Documents required by ISO/IEC 27001 | Interpretation

4.3 Documentation requirements

4.3.1 General

Required by ISO/IEC 27001: Documentation shall include records of management decisions …
Interpretation: Records of key management decisions regarding the ISMS, e.g. minutes of management meetings, investment decisions, mandating of policies, reports etc. [not individually specified in the standard apart from the following specific items …]

Required by ISO/IEC 27001: The ISMS documentation shall include: a) Documented statements of the ISMS policy (see 4.2.1.b) and objectives
Interpretation: Information security policy set matching the characteristics of the business, the organization, its location, [information] assets and technology, being a “superset of” (i.e. including) both of the following:
- An ISMS policy defining the objective-setting management framework for the ISMS, giving it an overall sense of direction/purpose and defining key principles. The ISMS policy must:
  - take account of information security compliance obligations defined in laws, regulations and contracts;
  - align with the organization’s strategic approach to risk management in general;
  - establish information security risk evaluation criteria (the “risk appetite”); and
  - be approved by management.
- Information security policy or policies specifying particular information security control objectives or requirements in one or more documents [these should also be approved by management to have full effect].

Required by ISO/IEC 27001: b) The scope of the ISMS (see 4.2.1.a)
Interpretation: ISMS scope defining the boundaries of the ISMS in relation to the characteristics of the business, the organization, its location, [information] assets and technology. Any exclusion from the ISMS scope must be explicitly justified.
Required by ISO/IEC 27001: c) Procedures and controls in support of the ISMS
Interpretation: Information security procedures, i.e. written descriptions of information security processes and activities, e.g. procedures for user ID provisioning and password changes, security testing of application systems, information security incident management response etc. Controls documentation, e.g. technical security standards, security architectures/designs etc., probably referencing ISO/IEC 27002 (details vary between ISMSs).

Required by ISO/IEC 27001: f) The risk treatment plan (see 4.2.2.b)
Interpretation: Risk treatment plan, i.e. a [project?] plan describing how the identified information security control objectives are to be satisfied, with notes on funding plus roles and responsibilities.

Required by ISO/IEC 27001: g) Documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and describe how to measure effectiveness of controls (see 4.2.3.c)
Interpretation: ISMS operating procedures, i.e. written descriptions of the management processes and activities necessary to operate and control the ISMS, e.g. policy review and approvals process, continuous ISMS improvement process. Information security metrics describing how the effectiveness of the ISMS as a whole, plus key information security controls where relevant, is measured, analyzed, presented to management and ultimately used to drive ISMS improvements.
Required by ISO/IEC 27001: h) Records required by this International Standard (see 4.3.3)
Interpretation: See 4.3.3 below. “Records” means information security paperwork such as user ID authorizations, and electronic documents such as system security logs, that are used routinely while operating the ISMS and should be retained and made available for the certification auditors to sample and check. Collectively, these prove that the ISMS has been properly designed, mandated by management and put into effect by the organization.

Required by ISO/IEC 27001: i) The Statement of Applicability
Interpretation: Statement of Applicability stating the information security control objectives and controls that are relevant and applicable to the ISMS, generally a consolidated summary of the results of the risk assessments, cross-referenced to the control objectives from ISO/IEC 27002 that are in scope.

5 Management responsibility