
Expert Advice Community

Toolkit content

Guest user Created: Apr 08, 2020 Last commented: Apr 08, 2020

1. Wondering a bit about organization of files. We have a list of policies we need to write first; one is "Information Security Awareness, Education & Training". I find it referenced as A.7.2.2.

Yet when I go into the folder below, where I expect to find it, there is no A.7.2.2 document: …27001_EN\08_Annex_A_Security_Controls\A.7_Human_Resource_Security.

There IS an A.7.2_Statement of Acceptance.

2. Also, the following are policies we need; however, they seem to point to no specific document. Where would you recommend we add these?

Patch Management Policy – in A.8.2 – IT Security Policy?

Information Security in Project Management – where to discuss this or assign project manager responsibilities?

Separation of Development, Testing & Operational Environments – listed as A.12.1.3 – but not sure where to create it as I can't find any sample wording.


Expert
Rhand Leal Apr 08, 2020

1. Wondering a bit about organization of files. We have a list of policies we need to write first; one is "Information Security Awareness, Education & Training". I find it referenced as A.7.2.2.

Yet when I go into the folder below, where I expect to find it, there is no A.7.2.2 document: …27001_EN\08_Annex_A_Security_Controls\A.7_Human_Resource_Security.

There IS an A.7.2_Statement of Acceptance.

Please note that ISO 27001 does not require a policy for "Information Security Awareness, Education & Training" to be written. For certification purposes, the training and awareness plan, located in folder 09 Training and Awareness, is sufficient.

2. Also, the following are policies we need; however, they seem to point to no specific document. Where would you recommend we add these?

Patch Management Policy – in A.8.2 – IT Security Policy?

Information Security in Project Management – where to discuss this or assign project manager responsibilities?

Separation of Development, Testing & Operational Environments – listed as A.12.1.3 – but not sure where to create it as I can't find any sample wording.

Patch management would be best covered in A.12.1 - Security Procedures for IT Department, located in folder 08 Annex A Security Controls >> A.12 Operations Security, since it involves change management.

Overall project manager responsibilities can be defined in the Information Security Policy, located in folder 04 General Policies, and specific responsibilities can be defined in the project's documentation.

Separation of Development, Testing & Operational Environments would be best covered in A.14 - Secure Development Policy, located in folder 08 Annex A Security Controls >> A.14 System Acquisition Development and Maintenance.
