ISO/IEC 27001:2022 as a preparation for the new Cyber Security Act

The final wording of the new Cyber Security Act is still not in sight. Postponing the start of a company's preparations for compliance will, at the very least, make them more expensive, assuming that the appropriate resources (consultants, auditors, tooling) are available on the market at all within the required time.

A practical alternative is to start by preparing the documents required by ISO/IEC 27001:2022. These are already clearly defined, and the same documents can later be reused to demonstrate compliance with the obligations arising from the new Cyber Security Act and its implementing decrees.

According to ISO/IEC 27001:2022, at least the following documented information (excluding documentation arising from the Annex A controls) must exist:

Scope of the ISMS (Section 4.3)

Information security policy (Section 5.2)

Risk assessment and risk treatment process (Section 6.1.2)

Statement of Applicability (Section 6.1.3)

Risk treatment plan (Sections 6.1.3, 6.2 and 8.3)

Information security objectives (Section 6.2)

Results of risk assessment and risk treatment (Sections 8.2 and 8.3)

Overview of all relevant legal, statutory, regulatory and contractual requirements that affect the information security strategy and the ISMS (Annex A control 5.31 in the 2022 edition, formerly A.18.1.1 in ISO/IEC 27001:2013; the requirements of interested parties are also covered by Section 4.2)

In addition, the operational clauses of the standard require records to be kept as evidence, for example of competence (Section 7.2), monitoring and measurement results (Section 9.1), the internal audit programme and its results (Section 9.2), management review results (Section 9.3) and nonconformities with corrective actions (Section 10.1).


