Organisations looking to comply with ISO 27001 must produce many documents demonstrating the steps they have taken to meet the Standard’s requirements. This enables staff to identify how the Standard applies to their organisation, and provides a framework for staying secure.
You must complete:
- 3 The scope of the ISMS
- 2 Information security policy
- 1.2 Information security risk assessment process
- 1.3 Information security risk treatment plan
- 1.3 d) The Statement of Applicability
- 2 Information security objectives;
- 2 d) Evidence of competence
- 5.1 b) Documented information determined by the organisation as being necessary for the effectiveness of the ISMS
- 1 Operational planning and control
- 2 Results of the information security risk assessment
- 3 Results of the information security risk treatment
- 1 Evidence of the monitoring and measurement of results
- 2 A documented internal audit process
- 2 g) Evidence of the audit programmes and the audit results
- 3 Evidence of the results of management reviews
- 1 f) Evidence of the nature of the non-conformities and any subsequent actions taken
- 1 g) Evidence of the results of any corrective actions
Organisations will also have to complete documents in Annex A, which details a list of controls that must be considered for inclusion in the Statement of Applicability. Although only some of these are mandatory, any control that’s relevant must be documented. This will typically include:
- 7.1.2 and A.13.2.4 Definition of security roles and responsibilities
- 8.1.1 An inventory of assets
- 8.1.3 Rules for the acceptable use of assets
- 8.2.1 Information classification scheme
- 9.1.1 Access control policy
- 12.1.1 Operating procedures for IT management
- 12.4.1 and A.12.4.3 Logs of user activities, exceptions, and security events
- 14.2.5 Secure system engineering principles
- 15.1.1 Supplier security policy
- 16.1.5 Incident management procedure
- 17.1.2 Business continuity procedures
- 18.1.1 Statutory, regulatory, and contractual requirements
How to approach documentation
Given the number of documents you need to complete and the lack of guidance from the Standard, the documentation stage can be incredibly time-consuming and stressful. There is no right way to approach the process, but organisations usually commit to one of three methods.
The first is trial and error, which we wouldn’t recommend. The documentation process is simply too big to go into without a plan, and even though you’ll quickly learn from your mistakes, you’ll burn through a lot of money doing so.
The second method is to bring in consultants to guide you through what you need to know. This is the most expensive approach, but it’s also the safest, reducing the risk of costly mistakes. It’s also the fastest route to ISO 27001 compliance, but don’t expect overnight success: consultants will need to learn your systems and processes before they can begin.
The third method is to purchase a documentation toolkit. These are packages that contain template documents and tools to help you meet the Standard’s requirements. Some toolkits, such as our ISO 27001 ISMS Documentation Toolkit, include direction and guidance from expert ISO 27001 practitioners.
Take a free trial of the ISO 27001 ISMS Documentation Toolkit
Those who want to learn more about our toolkit can take a free trial, which includes key sample templates for you to look at and use. You’ll also be able to experience some of the toolkit’s features, such as:
- An autofill for repetitive information (such as the organisation’s name);
- Our branded documentation toolkits;
- The assignment of roles and responsibilities; and
- The quick assignment of documentation classification levels.