Toolkit content
Today we downloaded the toolkit for creating ISO 27001.
We noticed that appendix A_6.1 does not contain a document "internal organization" that the points of the declaration of applicability 6.1. contains:
A.6.1.1 - Information security roles and responsibilities
A.6.1.2 - Segregation of duties
A.6.1.3 - Keeping in contact with authorities
A.6.1.4 - Keeping in contact with special interest groups
A.6.1.5 - Information security in project management
Our document 6.1. is the regulation on BYOD. Is there a document missing or could you send it to us?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 does not require each control in Annex A to be implemented, only those deemed necessary as a result of risk assessments, legal requirements, or organizational decisions. To see the required documents by the standard, and the most common documents implemented to support an ISMS, please see this article:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Our toolkits focus on small and mid-size companies, and that's the reason we do not write documents to cover each control – for those companies this large number of documents would result in overkill for many of them. Instead of that, a single template may cover multiple controls. In the root folder of the toolkit, you'll find a document called “List of Documents” that explains which control is covered by which document.
A.6.1.1 - Information security roles and responsibilities are embedded in every document in the toolkit (you can identify its application on the field which requires a job title to be defined).
For further information, see:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
A.6.1.2 - Segregation of duties is included in templates where such control is deemed applicable (e.g., in change management policy roles for request a change and approve one can be different), and the Statement of Applicability document provides a short guidance on how to implement this control.
For further information, see:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
A.6.1.3 - Keeping in contact with authorities, A.6.1.4 - Keeping in contact with special interest groups, and A.6.1.5 - Information security in project management are not commonly used controls, so they do not have a specific application in the templates. Likewise for A.6.1.2, the Statement of Applicability document provides a short guidance on how to implement these controls.
For further information, see:
- Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/
- How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
Comment as guest or Sign in
May 28, 2021