This blog has been updated to reflect industry updates. Originally published 24 March 2016.
Although ISO 27001 is built around the implementation of information security controls, none of them are universally mandatory for compliance.
That’s because the Standard recognises that every organisation will have its own requirements when developing an ISMS, and that not all controls will be appropriate.
Instead, organisations are required to perform activities that inform their decisions regarding which controls to implement. In this blog, we explain what those processes entail and how you can complete them.
Mandatory certification requirements
The two most important activities when implementing ISO 27001 are:
- Scoping your ISMS (clause 4.3), in which you define what information needs to be protected; and
- Conducting a risk assessment and defining a risk treatment methodology (clause 6.12), in which you identify the threats to your information.
Organisations are also required to complete the following mandatory clauses:
- Information security policy and objectives (clauses 5.2 and 6.2)
- Information risk treatment process (clause 6.1.3)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit programme (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
And the Annex A controls?
Annex A outlines the controls that are associated with various risks. Depending on the controls your organisation selects, you will also be required to document:
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4);
- Inventory of assets (clause A.8.1.1);
- Acceptable use of assets (clause A.8.1.3);
- Access control policy (clause A.9.1.1);
- Operating procedures for IT management (clause A.12.1.1);
- Secure system engineering principles (clause A.14.2.5);
- Supplier security policy (clause A.15.1.1);
- Incident management procedure (clause A.16.1.5);
- Business continuity procedures (clause A.17.1.2);
- Statutory, regulatory and contractual requirements (clause A.18.1.1); and
- Logs of user activities, exceptions and security events (clauses A.12.4.1 and A.12.4.3).
The Statement of Applicability
We can’t delve into the ins and outs of all these processes here (you can take a look at our website for more information), but it’s worth highlighting the SoA (Statement of Applicability), an essential piece of documentation within the information risk treatment process.
The SoA outlines which Annex A controls you have selected or omitted, and explains why you made those choices. It should also include additional information about each control and link to relevant documentation about its implementation.
Tackling the documentation process
As you begin your compliance project, you’ll notice that the documentation process is a lot more time-consuming than the implementation of the requirements themselves.
Each clause comes with its own documentation requirements, meaning IT managers and implementers will have to deal with hundreds of documents. Each policy and procedure must be researched, developed, approved and implemented, which could take months.
Making the documentation process easy
Organisations can simplify the compliance process with our ISO 27001 ISMS Documentation Toolkit.
Developed by ISO 27001 experts, this set of customisable templates will help you meet the Standard’s documentation requirements with as little hassle as possible.
You can embed the documentation directly in your organisation, saving you time and money, and with access to support over 12 months, you can be assured of expert help if you’re unsure about anything related to the ISO 27001 documentation process.