Please note new versions of ISO 27001 and ISO 27002 have now been published.
To learn more about what these updates mean for your organisation, and to buy your copies of ISO 27001:2022 and ISO 27002:2022, please visit our information pages.
Although ISO 27001 is built around implementing an ISMS (information security management system), none of its controls are universally mandatory for compliance.
That’s because the Standard recognises that every organisation is unique and has its own information security requirements.
Instead of taking a one-size-fits all approach, organisations are required to perform activities that inform their decisions regarding which controls to implement. In this blog, we explain what those processes entail and how you can complete them.
Mandatory ISO 27001 requirements
The most important activities when implementing ISO 27001 are:
- Scoping your ISMS
Documenting the ISMS scope means defining what information assets need to be protected.
There will almost certainly be more information and more locations where information is kept than you initially think of, so you must take the time to identify every relevant part of your organisation.
The requirements for doing this are outlined in Clause 4.3 of the Standard.
- Conducting a risk assessment
Clause 6.1.2 of the Standard states that organisations must “define and apply” a risk assessment process.
An information security risk assessment is a formal, top management-driven process and sits at the core of the ISMS.
- Defining a risk treatment methodology
An RTP (risk treatment plan) is an essential part of an organisation’s ISO 27001 implementation process, as it documents the way your organisation will respond to identified threats.
Organisations can determine the best way to modify a risk by looking at the controls listed in Annex A of ISO 27001.
Organisations are also required to complete the following mandatory clauses:
- Information security policy and objectives (clauses 5.2 and 6.2)
- Information risk treatment process (clause 6.1.3)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit programme (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
And the Annex A controls?
Annex A outlines the controls that are associated with various risks. Depending on the controls your organisation selects, you will also be required to document:
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3).
The Statement of Applicability
The SoA (Statement of Applicability) is another essential piece of documentation within the information risk treatment process.
The SoA outlines which Annex A controls you have selected or omitted and explains why you made those choices. It should also include additional information about each control and link to relevant documentation about its implementation.
Tackling the documentation process
As you begin your compliance project, you’ll notice that the documentation process is the most time-consuming part of your ISO 27001 compliance project.
Each clause comes with its own documentation requirements, meaning IT managers and implementers will have to deal with hundreds of documents. Each policy and procedure must be researched, developed, approved, and implemented, which could take months.
Organisations can simplify the compliance process with our ISO 27001 Toolkit.
This set of customisable templates was designed by information security experts, providing simple guidance to help you meet the Standard’s documentation requirements.
You can embed the documentation directly in your organisation, saving you time and money.
A version of this blog was originally published on 24 March 2016.