The best way to include “evidences” of policy implementation
Thank you for this mail. I'm currently beginning redaction of the first documents and following your online training. As I'm very satisfied with both, I'm also studying the opportunity to take a company account on Advisera training for our employees' awareness training.
After hours of reading and watching the very complete content of your website (blog, videos…), I don't have any questions requiring a meeting, except one you could surely answer by email: what is the best way to include "evidences" of policy implementation (screenshots, configurations… showing that a rule or control is implemented)?
- put them in a folder listed in the record part of the document (one folder per audit date?) and put links to the individual files in the document (difficult to handle, as the folder is not always attached to the document, especially when sent to employees who don't need to have such evidences)
- put them in the aforementioned folder, but without any link? But this way it could be difficult to see which file corresponds to which rules/controls
- other way ?
Once again, thank you very much for the quality of your service.
Please note that ISO 27001 does not prescribe how to store evidence of implementation, so organizations are free to implement it in whatever way best suits them.
Considering that, you can adapt the storage approach to the type of record (you do not need to adopt a single approach). For example, evidence of monitoring implementation can be stored in the monitoring system (i.e., the monitoring logs). Evidence of awareness and training can be included in the employee's personal folder.
Regarding the use of links in the documents, you should consider including a link only to the general folder of your evidence (for example, the audit folder, not the specific audit). This way you can balance the ability to find the records without adding too much complexity.
This article will provide you with a further explanation about records management:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
This material will also help you regarding records management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
Oct 14, 2020