Organisations that implement ISO 27001 must demonstrate their compliance by completing appropriate documents.
ISO 27001’s mandatory documents include:
- 4.3 The scope of the ISMS
- 5.2 Information security policy
- 6.1.2 Information security risk assessment process
- 6.1.3 Information security risk treatment plan
- 6.1.3 The Statement of Applicability
- 6.2 Information security objectives;
- 7.2 Evidence of competence
- 5.5.1 Documented information determined by the organisation as being necessary for the effectiveness of the ISMS
- 8.1 Operational planning and control
- 8.2 Results of the information security risk assessment
- 8.3 Results of the information security risk treatment
- 9.1 Evidence of the monitoring and measurement of results
- 9.2 A documented internal audit process
- 9.2 Evidence of the audit programmes and the audit results
- 9.3 Evidence of the results of management reviews
- 10.1 Evidence of the nature of the non-conformities and any subsequent actions taken
- 10.1 g) Evidence of the results of any corrective actions
Annex A documentation
Organisations must also complete documents in Annex A, which details a list of information security controls that must be considered – whether they are implemented or not.
Indeed, you don’t have to implement all 114 of its controls; they are simply a list of possibilities you should consider based on your organisation’s requirements.
However, there are several controls that almost every organisation should implement. This includes:
- 7.1.2 and A.13.2.4 Definition of security roles and responsibilities
- 8.1.1 An inventory of assets
- 8.1.3 Rules for the acceptable use of assets
- 8.2.1 Information classification scheme
- 9.1.1 Access control policy
- 12.1.1 Operating procedures for IT management
- 12.4.1 and A.12.4.3 Logs of user activities, exceptions, and security events
- 14.2.5 Secure system engineering principles
- 15.1.1 Supplier security policy
- 16.1.5 Incident management procedure
- 17.1.2 Business continuity procedures
- 18.1.1 Statutory, regulatory, and contractual requirements
Looking for help documenting ISO 27001 compliance
Given the number of ISO 27001 policies you need to complete and the lack of guidance from the Standard, the documentation stage can be incredibly time-consuming and stressful.
There is no right way to approach the process, but organisations usually commit to one of three methods.
The first is trial and error, which we wouldn’t recommend. The documentation process is too big to go into without a plan, and even though you’ll quickly learn from your mistakes, you’ll burn through a lot of money doing so.
The second method is to bring in consultants to guide you through what you need to know. This is the most expensive approach, but it’s also the safest, reducing the risk of costly mistakes.
This approach is also the fastest route to ISO 27001 compliance, but don’t expect overnight success: consultants will need to learn your systems and processes before they can begin.
The third method is to purchase a documentation toolkit. These are packages that contain template documents and tools to help you meet the Standard’s requirements.
Some toolkits, such as IT Governance’s ISO 27001 Toolkit, include direction and guidance from expert ISO 27001 practitioners.
Why choose our ISO 27001 Toolkit?
With our ISO 27001 Toolkit, you can halve your implementation costs and receive guaranteed compliance with the Standard.
You’ll receive more than 140 customisable ISO 27001 documentation templates, including policies, procedures, work instructions and records.
The toolkit also comes with tools to help you complete the gap assessment, Statement of Applicability and roles and responsibilities matrix, as well our Implementation Manager tool and two staff awareness e-learning licences.
A version of this blog was originally published on 27 October 2017.