As part of implementing an information security management system (ISMS) aligned to ISO 27001:2013, you are required to produce a number of documents. Failure to do so could result in a range of nonconformities.
The documentation you must provide includes:
- Scope (4.3)
- Information security policy (5.2 e)
- Information security risk assessment process (6.1.2)
- Information security risk treatment process (6.1.3)
- Statement of Applicability (6.1.3)
- Information security objectives (6.2)
- Evidence of competence (7.2)
- Documented information “determined by the organization as being necessary for the effectiveness of the ISMS” (7.5.1 b)
- Documented information to the extent necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
- Results of information security risk assessments (8.2)
- Results of information security risk treatment (8.3)
- Evidence of the information security performance monitoring and measuring results (9.1)
- Internal audit programme(s) and the audit results (9.2 g)
- Internal audit procedure (ISO 27000:2014, sec. 2.5)
- Evidence of the results of management reviews (9.3)
- Evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective actions (10.1)
In addition to these mandatory documents, it is best practice to provide documents that support your chosen controls; auditors will want to see what you have done within your organisation to implement them.
This raises a number of questions:
- What should these documents look like?
- How should they be formatted?
- What information should be included or left out?
For many companies certifying to ISO 27001 for the first time, creating the documentation from scratch can be a daunting process.
Having created and managed ISMS documentation for over ten years, our expert consultants have developed a set of pre-written ISMS document templates that are fully compliant with ISO 27001 and ready for you to tailor to your organisation’s objectives and controls.
Containing every document template you could possibly need (both mandatory and optional), as well as additional work instructions, project tools and documentation structure guidance, the ISO 27001:2013 ISMS Documentation Toolkit really is the most comprehensive option on the market for completing your documentation.
Take the pain out of creating, implementing and managing your ISMS documentation with this toolkit.
Other resources you may find useful:
- ISO 27001:2013 standard – Read the official standard in its entirety.
- ISO27001 Certified ISMS Lead Implementer training course (currently available with 20% off) – Learn how to implement the Standard in your organisation and make best use of the documentation toolkit.
- vsRisk™ – Fully aligned with ISO 27001:2013, this software tool helps you conduct an information security risk assessment quickly and easily.