7 top tips for effective ISO 27001 documentation


If you’re responsible for creating documentation for your ISMS (information security management system), then you need to be aware of these 7 tips for creating effective, successful documentation. These tips are taken from Alan Calder’s Nine Steps to Success – An ISO 27001 Implementation Overview.

  1. All formal documentation should be controlled and available to all staff who are entitled to view it.
  2. It can be published in paper form but is most effective on an intranet, a shared drive or SharePoint. A shared drive or SharePoint ensures that the current version of any procedure is immediately available to all members of staff without hassle.
  3. A structured numbering system should be adopted that makes the documentation easy to navigate.
  4. The issue of documents should be controlled.
  5. Replacement pages and changes should be tracked.
  6. The documentation you provide should be complete.
  7. Staff should be trained in how to use the documentation and how to draft operating procedures for the assets and processes for which they are personally responsible.

Clearly, a number of the ISMS documents will themselves need to be subject to security measures. These include the risk assessment, the risk treatment plan and the Statement of Applicability, which contain important insights into how security is managed and should therefore be classified, restricted and handled in accordance with the organisation’s information classification system. Access should be limited to people with specified ISMS roles, such as the information security manager.

Getting documentation help

If you’re about to tackle the documentation part of your project, the ISO 27001 ISMS Documentation Toolkit will help you save time and money otherwise spent creating the documentation from scratch.

The templates, developed by leading industry experts, will help you meet the requirements of the Standard, ensure nothing is left out, reduce the room for error and streamline your compliance with ISO 27001:2013.

This toolkit is also specifically designed so that it can easily be integrated into additional management systems, ensuring that the opportunity to build an integrated management system that meets multiple standards is available from the outset.

And unlike others on the market, our toolkit is proven to have helped organisations go on to achieve certification.

Take a free trial to see sample documents from the toolkit.

Excerpts in this blog post were taken from Alan Calder’s Nine Steps to Success – An ISO 27001 Implementation Overview, Third edition.