ISO 27001 clearly recognises that there is no such thing as a one-size-fits-all approach to documentation. Instead, it recommends that the extent of the ISMS documentation should reflect the complexity of the organisation and its security requirements.
In practical terms, there are four levels of documentation in an ISMS, and each level has different characteristics, including who is entitled to make decisions regarding revisions to the documents. The four levels are:
- Board-approved corporate policies, which drive all other aspects of the ISMS. There will normally be one high-level information security policy supported by a number of additional, subject-specific policies (setting out, for instance, what constitutes acceptable use of the Internet).
- Detailed procedures that describe who is responsible for doing what, when and in what order.
- Operations/work instructions, which set out in detail precisely how each of the identified tasks is performed.
- Records, which provide evidence of what was done.
The most demanding, in terms of time, is producing the third level – even though this is often simply the process of documenting existing ways of carrying out specific activities.
Getting ISO 27001 documentation help
If you’re about to tackle the documentation part of your project, the ISO 27001 ISMS Documentation Toolkit will help you save time and money otherwise spent creating the documentation from scratch.
The templates, developed by leading industry experts, will help you meet the requirements of the Standard, ensure nothing is left out, reduce the room for error and streamline your compliance with ISO 27001:2013.
This toolkit is also specifically designed so that it can easily be integrated into additional management systems, ensuring that the opportunity to build an integrated management system that meets multiple standards is available from the outset.
And unlike others on the market, our toolkit is proven to have helped organisations go on to achieve certification.
Excerpts in this blog post were taken from Alan Calder’s Nine Steps to Success – An ISO 27001 Implementation Overview, Third edition.