Toolkit content

Answer: ISO 27001 does not require documents specific for control from section A.6, but these following templates in your toolkit cover controls from this section:
- Bring Your Own Device (BYOD) Policy (covers controls A.6.2.1 and A.6.2.2)
- Mobile Device and Teleworking Policy (covers control A.6.2)
- Acceptable Use Policy (covers controls A.6.2.1 and A.6.2.2)

2. Also, A.12 Operations security should include all below, but I can see only 3 controls ? Could you please let me know how to address this, please ?
1. Operational procedures and responsibilities
2. Protection from malware
3. Backup
4. Logging and monitoring
5. Control of operational software
6. Technical vulnerability management
7. Information systems audit considerations

Answer: These controls are covered by the following templates:
1. Operational procedures and responsibilities: Operating Procedures for Information and Communication Technology
2. Protection from malware: Acceptable Use Policy
3. Backup: Operating Procedures for Information and Communication Technology, Backup Policy, and Acceptable Use Policy
4. Logging and monitoring: Operating Procedures for Information and Communication Technology
5. Control of operational software: Acceptable Use Policy
6. Technical vulnerability management: Acceptable Use Policy
7. Information systems audit considerations: Internal Audit Procedure

ISO 27001 does not require each control in Annex A to be documented. Our toolkits focus on small and mid-size companies, and that's the reason why we do not write documents to cover each control – for those companies this large number of documents would result in an overkill for many of them. Instead of that a single template may cover multiple controls.

In the root folder of the toolkit you'll find a document called “List of Documents” that explains which control is covered by which document.