Organisations seeking ISO 27001 compliance must prove their compliance with the Standard by completing appropriate documents.
List of documents required for ISO 27001 compliance
- 4.3 The scope of the ISMS
- 5.2 Information security policy
- 6.1.2 Information security risk assessment process
- 6.1.3 Information security risk treatment plan
- 6.1.3 The Statement of Applicability
- 6.2 Information security objectives;
- 7.2 Evidence of competence
- 5.5.1 Documented information determined by the organisation as being necessary for the effectiveness of the ISMS
- 8.1 Operational planning and control
- 8.2 Results of the information security risk assessment
- 8.3 Results of the information security risk treatment
- 9.1 Evidence of the monitoring and measurement of results
- 9.2 A documented internal audit process
- 9.2 Evidence of the audit programmes and the audit results
- 9.3 Evidence of the results of management reviews
- 10.1 Evidence of the nature of the non-conformities and any subsequent actions taken
- 10.1 g) Evidence of the results of any corrective actions
Organisations must also complete documents in Annex A, which details a list of controls that must be considered for inclusion in the Statement of Applicability.
Although only some of these are mandatory, any control that’s relevant must be documented. This will typically include:
- 7.1.2 and A.13.2.4 Definition of security roles and responsibilities
- 8.1.1 An inventory of assets
- 8.1.3 Rules for the acceptable use of assets
- 8.2.1 Information classification scheme
- 9.1.1 Access control policy
- 12.1.1 Operating procedures for IT management
- 12.4.1 and A.12.4.3 Logs of user activities, exceptions, and security events
- 14.2.5 Secure system engineering principles
- 15.1.1 Supplier security policy
- 16.1.5 Incident management procedure
- 17.1.2 Business continuity procedures
- 18.1.1 Statutory, regulatory, and contractual requirements
Where to start with ISO 27001 documentation
Given the number of documents you need to complete and the lack of guidance from the Standard, the documentation stage can be incredibly time-consuming and stressful. There is no right way to approach the process, but organisations usually commit to one of three methods.
The first is trial and error, which we wouldn’t recommend. The documentation process is simply too big to go into without a plan, and even though you’ll quickly learn from your mistakes, you’ll burn through a lot of money doing so.
The second method is to bring in consultants to guide you through what you need to know. This is the most expensive approach, but it’s also the safest, reducing the risk of costly mistakes.
This approach is also the fastest route to ISO 27001 compliance, but don’t expect overnight success: consultants will need to learn your systems and processes before they can begin.
The third method is to purchase a documentation toolkit. These are packages that contain template documents and tools to help you meet the Standard’s requirements.
Some toolkits, such as our ISO 27001 ISMS Documentation Toolkit, include direction and guidance from expert ISO 27001 practitioners.
The toolkit includes:
- A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
- Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
- Direction and guidance from expert ISO 27001 practitioners.
A version of this blog was originally published on 27 October 2017.