Mandatory Documentation (Recap)

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 9.3: Mandatory Documentation, a Recap
00:10
In this lesson, we'll do a recap of clauses where documentation is mandatory,
00:15
and we'll also do a recap of clauses where additional documentation is not mandatory but is recommended.
00:26
The following clauses are required to have documentation as per the ISO 27001 standard.
00:33
The auditors will focus a lot on mandatory documentation
00:36
and this forms the basis of your ISMS.
00:40
Missing mandatory documentation could jeopardize your certification result
00:44
depending on the extent of the missing documentation.
00:48
Remember, the standard isn't really prescriptive in terms of how documentation must be done,
00:54
it must just be done in a logical manner that includes all of the required content.
00:59
and in a way that it can be communicated to the relevant parties
01:03
as well as shown to your certification auditors.
01:08
So the clauses where documentation is mandatory
01:11
are Clause 4.3,
01:14
your ISMS scope;
01:17
Clause 5.2
01:18
your information security policy;
01:22
Clause 6.1.2
01:23
and 6.1.3,
01:26
your information security risk assessment and treatment.
01:30
Specifically here, you require process documents,
01:34
your risk register,
01:36
your statement of applicability
01:38
and the risk treatment plan;
01:42
Clause 6.2,
01:42
information security objectives and plans to achieve them;
01:48
Clause 7.2,
01:49
competence,
01:52
including skills, qualifications and experience relating to teams running the ISMS;
01:59
Clause 8.1, operational planning and control.
02:04
This includes all information that supports this clause,
02:07
for example, procedures, headcounts, budgets, progress reports, etcetera.
02:20
Clause 8.2,
02:22
risk assessment results,
02:23
including the risk register
02:25
risk reports
02:28
and evidence of frequency of risk assessments.
02:31
Clause 8.3,
02:34
risk treatment results,
02:36
including the risk treatment plan,
02:38
evidence of treatment,
02:39
pen test reports,
02:42
audit reports
02:43
and risk owner approvals.
02:46
Clause 9.1,
02:47
metrics.
02:50
Any type of evidence that demonstrates metrics are in place,
02:53
that they are being actively monitored
02:55
and that undesirable levels are acted upon appropriately.
03:00
Clause 9.2,
03:02
the ISMS internal audits,
03:06
including the audit plan,
03:07
audit report,
03:09
as well as any other audit evidence.
03:13
Clause 9.3,
03:15
your ISMS management reviews.
03:17
This includes the agenda,
03:20
the attendance register
03:22
minutes,
03:23
action items
03:24
as well as reports on action items
03:30
Clause 10.1,
03:30
nonconformities and corrective actions.
03:35
This includes your NCR forms,
03:38
your nonconformity register or index,
03:43
and corrective action evidence.
03:53
Now there are also a couple of clauses where the ISO 27001 standard doesn't specifically say documentation is mandatory, but it would be quite challenging to demonstrate effectiveness in these areas to your auditors without it.
04:08
So for these clauses, it is recommended that you maintain some form of documentation in any case,
04:14
at a level that shows your certification auditor that the process is designed and is operating effectively.
04:21
The majority of processes and procedures would automatically generate some form of documented output,
04:28
whether it's reports, meeting minutes, emails, memos and so forth.
04:34
These clauses include
04:36
4.1
04:39
the organization and its context.
04:41
4.2
04:43
interested parties
04:45
4.4
04:47
the ISMS,
04:49
including the certificate once you're certified;
04:53
5.1
04:55
leadership
04:57
5.3
04:58
Roles and Responsibilities
05:00
6.1.1, the actions to address risks and opportunities;
05:06
7.1
05:09
Resources
05:10
7.3
05:12
Awareness
05:14
7.4
05:15
Communication
05:17
7.5.1
05:19
General communication
05:21
7.5.2, creating and updating documentation;
05:28
7.5.3, document control;
05:31
and 10.2, continual improvement.
05:41
To summarize,
05:42
in this lesson we covered which clauses have mandatory documentation requirements
05:46
and which clauses don't specifically require documented information as per the standard,
05:53
but where additional documentation would definitely help for the audit
05:56
and demonstrating compliance with the standard.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.