Required artifacts (records) for ISO 27001 Auditing

Ramaiyer

GA all,

I have implemented an ISMS in our small IT consulting company. I am the only one working on this project. I have already created the ISMS manual, scope, the policies (29 of them), procedures, Request for Change, document and record handling, corrective and preventive action procedures, security awareness training, etc.

I have already given security awareness training and took attendance, employees have acknowledged that they have read the policies and manual, and I have collected information configuration item auditing, security auditing and document auditing records. Visitor logs, system security monitoring logs, etc. are collected. Performed a desktop business continuity plan exercise and recorded it. Are there (I am sure there are) any other artifacts I need to collect? Can anyone post a list of artifacts they are collecting?

Thanks
 

AndyN

Moved On
It's difficult to tell you what other records may be necessary, since this is going to depend on the scope of the ISMS.

I'm a bit concerned that you (alone) have been compiling this, as unless you engage with the other management you risk not being able to maintain the system. I'd collaborate with your management team to see what records they generate.

Of course, there are plenty of records generated from things such as internal audits, management reviews, corrective actions and improvements etc.
 

Colin

Quite Involved in Discussions
A lot of the records required will be produced as a result of applying the control objectives in Annex A. Many of these will likely be electronic records but either way, they will need to be retained.
 
Ramaiyer

GM Colin,

Thanks for the response. Can you give a couple of examples/samples of electronic records of applying controls? I have the policies and procedures for applying controls. Examples are access control or password control for information systems, or a media disposal policy and the record of how the media was disposed. Will that do?


TIA
 

Colin

Quite Involved in Discussions
I was thinking of things like records of privileges, network logs, fault logs, asset records, results of risk assessments, confidentiality agreements, change management records, system logs, etc.
 
darbym

Some of the information that I would be looking for in addition to the items already mentioned are:
1. Risk Management procedures and associated information.
2. Risk treatment plan(s) and activities.
3. Business continuity tests and information.
4. Security incident records and results.
5. Background checks of staff (if applicable).
6. List of emergency contacts related to the scope.
7. List of security goals and objectives.
8. Access control review records.

I tried to provide items that were not already covered in the thread but it really depends on what is implemented and what is included in the scope.
 
Ramaiyer

Thanks Darbym,

Good list and very much appreciated. The scope is the entire HQ operations. We are a small IT consulting company. We are already collecting artifacts for the compliance of other ISO standards and CMMI certificates that we have. All that I have to do is create a document listing the artifacts and where they can be found on our SharePoint. I am already using the shared document list. I will create a shared record list. Those that are not part of those standards, I will create.

Thanks
 
darbym

No problem, just remember that you are following the process / policies. If the policy for access control states that profiles are reviewed quarterly, then we should expect to see the form or evidence that associates with that requirement. Since many of the security controls can be managed dynamically through software, for example password strength and expiry requirements, the auditor may need to consider records/artifacts that are included within the systems used by your HQ office. Using a CMMI-based "PIID" approach to records management in SharePoint will be good for an external auditor, as it can denote if a security control is managed through a system without a resulting form or record as the final evidence.

Markus
 

Richard Regalado

Trusted Information Resource
Check your statement of applicability for the controls that you have implemented based on the risks your organization is facing. The requirement is that these controls are established, implemented, managed and assessed for effectiveness. Hence, records must show all of the above for all the implemented controls.

For example: one of the controls for HR Security is Screening Prior to Employment. One would expect that you have background investigation reports, interview records, records of claimed expertise and experience.

Hope the above helps.
 