7 hours 52 minutes
Listen 9.3 mandatory documentation. A recap
In this lesson. We'll do a recap of clauses where documentation is mandatory
and we'll also do a recap of clauses where additional documentation is not mandatory that it is recommended.
The following clauses are required to have documentation as per the ISO 27,001 standard.
The auditors will focus a lot on mandatory documentation
and this forms the basis of your ice amiss.
Missing mandatory documentation could jeopardize your certification result
depending on the extent of the missing documentation.
Remember, the standard isn't really prescriptive in terms of how documentation must be done,
it must just be done in a logical manner that includes all of the required content.
And in a way it can be communicated to the relevant parties
as well as shown to your certification auditors.
So the clauses where documentation is mandatory
is Khloe's 4.3.
Your Eyes May Scope
your information security policy
close 6.1 point two
and 6.1 point three
Your information security risk assessment and treatment
specifically here. You require process documents,
your risk register,
your statement of applicability
and the risk treatment plan
Information security objectives and plans to achieve them
including skills, qualifications and experience relating to teams running the ice. Miss
Clause 8.1 Operational planning and control
This includes all information that supports this clause,
for example. Procedures, headcounts budgets, progress reports, etcetera.
risk assessment results,
including the risk register
and evidence of frequency of risk assessments.
risk treatment results,
including the risk treatment plan,
evidence of treatment,
pen test reports,
and risk owner approvals.
Any type of evidence that demonstrates metrics are in place,
that they are being actively monitored
and that undesirable levels are acted upon appropriately.
The ice amiss internal orders,
including the order plan
as well as any other ordered evidence.
You're isom Mismanagement Reviews
includes the agenda,
the attendance register
as well as reports on action items
Nonconformity, ease and corrective actions.
This includes your NCR forms
you're nonconformity register or index
and corrective action evidence.
Now there are also a couple of clauses where the ISO 27,001 standard doesn't specifically say documentation is mandatory, but it would be quite challenging to demonstrate effectiveness in these areas to your auditors without it.
So for these clauses, it is recommended that you maintain some form of documentation in any case,
at a level that shows your certification auditor that the process is designed and is operating effectively.
The majority of processes and procedures would automatically generate some form of documented output,
whether it's reports, meeting minutes, emails, memos and so forth.
Thes closes include
the organization and its context.
The IMS ISMs,
including the certificate Once you're certified
Roles and Responsibilities
6.1 point one The actions to address risks and opportunities
7.5 point one
7.5 point two Creating and updating documentation
7.5 point three document control
and 10.2 continual improvement
in this lesson recovered which clauses have mandatory documentation requirements
and which clauses don't specifically require documented information as per the standard,
but we're additional documentation would definitely help for the audit
and demonstrating complaints to the standard.