Guest user | Created: Dec 04, 2018 | Last commented: Dec 04, 2018

Toolkit content

1 - In the toolkit, I noticed that there’s no policy, or a reference to a policy, for each control in Annex A (e.g. A.11.1.6 Delivery and loading, or A.11.2.3 Cabling security etc.). So I’m wondering if we can easily leave such things out of the ISO27K scope and so leave them out of the SoA? Or should we include them in a policy or write a separate document about these things? Or is it enough to write a short answer in the SoA about how this is implemented?


Expert
Rhand Leal Dec 04, 2018

Answer:

ISO 27001 does not require each control to be implemented, nor does it require each implemented control to be documented. Therefore, you have the following options:
a) Exclude a control in the Statement of Applicability if there are no risks or requirements for this particular control
b) Implement a control and write a separate policy or procedure for it
c) Implement a control and document it through a policy or a procedure which also covers other controls
d) Implement a control without documenting it - in this case you only describe briefly how you implemented it in the SoA

These articles will provide you with further explanation about selecting controls and the SoA:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2 - For my own reference: I assumed that the ISO standard and controls (Annex A or SoA) are copyright protected? But I saw you used the numbering and especially the “titles” from the ISO standard; is this allowed? I’m just wondering if I can use my own Excel file “including the official control description” as well and store it in Conformio or on our file server.

Answer: Using numbering and titles as a reference to the standard is allowed because in many requirements (like the one which defines the SoA content) you have to make reference to the standard to be compliant. What is not allowed is copying the content of sections, as well as copying the descriptions of controls, but you can write them in other words to use in your Excel file with no problem.
