Besides the question what controls you need to cover for ISO 27001 the other most important question is what documents, policies and procedures are required and have to be delivered for a successful certification. The biggest goal of ISO 27001 is to build an Information Security Management System (ISMS). That is a framework of all your documents including your policies, processes and procedures and others that I will cover here in this article.
What is the problem?
The biggest challenge for CISO’s, Security or Project Managers is to understand and interpret the controls correctly to identify what documents are needed or required. Unfortunately, ISO 27001 and especially the controls from the Annex A are not very specific about what documents you have to provide. ISO 27002 gets a little bit more into detail. Here you can find controls that specifically name what documents and what kind of documents (policy, procedure, process) are expected. The challenge of every framework is, that it is just a frame you have to fill with your own paint to show your big picture. The list of required documents we are seeing today comes from best practices and experiences over many years but also experience we have from other ISO framework implementations (e.g. ISO 9001).
What kind of documents are expected?
Essentially each framework is a collection of documented rules, guidelines, best practices or methods. This collection comes in form of policies, processes, procedures, instructions, or any other form that prove the implementation of your security controls and measures. Obviously, these papers are in office formats like Word, Excel, PowerPoint or PDF. But often you can also find system configuration files, logs, database extracts, network plans, etc.
How many documents do you commonly find in your ISMS?
When you look at a usual ISMS from a medium sized business you usually find about 50 to 100 documents. But you can say there are at least 30 mandatory documents you have to deliver to get certified. It always depends on what controls you have covered; how big your organization is or how intense you are going with your policies, procedures or processes.
What mandatory documents are required for ISO27001:2013?
Here you can find the complete list of mandatory and optional documents you should have. These documents include the ones that are necessary to define or describe the implementation of your Information Security Management System (ISMS) and your Risk Management. And also, the ones that show the organization and implementation of your information security and controls. You could also use it as an example for your internal audit plan, stage 1 checklist or compliance checklist.
Mandatory documents for the management of the ISMS and risks:
- Scope or area of application of the ISMS
In this article you can find “How to define an write your scope statement“.
- Statement of Applicability
- Inventory of Assets
- Risk Management process or procedure
- Risk Treatment plan
- Risk Assessment Report
- Security Roles and Responsibilities
Mandatory policies you have to deliver according ISO 27001 Annex A:
- Information Security Policy (A.5.1.1)
- Mobile Device Policy (A.6.2.1)
- Remote Access / Teleworking Policy (A.6.2.2)
- Access Control Policy (A.9.1.1)
- Cryptography Policy (A.10.1.1)
- Cryptography Key Management Policy (A.10.1.2)
- Clear Desk and Screen Policy (A.11.2.9)
- Acceptable Use of Information Assets Policy (A.8.1.3)
- Communications (Information Transfer) Policy (A.13.2.1)
- Secure Development Policy or Plan (A.14.2.1)
- Supplier Management Security Policy (A.15.1.1)
Mandatory procedures or processes according to ISO 27001 Annex A:
- Information Classification and Management
- Asset Management
- Vulnerability Management (see “Modern and Agile Vulnerability and Patch Management Process“)
- Management of (Removable) Media and Storage Devices
- User Access Management
- Working in secure areas
- Change Management
- Capacity Management
- Backup and Recovery
- Information Security Incident Management
- Business Continuity Plan
Other mandatory documents:
In addition to the specified policies and procedures above you should also have these documents available to prove the implementation of your controls:
- Adequate job descriptions of your employees dealing with information security
- Trainings of your staff (especially IT personnel)
- Audit plans
- Internal and external audits (e.g. pentests, assessments) and the results
- Maintenance plans and performed maintenance work (especially for your data centers)
- Any kind of logs, KPI’s, key figures, configuration files, network plans, etc.
- Meeting minutes (showing the discussion of risks and overall security topics)
List of not mandatory or optional documents:
- Physical and Environmental Security
- Information Transfer
- Privacy and Protection of personal information
- Information Security Strategy
- Logging Concept
- Password Policy
- Vulnerability Management Policy
- Awareness plans
The given list of policies, processes and procedures is just an example of what you can expect. I got a small organization certified with these documents. But that does not mean that you can get away with it. The number of documents required also depends on the size of the company, on the business area, which regulations or laws must be complied with or what is your overall goal for security, etc. Sometimes it is even better to write less than too much. Always keep in mind that everything that is written down must also be verifiable and provable.