
Expert Advice Community


Toolkit content

Guest user Created:   Apr 08, 2020 Last commented:   Apr 08, 2020


1. Wondering a bit about organization of files; we have a list of policies we need to write first – one is "Information Security Awareness, Education & Training" - I find it referenced as A.7.2.2.

Yet when I go into the folder below, where I expect to find it, there is no A.7.2.2 document: …27001_EN\08_Annex_A_Security_Controls\A.7_Human_Resource_Security.

There IS an A.7.2_Statement of Acceptance.

2. Also, the following are policies we need; however, they seem to point to no specific document. Where would you recommend we add these?

Patch Management Policy – in A.8.2 – IT Security Policy?

Information Security in Project Management – where to discuss this or assign project manager responsibilities?

Separation of Development, Testing & Operational Environments – listed as A.12.1.3 – but not sure where to create it as I can’t find any sample wording.


Expert: Rhand Leal, Apr 08, 2020

1. Wondering a bit about organization of files; we have a list of policies we need to write first – one is "Information Security Awareness, Education & Training" - I find it referenced as A.7.2.2.

Yet when I go into the folder below, where I expect to find it, there is no A.7.2.2 document: …27001_EN\08_Annex_A_Security_Controls\A.7_Human_Resource_Security.

There IS an A.7.2_Statement of Acceptance.

Please note that ISO 27001 does not require a policy for "Information Security Awareness, Education & Training" to be written. For certification purposes, the training and awareness plan, located in folder 09 Training and Awareness, is sufficient.

For further information, see:

2. Also, the following are policies we need; however, they seem to point to no specific document. Where would you recommend we add these?

Patch Management Policy – in A.8.2 – IT Security Policy?

Information Security in Project Management – where to discuss this or assign project manager responsibilities?

Separation of Development, Testing & Operational Environments – listed as A.12.1.3 – but not sure where to create it as I can’t find any sample wording.

Patch management would be best covered in A.12.1 - Security Procedures for IT Department, located in folder 08 Annex A Security Controls >> A.12 Operations Security, since it involves change management.

Overall project manager responsibilities can be defined in the Information Security Policy, located in folder 04 General Policies, and specific responsibilities can be defined in the project's documentation.

Separation of Development, Testing & Operational Environments would be best covered in A.14 - Secure Development Policy, located in folder 08 Annex A Security Controls >> A.14 System Acquisition Development and Maintenance.

These articles will provide you further explanation:
