Arguably one of the most difficult elements of achieving ISO 27001 certification is providing the documentation for the information security management system (ISMS). The documentation that is required to create a conforming system, particularly in more complex businesses, can sometimes be up to a thousand pages.
So which documents do you need to achieve compliance with ISO 27001:2013? The following are the documented information and records that the main clauses of the standard explicitly require:
- 4.3 The scope of the ISMS
- 5.2 Information security policy
- 6.1.2 Information security risk assessment process
- 6.1.3 Information security risk treatment process
- 6.1.3 d) The Statement of Applicability
- 6.2 Information security objectives
- 7.2 d) Evidence of competence
- 7.5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the ISMS
- 8.1 Operational planning and control
- 8.2 Results of the information security risk assessment
- 8.3 Results of the information security risk treatment
- 9.1 Evidence of the monitoring and measurement of results
- 9.2 A documented internal audit process
- 9.2 g) Evidence of the audit programs and the audit results
- 9.3 Evidence of the results of management reviews
- 10.1 f) Evidence of the nature of the non-conformities and any subsequent actions taken
- 10.1 g) Evidence of the results of any corrective actions taken
Many of the controls in Annex A also require specific documentation, including the following in particular:
- A.7.1.2 and A.13.2.4 Definition of security roles and responsibilities
- A.8.1.1 An inventory of assets
- A.8.1.3 Rules for the acceptable use of assets
- A.8.2.1 Information classification scheme
- A.9.1.1 Access control policy
- A.12.1.1 Operating procedures for IT management
- A.12.4.1 and A.12.4.3 Logs of user activities, exceptions, and security events
- A.14.2.5 Secure system engineering principles
- A.15.1.1 Supplier security policy
- A.16.1.5 Incident management procedure
- A.17.1.2 Business continuity procedures
- A.18.1.1 Statutory, regulatory, and contractual requirements
Don’t reinvent the wheel – get pre-written policies and procedures
Having created and managed ISMS documentation for over ten years, our expert consultants have developed a set of pre-written ISMS document templates that are aligned with ISO 27001 and ready for you to tailor to your organization’s objectives and controls.
Containing every document template you are likely to need (both mandatory and optional), as well as additional work instructions, project tools and documentation structure guidance, the ISO 27001:2013 ISMS Documentation Toolkit is the most comprehensive option on the market for completing your documentation.
The IT Governance Professional Services team has worked with organizations around the world to apply management system standards for more than a decade. We can help organizations of any size to achieve certification to ISO 27001. We have consulted on many successful compliance and cultural change projects, and have a track record of over 400 clients successfully certified to ISO 27001. Our team is one of the most experienced in the world, having worked on projects in a wide range of public and private sector organizations across a wide variety of market sectors.