Understand the List of Mandatory Documents Required for ISO 27001 ISMS Implementation.

ISO/IEC 27001 is an international standard that provides a framework for an organization's Information Security Management System (ISMS). The standard covers the policies and processes that govern how an organization processes and uses its data. It was originally published in 2005 and revised in 2013.

The ISO/IEC 27001 standard specifies the requirements for an information security management system. The ISMS is built on a set of ISO 27001 mandatory documents for managing information security. ISO 27001 requires these key documents to outline what the organization does and to demonstrate that the organization actually does it. ISO 27001 is the easiest information security certificate to obtain, and it holds the most value. ISO 27001 documents are essential evidence that the Information Security Management System operates effectively. An auditor will take the view that if it is not written down, it does not exist and did not happen. Appropriate documentation and evidence are therefore the foundation of ISO 27001 certification.

Implementing the ISO/IEC 27001 standard involves a number of steps: scoping the project, securing senior leadership commitment to providing the necessary resources, conducting a risk assessment, implementing the required controls, developing the appropriate internal skills, creating policies and procedures to support those activities, implementing technical measures to mitigate risks, conducting awareness training for the whole workforce, continually monitoring and auditing the ISMS, and undertaking the certification audit.

Following is the list of mandatory documents that are required for ISO/IEC 27001 implementation:

  • Scope of the Information Security Management System (ISMS) – clause 4.3
  • Information security policy – clause 5.2
  • Information security objectives – clause 6.2
  • Risk assessment process – clause 6.1.2
  • Operating procedures for information security – clause A.12.1.1
  • Incident management procedure – clause A.16.1.5
  • Business continuity strategy and procedures – clause A.17.1
  • Statutory, regulatory, and contractual requirements – clause A.18.1.1
  • Risk treatment process – clause 6.1.3
  • Statement of Applicability for controls in Annex A – clause 6.1.3 d
  • Risk treatment plan – clause 6.1.3 e
  • Risk assessment report – clause 8.2
  • Definition of security roles and responsibilities (should be in the employment agreement) – clause A.7.1.2
  • Inventory of assets – clause A.8.1.1
  • Acceptable use of assets – clause A.8.1.3
  • Access control policy – clause A.9.1.1

Following is the list of non-mandatory documents:

  • Procedure for document control – clause 7.5
  • Controls for managing records – clause 7.5
  • Procedure for internal audit – clause 9.2
  • Procedure for corrective action – clause 10.1
  • Bring your own device (BYOD) policy – clause A.6.2.1
  • Mobile device and teleworking policy – clause A.6.2.1
  • Software change management policy – clause A.14.2.4
  • Backup policy – clause A.12.3.1
  • Information transfer policy – clause A.13.2
  • Business impact analysis – clause A.17.1.1
  • ISMS continuity controls testing plan – clause A.17.1.3
  • Information classification policy – clause A.8.2
  • User access rights policies, including password control – clause A.9.2
  • Disposal and destruction policy – clause A.8.3.2 and clause A.11.2.7
  • Procedures for working in secure areas – clause A.11.1.5
  • Clear desk and clear screen policy – clause A.11.2.9
  • Organisational change management policy – clause A.12.1.2

Documents from Annex A that become mandatory when the related risks are identified:

  • Confidentiality or non-disclosure agreements – clause A.13.2.4
  • Secure system engineering principles – clause A.14.2.5
  • Supplier security policy – clause A.15.1.1