Documentation requirements for ISO 27001
1) Documented statements of the ISMS policy and Objectives
Policy:- Information security policy set matching the characteristics of the business, the organization, its location, [information] assets and technology, being a “superset of” (i.e.including) both of the following:
An ISMS policy defining the objective-setting management framework for the ISMS, giving it an overall sense of direction/purpose and defining key principles. The ISMS policy must:
Take account of information security compliance obligations defined in laws, regulations and contracts;
Align with the organization’s strategic approach to risk management in general;
Establish information security risk evaluation criteria (the “risk appetite”);
Be approved by management.; and
2) The scope of the ISMS
ISMS scope defining the boundaries of the ISMS in relation to the characteristics of the business, the organization, its location, [information] assets and technology. Any exclusion from the ISMS scope must be explicitly justified.
3) Procedures and controls in support of the ISMS
Information security procedures i.e. written descriptions of information security processes and activities e.g. procedures for user ID provisioning and password changes, security testing of application systems, information security incident management response etc.
Controls documentation e.g. technical security standards, security architectures/designs etc. and probably referencing ISO/IEC 27002
4) A description of the risk assessment methodology
Risk assessment methods i.e. policies, procedures and/or standards describing how information security risks are assessed, probably referencing ISO?IEC TR 1335-3 and/or ISO/IEC 27005.
5) The risk assessment report
Risk assessment reports documenting the results/outcomes/recommendations of information security risk assessments using the methods noted above. For identified risks to information assets, possible treatments are applying appropriate controls; knowing and objectively accepting the risks (if they fall within the risk appetite); avoiding them; or transferring them to third parties.
6) The risk treatment plan
Risk treatment plan i.e.a [project?] plan describing how the identified information security control objectives are to be satisfied, with notes on funding plus roles and responsibilities.
7) Documented procedures needed by the organization to ensure the effective planning, operation and control of its information security process and describe how to measure effectiveness of controls
ISMS operating procedures i.e. written descriptions of the management processes and activities necessary to plan, operate and control the ISMS e.g. policy review and approvals process, continuous ISMS improvement process.
Information security metrics describing how the effectiveness of the ISMS as a whole, plus key information security controls where relevant, are measured, analyzed, presented to management and ultimately used to drive ISMS improvements.
8) Records required by this International Standard
“Records” means information security paperwork such as user ID authorizations, and electronic documents such as system security logs, that are used routinely while operating the ISMS and should be retained and made available for the certification auditors to sample and check.Collectively, these prove that the ISMS has been properly designed, mandated by management and put into effect by the organization.
9) The Statement of Applicability
Statement of Applicability stating the information security control objectives and controls that are relevant and applicable to the ISMS, generally a consolidated summary of the results of the risk assessments, cross-referenced to the control objectives from ISO/IEC 27002 that are in scope.
