Toolkit support
Answer: The classification of each document will depend on the information the organization will include to complete the document. In a general manner, documents with process results (planned or achieved), formulas, drawings, instructions and other elements that give your organization a competitive advantage should be considered restricted. Policies in general should be considered internal, since many people inside your organization will need to access them. The Quality Policy is an example of a document you should consider public, since people inside and outside the organization may have access to it.
This material will also help you regarding information classification:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
2) I'd also like to know how many documents are needed related to business continuity. I can see only Backup_Policy_Cloud_EN and Disaster_Recovery_Plan_27001_Cloud_EN. Do we need a backup procedure/backup plan and backup logs?
Answer: To be compliant with ISO 27001 business continuity requirements, you need only the disaster recovery plan, considering the recovery of IT infrastructure/services. If you consider that your organization needs to cover other business processes or all the steps in business continuity management, I recommend you check out the ISO 22301 Documentation Toolkit.
Regarding the backup, you can include the information describing the backup plan and how to perform the procedure in the policy document itself (see comments in section 3.1) or decide to create a separate document, whichever suits you best. As for backup logs, you need to generate and manage them as evidence that your backup process is being performed and achieving its proposed results. The log generation will depend upon the process you use in your organization (e.g., performed manually by your staff or automatically by a specific tool).
These materials will also help you regarding documentation elaboration:
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
3) I also didn't find controls for A.18 Compliance.
Answer: If you consult the list of documents in your ISO 27001, 27017 and 27018 Documentation Toolkit, it will show you which documents support each control of ISO 27001 Annex A. In the case of the A.18 controls, the documents are "Procedure for Identification of Requirements", "List of Legal, Regulatory, Contractual and Other Requirements", "Policy for Data Privacy in the Cloud", "Acceptable Use Policy", and "Policy on the Use of Cryptographic Controls".
Dec 16, 2016