We often talk about ISO 27001 and it being the international cyber security standard, but getting a handle on the Standard, digesting it and directing the rest of the company on what it requires can be quite a difficult task.
The core of the Standard is contained in nine pages (Clauses 4 to 10) that set out the specifications for the design and implementation of an information security management system (ISMS), and in the 13 pages of Annex A, which contains the 114 individual controls that you have to consider for applicability.
Document control requirements
ISO/IEC 27001:2013 explicitly requires the management system to be documented, maintained and made available to all users who need them. This includes the documents explicitly mandated in the text of the Standard, as well as the “documented information determined by the organization as being necessary for the effectiveness of the [ISMS]”.
Many of the Annex A controls recommend specific documentation, such as asset registers, access control policies, and so on; while these aren’t mandatory, most organisations will find that they’re not only best practice, they’re functionally essential. There is also a strong expectation that all information security processes and procedures will be clearly documented.
Contents of the ISMS documentation
Documentation is expected to be complete, comprehensive, in line with the requirements of the Standard and tailored to suit the needs of individual organisations.
Not every organisation has to implement an equally complex documentation structure. The Standard notes that “the extent of documented information can differ from one organization to another due to 1) the size of organization and its type of activities, processes, products and services; 2) the complexity of processes and their interactions; and 3) the competence of persons.”
It’s also important to remember that not all of your documentation will be policies, procedures, processes and work instructions. It is essential to maintain records of various types as evidence that your ISMS is functioning in line with its documentation.
Annex A document controls
There are controls relating specifically to document management in Annex A, which offer solid best-practice guidance for the ISMS, including:
- 8.2.1 Classification of information
- 8.2.2 Labelling of information
- 18.1.3 Protection of records
- 18.1.4 Privacy and protection of personally identifiable information
Tackling the documentation
IT managers and implementers will deal with potentially hundreds of documents and records at any one time. Each policy and procedure needs to be researched, created, developed and approved. This can take months, and creating the documents from scratch is confusing, prone to errors and costly, and the documents often fail to comply with the Standard.
Using pre-written ISO 27001 templates is a viable solution
The ISO 27001 Documentation Toolkit provides assistance throughout your project with pre-written and customisable templates that have been developed by ISO 27001 experts. All of the templates are fully compliant with ISO 27001:2013, come with 12 months of support, and have been proven to save organisations up to seven months of work.
You can see how the toolkit maps to ISO/IEC 27001:2013 by viewing the ISO 27001:2013 Requirements and Control Mapping document here (PDF).
- ISO 27001 ISMS Documentation Toolkit
- The official ISO 27001 and ISO 27002 standards
- Guidance on the ISO 27001/ISO 27002 standards