Creating and managing documentation for your ISO 27001 information security management system (ISMS) is often the hardest part of achieving ISO 27001 certification. One of the more complex areas of this crucial step is keeping track of all your documentation and avoiding duplication.
Creating and managing documentation requires a huge amount of resources, time and management effort.
The documentation necessary to create a conformant system, particularly in more complex businesses, can run to thousands of pages, so effective management of it is vital.
Mandatory documentation for ISO 27001 certification
ISO 27001 requires organisations to produce certain documents to get certified.
Mandatory documents include the scope, information security policy, Statement of Applicability and information security objectives.
It is also best practice to provide supporting documentation for your chosen Annex A controls. Auditors will need to confirm that each of your organisation’s processes is systematically communicated, understood, executed and effective.
The importance of avoiding duplication in your ISMS
Implementing and maintaining an ISMS requires up-to-date, accurate and ISO 27001-compliant documentation, which involves a lot of manual work to get right.
Duplication across documentation within your management system can generate contradictions at a later date when one version is updated or reworded and the other is not.
If this is your first attempt at ISO 27001 certification, be realistic about the amount of documentation that you can create, use, manage and maintain. Split your processes into as many separate documents as necessary, and ensure that each document requires only one person to authorise its amendment.
Ask yourself whether your ISMS is efficient and effective. If not, auditors are likely to make recommendations to improve it.
Tools to help avoid duplication in your documentation
Designed and developed by expert ISO 27001 practitioners, and used by more than 2,000 clients, the ISO 27001 ISMS Documentation Toolkit is the ideal tool to help avoid duplication and mistakes in your ISMS.
Containing a useful Information Security Manual, the toolkit directs users to the specific documents that relate to each requirement and control of the Standard (see screenshot below).
By listing and linking to documents in your ISMS, the toolkit eliminates the risk of duplication and helps you keep track of your documentation.
This makes it easy to review and see when a new document needs to be created or an existing one needs to be updated.
The ISO 27001 ISMS Documentation Toolkit also includes:
- A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant;
- Helpful dashboards and gap analysis tools to ensure your ISMS meets all the requirements of the Standard; and
- Direction and guidance from expert ISO 27001 practitioners.