Q1) 'There is no policy or procedure in place listing the controls for documents of external origin.'
So I need to work on the document control procedure (or any document which talks about document management) and include topics on how to handle and manage the documents which are NOT prepared by my client.
I tried to list a few documents of external origin:
References used for your documentation
Corporate guidance documents
Can you tell me what exactly is required when it's said 'documents of external origin'?
Q2) How can I help the Management review to include
(A) Changes in external & internal issues that are relevant to ISMS
(B) Feedback on InfoSec performance on fulfillment of information security objectives (as required by ISO 27001:2013)
Q3) On clause 4.2, have tried discussing the same with Alan...
@Alan: Please follow up on this one too.
Point 1: You are OK; furthermore, external documents can also be: reports of external auditors, project plans of your clients, and any document external to your organization (where the ISMS is implemented). Anyway, I suggest that the control of external documents is almost the same as the control of internal documents. For more information, please read this article, "Document management in ISO 27001 & BS 25999-2": https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
Point 2: (A) You need to request any change to external/internal issues, and you can develop a report with conclusions about this. (B) You can develop a report of conclusions of the risk assessment & treatment. Also, these articles may be interesting for you: