The documents you need for ISO 27001 compliance

If your organisation achieves accredited certification to ISO 27001, it demonstrates to existing and potential customers that your information security management system (ISMS) follows best practices. However, the Standard’s requirements can take a long time to implement. The hardest part is often documenting your compliance, for which you need to produce:

  • The scope of the ISMS (clause 4.3);
  • An information security policy (clause 5.2);
  • A risk assessment and risk treatment methodology (clause 6.1.2);
  • A risk treatment plan (RTP) (clause 6.1.3);
  • A Statement of Applicability (clause 6.1.3 d);
  • Evidence of competence (clause 7.2 d);
  • Documented information that the organisation deems necessary for the effectiveness of the ISMS (clause 7.5.1 b);
  • Evidence of operational planning and control (clause 8.1);
  • The results of the risk assessment (clause 8.2);
  • The results of the RTP (clause 8.3);
  • Evidence of monitoring, and its results (clause 9.1);
  • An internal audit programme and results of audits (clause 9.2);
  • The results of management reviews (clause 9.3); and
  • The results of corrective actions (clause 10.1).

Many of the controls in Annex A also state that organisations need to produce specific documentation, including:

  • Definitions of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4);
  • An inventory of assets (clause A.8.1.1);
  • Acceptable use of assets (clause A.8.1.3);
  • An access control policy (clause A.9.1.1);
  • Operating procedures for IT management (clause A.12.1.1);
  • Logs of user activities, exceptions and security events (clauses A.12.4.1 and A.12.4.3);
  • Secure system engineering principles (clause A.14.2.5);
  • A supplier security policy (clause A.15.1.1);
  • Incident management procedures (clause A.16.1.5);
  • Business continuity procedures (clause A.17.1.2); and
  • Statutory, regulatory and contractual requirements (clause A.18.1.1).

Get help complying with ISO 27001

If you’re overwhelmed by the prospect of producing all this documentation, you should take a look at our ISO 27001:2013 ISMS Documentation Toolkit.

This toolkit includes a set of templates that you can tailor to your organisation’s objectives and controls, making the documentation process easy. It will accelerate your ISO 27001 implementation process, make sure you don’t leave out any crucial information and help you integrate your ISMS documentation into your business processes.

Find out how else we can help you implement ISO 27001 >>

Related Posts

About The Author

Luke Irwin

Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology, and is a one-time winner of a kilogram of jelly beans.