In any ISO standard, documents play a big role in achieving compliance. They serve as a channel for communication, and they also act as evidence of the actions you have taken, including corrective actions. If you are working towards ISO 27001 certification and building an effective Information Security Management System (ISMS), you will find the following article very helpful.

Mandatory ISO 27001 documents

Here is a list of the documents you must produce if you wish to become compliant with ISO 27001, together with the clause or Annex A control (numbered as in ISO 27001:2022) that requires each of them. They include:

  • Scope of the ISMS, usually documented in an ISMS scope document; the requirement is in clause 4.3.
  • Information security policy, usually documented in an information security policy document; the requirement is in clause 5.2.
  • Risk assessment and risk treatment process; the requirements are in clauses 6.1.2 and 6.1.3.
  • Statement of Applicability, which lists the controls you have included or excluded and the justification for each; the requirement is in clause 6.1.3.
  • Risk treatment plan; the requirements are in clauses 6.1.3 e), 6.2 and 8.3.
  • Information security objectives; the requirement is in clause 6.2.
  • Risk assessment and risk treatment report; the requirements are in clauses 8.2 and 8.3.
  • Inventory of assets, where organisations record their information and other associated assets (often alongside the risk register); the requirement is in Annex A, control A.5.9.
  • Acceptable use of assets, usually documented in the IT security policy; the requirement is in Annex A, control A.5.10.
  • Incident response procedure, usually part of the incident management procedure; the requirement is in Annex A, control A.5.26.
  • Statutory, regulatory and contractual requirements, where control A.5.31 requires organisations to identify and document the legal, regulatory and contractual requirements that apply to them.
  • Documented operating procedures for information processing facilities; the requirement is in control A.5.37.
  • Definition of information security roles and responsibilities, usually set out in employment terms and in confidentiality or non-disclosure agreements; the relevant controls are A.6.2 and A.6.6.
  • Definition of security configurations for hardware, software, services and networks; the requirement is in control A.8.9 (configuration management).
  • Secure system engineering principles, usually documented in the secure development policy; the requirement is in control A.8.27.


Arranging the documents as per the requirements of ISO 27001

However, there is a point that business owners must remember when arranging the documents as per the requirements of ISO 27001. Like any other ISO standard, ISO 27001 allows organisations a great deal of liberty. The documents should be an accurate reflection of the organisation's own policies and procedures, which means they should be tailored to the scope of the ISMS rather than copied from a generic template.

Hence, the documents or records called for by Annex A controls are only mandatory if the corresponding control is relevant to your risks and requirements. In other words, these documents hold value only where the control addresses a risk identified in your risk assessment, meets the needs and expectations of interested parties, or is demanded by an interested party such as a customer or regulator. You can find more information by reading our ISO 27001 checklist article.

Mandatory ISO 27001 records

Before we list the mandatory records, let us distinguish between a document and a record. The purpose of a record is to serve as evidence, that is, to "record" an action that was taken in the organisation. Because it is evidence, a record should not be altered once it has been created; clause 7.5.3 requires documented information to be protected against loss of integrity.

In contrast, ISO 27001 documents describe how things should be done (policies, procedures and plans), and therefore they are expected to be reviewed and updated as the ISMS changes. Examples of mandatory records include:

  • Training, skills, experience and qualifications, as per clause 7.2.
  • Monitoring and measurement results, as per clause 9.1.
  • Internal audit programme, as per clause 9.2.
  • Results of internal audits, as per clause 9.2.
  • Results of management reviews, as per clause 9.3.
  • Results of corrective actions, as per clause 10.2.
  • Logs of exceptions, user activities and security events, as per control A.8.15.

Non-mandatory ISO 27001 documents

Beyond the mandatory items, ISO 27001 and Annex A describe certain records and documents that are not required for certification. Although you do not need them to achieve or uphold compliance, they are helpful to the security team as a way of clarifying how a control is applied and as a reference. Examples of these non-mandatory documents include:

  • Procedure for document and record control, as per clause 7.5.
  • Procedure for conducting an internal audit, as per clause 9.2.
  • Procedure for conducting and implementing corrective actions, as per clause 10.2.
  • Information classification policy, as per controls A.5.10, A.5.12 and A.5.13.
  • Information transfer policy, as per control A.5.14.
  • Access control policy, as per control A.5.15.
  • Password policy, as per controls A.5.16, A.5.17 and A.8.5.
  • Supplier security policy, as per controls A.5.19, A.5.21, A.5.22 and A.5.23.
  • Disaster recovery plan, as per control A.5.29.
  • Mobile device and working-from-home policy, as per control A.6.7.


Conclusion

One of the biggest reasons why implementing ISO 27001 is considered difficult is that it is a "document-heavy" standard that requires a specific set of mandatory documents and records. ISO Council can help you in your endeavour by simplifying your documentation process through our expert guidance.