information security management ISMS documents ISO 27001 documentation ISO 27001 documents

How to Prepare ISO 27001 Documents for Effective ISMS Implementation

by Benson Thomas

Introduction

The certification of the ISO 27001 is an important process that organizations must complete in order to gain access to sensitive data and show their awareness of the international standards. One of the main components of this certification is that of preparing the required ISO 27001 documents. Compliance does not only come with proper documentation, but builds your Information Security Management System (ISMS).

How to Prepare ISO 27001 Documents for Effective ISMS Implementation

The ISO 27001 Documentation Is Important Why?

ISO 27001 is geared towards confidential information protection, integrity as well as availability.

Documentation is that which proves that your organization:

  • Knows its security threats.

  • Has operational policies and procedures to curb such risks.

  • Is able to comply with audits.

Your audit of ISO 27001 may fail, despite having strong security practices, without documentation.

Types Of ISO 27001 Documents

The ISO 27001 documentation is widely separated into mandatory documents and records.

1. Mandatory Documents

There are required documents that establish the what, why and who of your ISMS. These include:

  • Information Security Policy: A document at a high level which defines the commitment  of your organization to information security.
  • Scope of ISMS: This identifies the scope of your ISMS, i.e. locations, processes, and assets.
  • Risk Assessment Procedure: Explains the process of risk identification, analysis and evaluation.
  • Risk Treatment Plan: Describes the steps to be taken to reduce the risks.

  • Statement of Applicability (SoA): List of all the ISO 27001 controls with an explanation of the ones applied.
  • Roles and Responsibilities: Indications of specific roles of information security        management.

2. Records

Records present evidence that there are procedures and policies observed. They are historical and cannot be changed after they are made. Examples include:

  • Completed risk assessments

  • Audit reports

  • Training records

  • Incident reports

 

How to Prepare ISO 27001 Documents for Effective ISMS Implementation

 

How To Prepare ISO 27001 Documents Step-By-Step.

The following is a feasible way of developing ISO 27001 documents:

Step 1: Define Your ISMS Scope

Define the extent of your ISMS before developing documents. Consider:

  • Locations covered

  • Departments involved

Types of processed information.

The scope is a documentation which makes the auditors be aware of the limits of your ISMS.

Step 2: Compose Information Security Policy.

The ISO 27001 relies on your Information Security Policy. It should:

  • Show best practice in top management.

  • Establish information security goals.

  • Be made known to the employees.

All other documents and procedures are based on this policy.

Step 3: Perform Risk Assessment.

Risk assessment process determines possible threats and vulnerabilities. Key steps:

  • Determine assets and information.

  • Determine potential risks

  • Assess the risk probability and effects.

  • Rank risks to be treated.

 By documenting the process, transparency and accountability will be achieved.

Step 4: Develop Risk Treatment Plan.

After identifying risks, determine the way to reduce them. Include:

Table of selected controls of ISO 27001 Annex A.

  • Responsibilities on implementation.

  • Deadlines and follow-up

The Statement of Applicability is supposed to provide an overview of the controls that are adopted and the reasons.

Step 5: Determine Roles and Responsibilities.

Information security roles are clearly documented including:

  • ISMS manager

  • Risk owners

  • IT personnel

  • Employees

Role definition helps to avoid confusion and makes the roles in an organization stronger.

Step 6: Formulate Supporting Procedures.

The ISO 27001 demands several supporting procedures including:

  • Access control procedure

  • Incident management process.

  • Business continuity process.

  • Asset management procedure

Every procedure must have a clear description of the steps, responsibilities and evidence needed.

Step 7: Maintain Records

Record and retain documents to show compliance including:

  • Training completion logs

  • Audit reports

  • Corrective actions

  • Incident reports

During auditing, records are very necessary and must be laid out and easily accessed.

Efficient ISO 27001 Documentation Tips.

  1. Apply Templates: Templates save time and are consistent.

  2. Simplify Documents: Simple, brief, and effective documents are simpler to apply.

  3. Periodic Review: Review and update documents on a regular basis particularly when processes or risks change.

  4. Make it Accessible: Keep the documents in one location, and preferably in a digital format that is under control.

  5. Employee Awareness: Educate personnel on policies and procedures to make them compliant.

Common Mistakes To Avoid

  1. Unnecessarily complexifying documents.

  2. Failure to update documents with changes in the processes.

  3. Lack of connection between policies and procedures and the real practices.

  4. Disregard of record-keeping and evidence collection.

  5. These errors are to be avoided to guarantee a successful ISO 27001 audit.
How to Prepare ISO 27001 Documents for Effective ISMS Implementation

Conclusion

It is possible that the preparation of the ISO 27001 documents is overwhelming, however, with a planned approach, it is easier. Pay attention to required documents, supporting procedures, and records and make them clear, available, and accurate. Compliance through proper documentation is not only ensured but also enhances the overall information security posture of your organization.

More from: information security management ISMS documents ISO 27001 documentation ISO 27001 documents
Back to ISO 27001 ISMS