Documented evidence is crucial in demonstrating that the processes within an Information Security Management System (ISMS) have been carried out as planned. For ISO 27001:2022 compliance, the following types of documented evidence can be used:

1. Policies and Procedures

- Information Security Policy: document detailing the organization's commitment to information security.
- Procedure Documents: detailed step-by-step instructions on how to perform specific processes.

2. Records of Activities

- Audit Logs: logs that capture the details of security events, user activities, and system changes.
- Access Control Records: records showing who accessed what information and when.

3. Risk Management Documentation

- Risk Assessment Reports: documents identifying potential risks and their impact.
- Risk Treatment Plans: plans detailing the measures taken to mitigate identified risks.

4. Training and Awareness Records

- Training Attendance Sheets: lists showing which employees attended training sessions.
- Training Materials: copies of materials used during training sessions.
- Awareness Campaign Records: evidence of communication efforts (emails, posters, intranet announcements).

5. Implementation Records

- Change Management Logs: records of changes made to systems and processes.
- Configuration Management Records: details of system configurations and changes.

6. Monitoring and Measurement Records

- Performance Monitoring Reports: regular reports showing the performance of security controls.
- Incident Reports: documentation of security incidents and the response actions taken.

7. Audit and Review Documentation

- Internal Audit Reports: findings from internal audits.
- External Audit Reports: findings from external audits.
- Management Review Minutes: minutes from management review meetings discussing ISMS performance.

8. Corrective and Preventive Action Records

- Corrective Action Reports: documentation of actions taken to correct non-conformities.
- Preventive Action Plans: plans detailing preventive measures to avoid future non-conformities.

9. Supplier and Third-Party Management Records

- Contracts and SLAs: agreements with suppliers and third parties detailing security requirements.
- Supplier Audit Reports: reports from audits of third-party service providers.

10. Communication Records

- Meeting Minutes: documentation of meetings discussing ISMS-related topics.
- Email Communications: emails related to ISMS activities, decisions, and updates.

11. Compliance and Legal Records

- Legal and Regulatory Compliance Reports: documentation demonstrating compliance with applicable laws and regulations.
- Data Protection Impact Assessments (DPIAs): assessments detailing how data protection risks are managed.

Example Evidence for Specific ISMS Processes:

A. Risk Assessment Process

- Risk Assessment Report: details of identified risks, their impact, and likelihood.
- Risk Treatment Plan: actions planned or taken to mitigate risks.
- Meeting Minutes: discussions about risk assessment outcomes and decisions made.

B. Access Control Process

- Access Control Policy: guidelines for granting and revoking access rights.
- Access Logs: records of who accessed what information and when.
- User Access Reviews: periodic reviews of user access rights.

C. Incident Management Process

- Incident Response Plan: steps to follow in case of a security incident.
- Incident Reports: detailed reports of each security incident and the response actions taken.
- Post-Incident Review: analysis of the incident to prevent future occurrences.

D. Training and Awareness Program

- Training Attendance Sheets: records of employees who attended the training.
- Training Materials: slides, handouts, and other materials used during training sessions.
- Feedback Forms: employee feedback on the training sessions.

By maintaining comprehensive and accurate documented evidence for each process, an organization can demonstrate that its ISMS processes have been carried out as planned and show compliance with the ISO 27001:2022 standard.

Dogma C3X is an Intelligent Business Consulting Platform inspired by the 3Cs industry model, which offers a strategic look at the pillars that every company needs for success: Customers, Company, and Competitors. It is "intelligent" because, by using artificial intelligence (AI) and machine learning (ML), it can collect, process, and analyze the growing tsunami of structured and unstructured data related to the 3Cs, which is incredibly valuable. Only by strengthening, positioning, and integrating these three pillars (Customers, Company, Competitors) will you be able to build a sustainable competitive advantage.