Mandatory Documentation (Recap)

00:01

Listen 9.3 mandatory documentation. A recap

00:10

In this lesson. We'll do a recap of clauses where documentation is mandatory

00:15

and we'll also do a recap of clauses where additional documentation is not mandatory that it is recommended.

00:26

The following clauses are required to have documentation as per the ISO 27,001 standard.

00:33

The auditors will focus a lot on mandatory documentation

00:36

and this forms the basis of your ice amiss.

00:40

Missing mandatory documentation could jeopardize your certification result

00:44

depending on the extent of the missing documentation.

00:48

Remember, the standard isn't really prescriptive in terms of how documentation must be done,

00:54

it must just be done in a logical manner that includes all of the required content.

00:59

And in a way it can be communicated to the relevant parties

01:03

as well as shown to your certification auditors.

01:08

So the clauses where documentation is mandatory

01:11

is Khloe's 4.3.

01:14

Your Eyes May Scope

01:17

Clause 5.2

01:18

your information security policy

01:22

close 6.1 point two

01:23

and 6.1 point three

01:26

Your information security risk assessment and treatment

01:30

specifically here. You require process documents,

01:34

your risk register,

01:36

your statement of applicability

01:38

and the risk treatment plan

01:42

close 6.2

01:42

Information security objectives and plans to achieve them

01:48

close 7.2

01:49

Competence,

01:52

including skills, qualifications and experience relating to teams running the ice. Miss

01:59

Clause 8.1 Operational planning and control

02:04

This includes all information that supports this clause,

02:07

for example. Procedures, headcounts budgets, progress reports, etcetera.

02:20

Closed 8.2

02:22

risk assessment results,

02:23

including the risk register

02:25

risk reports

02:28

and evidence of frequency of risk assessments.

02:31

Close 8.3

02:34

risk treatment results,

02:36

including the risk treatment plan,

02:38

evidence of treatment,

02:39

pen test reports,

02:42

ordered reports

02:43

and risk owner approvals.

02:46

Close 9.1

02:47

matrix.

02:50

Any type of evidence that demonstrates metrics are in place,

02:53

that they are being actively monitored

02:55

and that undesirable levels are acted upon appropriately.

03:00

Force 9.2.

03:02

The ice amiss internal orders,

03:06

including the order plan

03:07

ordered report

03:09

as well as any other ordered evidence.

03:13

Close 9.3.

03:15

You're isom Mismanagement Reviews

03:17

includes the agenda,

03:20

the attendance register

03:22

minutes,

03:23

action items

03:24

as well as reports on action items

03:30

closed 10.1.

03:30

Nonconformity, ease and corrective actions.

03:35

This includes your NCR forms

03:38

you're nonconformity register or index

03:43

and corrective action evidence.

03:53

Now there are also a couple of clauses where the ISO 27,001 standard doesn't specifically say documentation is mandatory, but it would be quite challenging to demonstrate effectiveness in these areas to your auditors without it.

04:08

So for these clauses, it is recommended that you maintain some form of documentation in any case,

04:14

at a level that shows your certification auditor that the process is designed and is operating effectively.

04:21

The majority of processes and procedures would automatically generate some form of documented output,

04:28

whether it's reports, meeting minutes, emails, memos and so forth.

04:34

Thes closes include

04:36

4.1

04:39

the organization and its context.

04:41

4.2

04:43

interested parties

04:45

4.4

04:47

The IMS ISMs,

04:49

including the certificate Once you're certified

04:53

5.1

04:55

leadership

04:57

5.3

04:58

Roles and Responsibilities

05:00

6.1 point one The actions to address risks and opportunities

05:06

7.1

05:09

Resource is

05:10

7.3

05:12

Awareness

05:14

7.4

05:15

Communication

05:17

7.5 point one

05:19

General communication

05:21

7.5 point two Creating and updating documentation

05:28

7.5 point three document control

05:31

and 10.2 continual improvement

05:41

to summarize

05:42

in this lesson recovered which clauses have mandatory documentation requirements

05:46

and which clauses don't specifically require documented information as per the standard,

05:53

but we're additional documentation would definitely help for the audit