Which policies to implement before the certification
Answer:
If your company wants to go for the ISO 27001 certification, the first thing you need to have are all the mandatory documents; you can see them here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Next, once you perform the risk assessment you will define which controls you need, and then you have to decide which of these controls need to be documented. Finally, in the Risk treatment plan you need to decide which controls are to be implemented before the certification, and which will be implemented after.
In the certification audit, the auditor will check if all the published documents are fully implemented.
So, to summarize: each document you write needs to be fully implemented; the only documents that you can leave for after the certification are those that are not mandatory.
These articles will also help you:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
Probably the best thing for you is to go through this free online course, ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ - it will explain all the details to you.
Jun 24, 2016