ISO 27001 documentation: an overview

R66E2T133WImplementing and maintaining an ISMS (information security management system) aligned to ISO 27001 requires  up-to-date, accurate and compliant documentation. This is often where businesses experience nonconformities.

Few companies realise that creating, managing and maintaining the documentation for their ISMS will be the most time-consuming part of their total ISO 27001 project. How you decide to tackle it will be a major determining factor in your overall success.

What are the key requirements for your documentation?

“Documentation has to be complete, comprehensive, in line with the requirements of the Standard and fit your organisation like a glove. A properly managed ISMS will be fully documented. ISO 27001 describes the minimum documentation that should be included in the ISMS, i.e. what is needed to meet the Standard’s requirement that the organisation maintain sufficient records to demonstrate compliance.

“The key test of the ISMS documentation is that it should be adequate, but not excessive, and that it enables each of the processes to be ‘systematically communicated, understood, executed and effective so as to be repeatable and dependable’”, Alan Calder wrote in Nine Steps to Success – An ISO 27001 Implementation Overview.

What should your first steps be?

Once you have determined the controls you need to deploy in light of your risk assessment, you will have an outline of the documentation you will need to include.

“Every one of those controls, together with your approach to identifying and managing risk, your management structure, your decision-making processes and every other component of your ISMS has to be documented; as a point of reference; as the basis for ensuring that there is consistent application over time; and to enable continual improvement.” – Nine Steps.

What needs to be documented?

  • The information security policy, the scope statement for the ISMS, the risk assessment, the various control objectives, the Statement of Applicability and the risk treatment plan.
  • The management framework documentation.
  • The underpinning procedures (which should include responsibilities and required actions) that implement specific controls. A procedure describes who has to do what, under what conditions, or by when. These procedures (there would probably be one for each of the implemented controls) would be part of the policy manual, which can be on paper or electronic.
  • Documents that deal with how the ISMS is monitored, reviewed and continually improved, including measuring progress towards the information security objectives.

Getting documentation help

ISO 27001:2013 ISMS Documentation ToolkitIf you’re about to tackle the documentation part of your project, the ISO 27001 ISMS Documentation Toolkit will help you save time and money otherwise spent creating the documentation from scratch.

The templates developed by leading industry experts will help you meet the requirements of the Standard, ensuring nothing is left out, reduce the room for error and streamline your compliance with ISO 27001:2013.

This toolkit is also specifically designed so that it can easily be integrated into additional management systems, ensuring that the opportunity to build an integrated management system that meets multiple standards is available from the outset.

And unlike others on the market, our toolkit is proven to have helped organisations go on to achieve certification.

Take a free trial and see sample documents from the toolkit here >>