Posts Tagged ‘ISO 27001 Documents’

Since information security affects businesses around the world, it is important that every organization has an ISO 27001 policy to declare and record its commitment to protecting the information it administers.

First, what is an information security policy?

The information security policy is the driving force behind the requirements of the Information Security Management System (ISMS): it establishes board policy and the information security requirements. The ISO 27001 policy should be a short document, but it must reflect board requirements and organizational reality, and it must respect the requirements of the ISO 27001 standard if you are looking to achieve ISO 27001 certification.

From a practical point of view, it is worth keeping the ISO 27001 policy as simple, complete and comprehensive as possible to allow managers adequate freedom to respond to changing business and security circumstances.

Compiling your information security policy

Compiling your information security policy is not always as simple as it seems, especially in large or complex organisations, and the final policy may have to reflect the final risk assessment and the declaration of applicability.

The ISO 27001 policy must:

  • Set objectives or include a framework for setting its objectives, and establish the overall sense of direction;
  • Consider all corporate, legal, regulatory and contractual security requirements;
  • Establish the strategic context within which the ISMS will be established;
  • Understand the criteria for the evaluation of risk and the structure of the risk assessment.

Getting help with your information security policy

If you’re not sure what your policy should be, or if you need help with other parts of your ISMS documentation, then take a look at the ISO 27001 Documentation Kit. Developed by ISO 27001 experts and used by many clients worldwide, this toolkit contains a complete set of pre-written, ISO 27001-compliant templates to meet your mandatory and supporting documentation requirements.

Proven to save you time and money, this toolkit provides a framework for consistent ISMS documentation that complies with the ISO 27001 standard and can be easily customised and adapted to your business’s needs and objectives.


When you start writing a policy or procedure, you might be surprised by the question of how long it should be. The truth is that ISO 27001 is very flexible in this regard: it allows you to decide for yourself what level of detail you will write into your ISO 27001 documents.

Criteria for deciding the level of detail

Before you start writing your ISO 27001 documentation, you should go through these criteria to decide how detailed your policies and procedures should be:

Complexity level: The more complex the process or activity is, the more detail needs to be written.

Maturity: If a process or activity is complex, but practice has shown that there are few problems with it because employees have been performing it the same way for years and know exactly how it is done, you don’t have to write a very lengthy document.

How often they are performed: If the process or activity is performed rarely, then you will probably have to explain it in more detail – this is because your employees will tend to forget how the process or activity is done; if it is performed very regularly, the document will be much shorter.

Importance/risks: The more important the activity or process, the more detailed the ISO 27001 documents will be, because you want to make sure that everyone understands exactly how to do it.

Compliance: In some cases, you will have auditors coming to your company from regulatory bodies and/or from your important clients – if they expect to see a very detailed policy, then make your life easier and give them that nice-looking, detailed policy.

The decision on the number of ISO 27001 documents you want to have, and on how detailed they must be, is strategic: you need to make that decision even before starting the ISO 27001 project.

See here free samples of ISO 27001 documents that are optimized for smaller and mid-sized companies: Free preview of ISO 27001 Documentation Kit.

The ISO 27001 standard requires only four documented procedures: a procedure for the control of documents, a procedure for internal ISMS audits, a procedure for corrective action, and a procedure for preventive action.

The term “documented” means that “the procedure is established, documented, implemented and maintained”. The ISO 27001 procedure for the control of documents should define who is responsible for approving and revising ISO 27001 documents, how changes and review status are identified, how the documents are distributed, etc. In other words, this ISO 27001 procedure must define how the organization’s flow of documents will function.

The procedure for internal audits must define responsibilities for planning and conducting audits, how audit results are reported, and how the records are maintained. This means that the main rules for conducting the audit must be set.

The procedure for corrective action should define how the nonconformity and its cause are identified, how the necessary actions are defined and implemented, what records are taken, and how the review of the actions is performed. The purpose of this ISO 27001 procedure is to define how each corrective action should eliminate the cause of the nonconformity so that it wouldn’t occur again.

The procedure for preventive action is almost the same as the procedure for corrective action, the difference being that it aims at eliminating the cause of the nonconformity so that it wouldn’t occur in the first place. Because of their similarities, these two procedures are usually merged in one.

Therefore, any other ISO 27001 procedures become mandatory only if the risk assessment identifies unacceptable risks.

You have applied for ISO 27001:2013 certification and you are about to undergo your Stage 1 audit, in which the auditor checks that your ISO 27001 documentation is up to the task. For many organizations, the documentation stage is the most time-consuming part of their ISO 27001 project. For some, documenting the ISMS (Information Security Management System) can take up to 12 months.

Providing the ISO 27001:2013 Documentation for your information security management system (ISMS) is often the hardest part of achieving ISO 27001 Certification. ISO 27001 Documents can run into thousands of pages for more complex businesses.

To get started, there are three approaches to addressing ISO 27001 documentation:


1. Trial and error
Designing the ISMS yourself is very risky and the most time-consuming approach. An ISMS needs a huge amount of detail, and trial and error is a difficult way to tackle this task.

2. External expertise
The second approach is bringing in external expertise from experienced consultants. Though this offers a faster route than trial and error, it is substantially more expensive. ISO 27001 consultants will need time to learn your systems and processes before they can start documenting them, along with any new systems or processes. The advantages of external expertise include a considerable reduction in the risk of failure and a way around resource constraints.

3. ISO 27001 Documentation toolkits
An ISO 27001 Documentation Toolkit can significantly reduce errors and save you a considerable amount of time and money. We highly recommend this approach and have designed a documentation toolkit that exactly meets the requirements of ISO 27001. The ISO 27001 Documentation Toolkit has been developed by ISO 27001 experts, provides all of the mandatory and supporting documentation templates you will require, and is more cost-effective than consultancy fees.

The toolkit includes:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

The ISO 27001 manual is a mandatory document for ISO 27001 certification that describes how the organization maintains its Information Security Management System. It is the umbrella document for the ISMS, and it usually includes the ISMS scope, the role(s) undertaken by the organization, exclusions from the standard, references to relevant documents, and the business process model.

Basically, there are two approaches to an ISO 27001 Information Security Management System (ISMS) Manual:

a) The ISO 27001 Manual could be a document explaining how an organization will meet the ISO 27001 requirements and which procedures will be used in the ISMS, or

b) The ISO 27001 Manual could be a set of all the ISO 27001 documents that are produced for the ISMS – in practice, the idea would be to place all the policies, procedures, working instructions, forms, etc. into a single book so that it is easier to read.

The first approach makes no sense because there is a mandatory document in the ISMS that must describe how a company will implement its information security – it is called Statement of Applicability. It must list all the controls, and define if they are applicable and how they will be implemented. Therefore, the Statement of Applicability has a very similar function to that of the Quality Manual, so an ISO 27001 Manual with the same purpose makes no sense.

Having all the ISMS policies and procedures included in a single ISO 27001 manual makes even less sense. First, most companies implementing ISO 27001 use an intranet for handling documents, so merging documents in electronic form makes them no easier to read. Second, the longer the documents, the smaller the chance that someone will read them, because not every ISMS document is intended for everyone in an organization. Third, since individual ISMS documents change rather often, it would be a nightmare to update such a manual so frequently.

If you’re just starting to implement ISO 27001 in your business, you’re probably in a dilemma about how many ISO 27001 documents you need to have and whether you should write certain policies and procedures or not.

Criteria for deciding what to document for ISO 27001

Well, the first step is simple: check whether ISO 27001 certification requires the document. If the ISO 27001 document is mandatory, there is nothing to think about; you have to write it if you want to comply with the standard.

Here are some criteria that will help you:

Risks: Start by assessing the risks to see whether such a control is needed. If there is no risk, then you certainly will not need a document for it; if there is a risk, this does not mean you have to write a document, but at least you have resolved the question of whether the control is needed or not.

Compliance: Sometimes a regulation or a contractual requirement obliges you to write a specific document; for example, a regulation could require a classification policy to be written.

Size of business: Small businesses will tend to have fewer documents, so avoid writing a procedure for each small process. A multinational organization with 10,000 employees, on the other hand, can write policies, each with a couple of related procedures, and for each procedure a couple of work instructions; at that scale, this approach makes sense.

Importance: The more important a process or activity is, the more likely you will need a policy or procedure to describe it; this is because you want to be sure that everyone understands how to perform the process or activity, in order to avoid interruptions to operations.

Number of people involved: The more people perform a process or activity, the more likely you are to document it. For example, if there are 100 people involved, it will be very difficult to explain verbally to all of them how to perform a particular process; it is much easier to write a procedure that explains everything in detail. On the other hand, if only five people are involved, you can probably explain how the whole process works in a single meeting, so you do not need a written procedure. However, there is one exception: if there is only one person working on a process, you may want to document it because no one else knows how to do it, so that if this person is no longer available, you can continue with your operations.

Complexity: The more complex the process, the more likely a written document is needed (at least in the form of a checklist); it is simply impossible to keep it all in memory.

Maturity: If a process or activity is clearly established, has been performed for years and everyone knows exactly how to do it, it is probably not necessary to document it.

Frequency: If you perform some activities rarely, you should write them down, because you may forget how they are done.

ISO 27001 will help your company comply with increasing government regulation and with demanding industry-specific requirements. Information is a valuable organizational asset that can make or break a company. When properly managed, it allows businesses to operate with confidence and gives them the freedom to grow, innovate and expand their customer base in the knowledge that all their confidential information remains confidential.

ISO 27001 is intended to bring information security under management control, so that it meets, and is maintained so as to continue to meet, the organization’s requirements for the protection of information. Under any certification standard, documented procedures are an important part of a management system, as they clarify the processes and management activities for system users and stakeholders, including certification auditors.

The ISO 27001 procedure for document control defines who is responsible for the approval and revision of ISO 27001 documents, how changes and revision status are identified, how the documents are distributed, etc. In other words, this procedure should define how the organization’s bloodstream (the flow of documents) will function. The procedure for internal audits must define responsibilities for planning and conducting audits, how audit results are reported, and how records are maintained. This means that the main rules for conducting the audit must be addressed.

The corrective action procedure should define how the nonconformity and its cause are identified, how the necessary actions are defined and implemented, what records are made, and how the review of the actions is performed. The purpose of this ISO 27001 procedure is to define how each corrective action should eliminate the cause of the nonconformity so that it does not happen again. The ISO 27001 procedure for preventive action is almost the same as the procedure for corrective action, the difference being that it aims to eliminate the cause of a nonconformity so that it does not happen in the first place. Because of their similarities, these two procedures are usually merged into one.

The ISO 27001 procedures for an Information Security Management System cover the following major parts. They:

  • Take into account market, legal or regulatory requirements and contractual security obligations;
  • Include a framework for setting objectives and establish an overall sense of direction and principles of action with respect to information security;
  • Align with the organization’s strategic risk management context in which the ISMS will be established and maintained;
  • Establish criteria against which risk will be evaluated; and
  • Have been approved by management.