While implementing an ISO 27001-compliant ISMS (information security management system) in your organisation may seem overwhelming, you can prepare yourself for creating and managing the documentation side.
ISO 27001 documentation – the hardest part
The hardest, most exhausting part of achieving ISO 27001 certification is documenting the ISMS. Even if you’re developing one that takes guidance from ISO 27002 but not pursuing certification, the documentation will still be the hardest part.
The risk assessment, the selection of controls, the implementation of security improvements – these look hard, but, in comparison, they’re quite straightforward.
The Standard itself is a slim document, but the documentation that is necessary to create an effective system can push up toward a thousand pages, particularly in more complex businesses.
The resource, time and management implications of making that happen are immense. In a smaller organisation, where much less documentation is required, the resources to tackle the task are also more limited.
Then there’s the issue of how exactly to do it. If you’ve never built a quality management system – or an ISMS – before, there’s a lot of learning (some of it by costly trial and error) before you get the documentation formula and process working effectively. And that’s time and credibility down the drain – costs you can ill-afford when there’s an ISMS to build.
What needs to be documented in your ISO 27001 project?
- The information security policy, the scope statement for the ISMS, the risk assessment, the information security objectives, the Statement of Applicability and the risk treatment plan.
- The management framework documentation.
- The underpinning procedures (which should include responsibilities and required actions) that implement specific controls. A procedure describes who has to do what, under what conditions, or by when. These procedures (there would probably be one for each of the implemented controls) can be on paper or electronic.
- Documents that deal with how the ISMS is monitored, reviewed and continually improved, including measuring progress towards the information security objectives.
Consultants can be expensive
Many organisations turn to outside consultants. But consultants are expensive and don’t necessarily leave an organisation owning the ISMS, and this sense of ownership is crucial for your long-term success. The logical alternative, therefore, is to buy a set of model pre-written policies and procedures. Pre-written policies and procedure should accelerate the whole project, reducing trial and error and helping towards early adoption of best practice. You can purchase ‘policy generators’ on the Internet. The problem is, they’re usually only at the policy level, not at the detailed procedure and work instruction level – and that’s where all the hard work really is. They’re not necessarily logically aligned with the Standard either, and they simply don’t give the detailed, point-by-point drafting advice that is required if they are to be truly useful.
Content is critical in effective solutions. It should be well researched, practical and pragmatic, and it should follow industry-standard routines. It should be as instantly recognisable to a quality manager as it is to a line manager or IT technician. And it should be in an application as easy to edit and customise as MS Word.
Pre-written policies and procedures should accelerate your project, by
- Saving you research time
- Speeding your policy deployment
- Improving your procedure writing
- Simplifying and speeding implementation
Most importantly, you don’t want hundreds and hundreds of policies – after all, ISO 27001specifically only requires seven policies – what you need is a set of procedures that really enable you to implement ISO 27001.
The right ISO 27001 package
It’s not enough that the documents are put together well. You have to able to customise them. You need a combination of on-the-page customisation advice and a real-world support service that can provide feedback and help when you’re not sure how a specific issue should be tackled. Without that combination of support, it’s difficult to get full value from any pre-written policies and procedures.
Our conclusion: the defining role of pre-written ISO 27001 documents
The ISO 27001 ISMS Documentation Toolkit is a unique product, it costs less than a day of a consultant’s time and it’s packaged with 12 months of online drafting support and advice. It makes it easier for organisations of all sizes, anywhere in the world, to succeed with an ISMS project. It’s spent the last three years helping organisations all over the world achieve ISO 27001 certification.
It contains a pre-written information security manual (including a model information security policy and a model Statement of Applicability) as well as 120 pre-written policies, procedures and templates. It has detailed, ‘at the point you need it’ guidance and comes packaged with 12 months of automatic updates and 6 months of documentation support – a unique facility for you to get email answers about policy and procedure drafting issues.