Expert Advice Community

Toolkit content

Guest user Created:   Mar 28, 2017 Last commented:   Mar 28, 2017


I was going through the Annex A. I see that the following are missing:
Expert
Rhand Leal Mar 28, 2017

- 7.1 prior to employment, 7.2 During employment, and 7.3 termination and change of employment
- 8.1 responsibility for assets and 8.3 media handling
- 12.1.1 Operational procedures and responsibilities, 12.1.3 Capacity Management, 12.2.1 controls against malware, and 12.4.1 event logging

My current priority is to work on operations security.

Answer: ISO 27001 does not require each control in Annex A to be implemented, only those deemed necessary as a result of risk assessments, legal requirements or organizational decision. To see the documents required by the standard, and the most common documents implemented to support an ISMS, please see this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

Our toolkits focus on small and mid-size companies, and that's the reason we do not write documents to cover each control - for those companies this large number of documents would result in an overkill for many of them. Instead of that, a single template may cover multiple controls.

To answer your question, controls from section A.7.1 are covered by documents Confidentiality Statement (control A.7.1.2), Statement of Acceptance of ISMS Documents (control A.7.1.2), Supplier Security Policy (controls A.7.1.1 and A.7.1.2), and Appendix – Security Clauses for Suppliers and Partners (control A.7.1.2).

In the root folder of the toolkit you'll find a document called "List of Documents" which will explain which control is covered by which document.
