Please consider updating your browser. Some parts of the website may not function as intended.

ISO 27001 Documentation: What’s Required and What’s Optional

Man with lots of documents on his desk

Documenting your information security management system (ISMS) for evidence of compliance with the ISO 27001:2013 standard can be confusing as it is not clear which documents are mandated and which are discretionary. Consequently, most of us overcompensate and produce far more paperwork than we need causing redundant and conflicting policies to confuse our stakeholders, staff and of course the Auditors.

Here’s a reminder on the documents that are specifically required by the standard — where an Auditor would expect to find them — and which ones are optional.

What Is the Required ISO 27001 Documentation?

ISO 27001:2013 Specifically Requires the Following Documented Policies:

  • Access Control Policy
  • Acceptable Use of Assets Policy
  • Mobile Device Policy
  • Teleworking Policy
  • Cryptographic Controls Policy
  • Key Management Policy
  • Clear Desk & Clear Screen Policy
  • Backup Policy
  • Information Transfer Policies (and Procedures)
  • Secure Development Policy

While these policies are mandated by control requirements found in Annex A of the standard, if you decide that they are not relevant to your organisation (for example Cryptography) then they are not needed but be prepared to justify this to your Auditor.

Depending on the organisation the required list of policies above may need supplementing by other policies to provide a comprehensive information security environment. Typical examples are policies governing external visitors or a policy on the length and composition of passwords. These additional policies would be in the ‘good to have’ category.  Let’s look at a few more.

What Are Optional “Good to Have” ISO 27001 Documents?

There can be several optional documents depending on the type and size of the organisation but the following documents that are good to have — are relevant to just about everyone:

  • Written Procedure for Document Control
  • Documented procedure for Internal Audit
  • Documented Information Classification Policy
  • Documented Business Continuity Plan

One final point. While the ISO 27001 standard requires specific documentation detailing policies and procedures, it is also a good idea to document specific actions and activities which can serve as evidence of compliance. The minutes of meetings, for example, provide documentary evidence to the auditor that the activities are taking place.

Other typical activities worth documented in include:

  • The Information Security Team Assessments of Non-conformities or Reported Incidents
  • The Risk Committee Development of the Risk Treatment Plan
  • Internal Audit Scheduling and Reports
  • Management Review of the Information Security Management System

Need a Hand?

It can seem like a gruelling task to define and write your documentation, but it doesn’t have to be. Risk Crew consultants can support you with all your ISO 27001 requirements to help you achieve compliance, including:

Risk Crew also provides Security Penetration Testing, we can be your partner in helping you gain ISO compliance and help you stay compliant.

Leave a Reply

Your email address will not be published.

Risk Crew