When implementing an ISO 27001-compliant information security management system (ISMS), you will need to create and manage the ISMS documentation.
ISO 27001: What needs to be documented
The Standard requires you to document a number of policies and procedures in order to demonstrate compliance, including:
- The information security policy, the scope statement for the ISMS, the risk assessment, the information security objectives, the Statement of Applicability and the risk treatment plan.
- The management framework documentation.
- The underpinning procedures (which should include responsibilities and required actions) that implement specific controls. A procedure describes who has to do what, under which conditions, and when. These documents (there would probably be one for each of the implemented controls) can be on paper or electronic.
- Documents that deal with how the ISMS is monitored, reviewed and continually improved, including measuring progress towards the information security objectives.
The ISO 27001 documentation challenges you’ll likely face
According to the ISO 27001 Global Report 2016, creating and managing documentation was one of the top four implementation challenges faced by information security professionals worldwide.
Implementing and maintaining an ISMS requires up-to-date, accurate and ISO 27001-compliant documentation, which involves a lot of manual work to get right.
The resource, time and management implications of creating and managing documentation are immense. Then there’s the issue of how exactly to do it. If you’ve never built a quality management system before – let alone an ISMS – there’s a lot of learning (some of it by costly trial and error) before you get the documentation formula and process working effectively.
Get ahead in creating your own ISO 27001 documentation
The most viable and sensible route is to use tried and tested ISO 27001-compliant templates.
Templates will take away the hassle of creating documentation from scratch, while also helping you decipher the Standard and visualise how its requirements need to be translated into documentation.
Developed by ISO 27001 auditors, the ISO 27001 ISMS Documentation Toolkit contains pre-written documents that cover every aspect of the Standard, and are easily customisable to the scope of your organisation and the controls you choose to implement.
Check out some of the templates below, which are included in the full toolkit: