List of documentation needed for ISO 27001

1. The information security policy, the scope of the ISMS, the risk assessment, the control objectives and the statement of applicability. These might, with a description of the PDCA approach, form the core of an ISMS manual.

2. Evidence of the actions undertaken by the organization and its management to specify the scope of the ISMS (the minutes of board and steering committee meetings, as well as any specialist reports).

3. A description of the management framework (steering committee, etc.). This could usefully be related to an organizational structure chart.

4. The risk treatment plan and the underpinning, documented procedures (which should include responsibilities and required actions) that implement the specified controls. A procedure describes who has to do what, under what conditions or by when, and how. A work instruction is an even more detailed description of how to perform a specific task. Procedures (there would probably be one for each of the implemented controls) and work instructions would be identified in the ISMS manual, but would be subject to a lower level of authorization than the manual.

5. The procedures (which should include responsibilities and required actions) that govern the management and review of the ISMS.
