 2021 ISO 27001 & 22301
Replies: 1
0 0

ISMS evidence