Expert Advice Community

Templates and applicable controls

Guest
sourabh Created:   Nov 12, 2019 Last commented:   Nov 14, 2019

I have downloaded the Files saved under my Project.

I have a question here. Since there are around 114 controls listed in the ISO 27001 manual, do we have a template for each control, or can one template be used for the documentation of multiple controls?

For example, please find attached the A.8.2 template for the documentation; in the document (IT Security Policy) the text below is mentioned. So the question is whether the attached document is valid only for A.8.2, or whether it is valid for all the controls mentioned in the screenshot below.

Expert
Rhand Leal Nov 12, 2019

First, it is important to note that Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 because of the following reasons:
1) ISO 27001 does not require each and every control to be documented
2) If the toolkit had a document for each control, there would be too many documents and this would be an overkill for smaller and mid-size companies.

Since our target is SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:
All the mandatory documents - e.g. Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
Documents that are not mandatory, but are commonly used - e.g. BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.

Considering that, the IT security policy you attached as an example applies to all controls listed in its section 2 (reference documents), i.e., controls A.6.2.1, A.6.2.2, A.8.1.2, A.8.1.3, A.8.1.4, A.9.3.1, A.11.2.5, A.11.2.6, A.11.2.8, A.11.2.9, A.12.2.1, A.12.3.1, A.12.5.1, A.12.6.2, A.13.2.3, A.18.1.2.

The identification A.8.2 is used only to make it easier to organize and locate the document. It does not refer to the controls applicable to this document.

Guest
sourabh Nov 13, 2019

@Rhand Leal Thank you for the response. That means that, since more than one ISO control is referenced in one document, the same document is also valid for the other controls mentioned in it. Below is an example.

e.g A.10 Policy on use of Encryption: ISO/IEC 27001 standard, clauses A.10.1.1, A.10.1.2, A.18.1.5 

Here the same document will be valid for the documentation of control A.18.1.5.

Please advise.

Thanks,

Expert
Rhand Leal Nov 14, 2019

Your understanding is correct. Please note that included in your toolkit, there is a "List of Documents" file that identifies which controls are covered by each document in your toolkit.
