Mandatory Requirements for Organizational ISO 27001 Certification

ISO/IEC 27001 is a formalized specification for an ISMS with two distinct purposes:

1. It lays out the design for an ISMS, describing the important parts at a fairly high level.
2. It can (optionally) be used as the basis for formal compliance assessment by certification auditors in order to certify an organization compliant.

The following mandatory documentation is explicitly required for certification.

ISMS Scope (Clause 4.3)

Determining the scope of the information security management system: The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider
• the external and internal issues
• the requirements
• interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
The scope shall be available as documented information.

Information Security Policy (Clause 5.2)

Policy: Top management shall establish an information security policy that
• is appropriate to the purpose of the organization,
• includes information security objectives or provides the framework for setting information security objectives,
• includes a commitment to satisfy applicable requirements related to information security, and
• includes a commitment to continual improvement of the information security management system.
The information security policy shall
• be available as documented information
• be available to interested parties, as appropriate.