Some questions about ISO 27001:2013
The purpose is to define a person or entity with the accountability and authority to manage a risk (this is a definition that you can find in ISO 27000:2014). To determine the risk owners, you should aim for someone who is closely related to the processes and operations where the risks have been identified. Please read this article for more information: Risk owners vs. Asset owners in ISO 27001:2013: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Is a communication plan mandatory in the ISMS documentation? (clause 7.4)
Answer:
No, it is not mandatory. You can find a list of mandatory documents here: List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Do the objectives mentioned in clause 6.2 refer to the objectives in the Statement of Applicability? (e.g., in my company we chose the whole of Annex A for our SoA)
Answer:
The objectives in ISO 27001 clause 6.2 can be set both for the whole ISMS and/or for the control objectives in the Statement of Applicability. Usually, the objectives are set at two levels: (1) the general ISMS level, and (2) the level of security processes or security controls. See also this article: ISO 27001 control objectives: Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
Jan 12, 2016