Requirements for achieving ISO 27001 certification

We’ve often heard from our customers that creating, managing and updating the documentation for an ISO 27001-compliant information security management system (ISMS) is one of the hardest parts of achieving certification.

This is especially true for organisations looking to achieve ISO 27001 certification for the first time, or for IT managers new to the Standard themselves.

ISO/IEC 27001:2013 documentation requirements

Within the Standard, there are 18 requirements that explicitly state you need documentation to prove that you comply. Although this number sounds small, each of those instances usually refers to multiple requirements simultaneously. In many cases, you can also package several of the documentation requirements into single documents – for instance, the policy could also include the scope and objectives, which covers three explicit requirements in one document.

And while these are the explicit requirements for documented information, don’t forget that it is often good practice to provide documentation for the other requirements, too. It is essential to maintain records of various types as evidence that your ISMS is actually operating as documented.

In order to avoid nonconformities, documentation is expected to be complete, comprehensive, in line with the requirements of the Standard and tailored to suit the needs of the organisation.

Tackling the documentation

IT managers and implementers will deal with potentially hundreds of documents and records at any one time. Each policy and procedure needs to be researched, created, developed and approved. This can take months, and creating the documents from scratch is confusing, prone to errors and costly, and even then the documents often fail to comply with the Standard.

Using pre-written ISO 27001 templates makes compliance quicker and easier

The ISO 27001 Documentation Toolkit provides assistance throughout your project with pre-written and customisable templates that have been developed by ISO 27001 experts to comply with the Standard as a whole.

All of the templates are fully compliant with ISO 27001:2013, come with 12 months of support, and have been proven to save organisations months of work.

You can see how the toolkit maps to ISO/IEC 27001:2013 by viewing the ISO 27001:2013 Requirements and Control Mapping document here (PDF).

