Documentation Requirements set out in ISO/IEC 27001:2013
For those of you who are currently 'transitioning' to the 2013 version of ISO27001, and who want to keep any additional workload down to a bare minimum, let's start with the optimistic news: No changes should be required to your existing documented procedures concerning control of documentation. However, as for the documents themselves, a lot will depend on the approach that you take to the transitioning process itself.
Here's why. A transition strategy might be one of the following options:
- A straightforward “make-over”, taking the minimum necessary changes to the existing ISMS processes and existing documentation; or
- Take a completely fresh look at the ISMS, using the revised standard to make improvements, which might be quite significant for some organisations.
There are some really good reasons to go for option 2 that merit several more future blog posts, but for the time being, I shall assume that you simply want to make updates to your existing ISMS documentation in time for the assessor's next visit. Also, because you are human, you've left this rather late and don't want to look as if you haven't prepared as well as you should before the fateful day dawns. As always with ISO compliance, the main thing to remember before you make a start is that you need to attend to the Requirements of the Standard first, however tempting it may be to reorganise your Controls; especially given the fact that by now you have probably had the time to peruse for yourself the 114 Control objectives and Controls in the 2013 version of Annex A and realise that they have, to quote an authority on ISO27001 "got mixed up quite a bit".
At this point, it's also worth delivering a timely reminder of the fact that no two organisations are identical in terms of their documentation needs - something that a DMS software developer like CogniDox is fully aware of.
A Note in Clause 7.5 of ISO27001:2013 says: "The extent of Documented Information can differ from one organisation to another due to:
- the size of organization and its type of activities, processes, products and services
- the complexity of processes and their interactions; and
- the competence of persons.
As was the case with the 2005 version, the best advice is not to make life complicated for yourself and your organisation by generating too many documents or going for the 'fine-grained' detail - no matter how tempting!
Identify first what Documented Information is required by the Standard.
Which documents and records are required by ISO27001:2013?
The requirements for documented information are spread throughout the standard. Here's a document checklist and the relevant clause numbers.
|Required Documents||ISO 27001:2013 clause number|
|Scope of the ISMS||4.3|
|Information security policy||5.2|
|(Information on the)
Information security risk assessment process
|(Information on the)
Information security risk treatment process
|Statement of Applicability||6.1.3 d)|
|Information security objectives (and Planning to achieve them)||6.2|
|Evidence of Competence||7.2 d)|
|Documented information determined by the organisation as being necessary for the effectiveness of the ISMS||7.5.1 b)|
|Documented Information of External Origin (necessary for the planning and operation of the ISMS)||7.5.3|
|Operation planning and control (Information necessary to have confidence that processes are being carried out as planned)||8.1|
|Results of the information security risk assessments||8.2|
|Results of information security risk treatment plan||8.3|
|Evidence of the monitoring and measuring of results||9.1|
|Evidence of the audit programme(s) and the audit results||9.2 g)|
|Evidence of the results of the management reviews||9.3|
|Evidence of the nature of non-conformities||10.1 f)|
|Evidence of the results of corrective action||10.1 g)|
|Annex A Control Objectives and Controls - Document RequirementsIn addition to the Requirements, there are a number of Controls listed in the Annex A that require documented information; see the Table below.|
|Inventory of Assets||A.8.1.1 (formerly A.7.1.1)|
|Acceptable use of assets||A.8.1.3 (formerly A.7.1.3)|
|Access Control Policy||A.9.1.1 (formerly A.11.1.1)|
|Documented Operating Procedures||A.12.1.1|
|Confidentiality or non-disclosure agreements||A.13.2.4 (formerly A.6.1.5)|
|Secure systems engineering principles||A.14.2.5|
|Information security policy for supplier relationships||A.15.1.1|
|Response to information security incidents||A.16.1.5|
|Implementing information security continuity||A.17.1.2 (formerly A.14.1.3)|
|Relevant legislative, statutory and contractual requirements||A.18.1.1 (formerly A.15.1.1)|
Cautionary note:– The standard allows other documents to be added to improve the level of information security; therefore, what you see above is by no means a definitive list of documents and records that can be used during the ISO 27001 implementation. For example, organisations often include in their information security management system non-mandatory policy, procedure and control documents such as the ones shown below:
|Documents||ISO 27001:2013 clause number|
|Procedure for document control||7.5|
|Controls for managing records||7.5|
|Procedure for internal audit||9.2|
|Procedure for corrective action||10.1|
|Bring your own device (BYOD) policy||A.6.2.1|
|Mobile device and teleworking policy||A.6.2.1|
|Information classification policy||A.8.2.1, A.8.2.2, A.8.2.3|
|Password policy||A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3|
|Disposal and destruction policy||A.8.3.2, A.11.2.7|
|Procedures for working in secure areas||A.11.1.5|
|Clear desk and clear screen policy||A.11.2.9|
|Change management policy||A.12.1.2, A.14.2.4|
|Information transfer policy||A.13.2.1, A.13.2.2, A.13.2.3|
|Business impact analysis||A.17.1.1|
|Exercising and testing plan||A.17.1.3|
|Maintenance and review plan||A.17.1.3|
|Business continuity strategy||A.17.2.1|
After you have determined the boundaries and applicability of the ISMS to establish its scope, it is then necessary to make the scope available, both within the organisation and to interested parties. The 2013 wording says:
"the scope shall be made available as documented information (4.3), and this term is used in other clauses; for example, from Clause 5.2 Policy:
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.
Documented Information that defines the chosen Risk Assessment Process and Risk Treatment Process required by ISO27001:2013
Documented Information in ISO27001:2013 includes the definition of the risk assessment process that establishes and maintains risk acceptance criteria and criteria for performing risk assessments. The documented results of the risk assessment should identify security risks associated with loss of Confidentiality, Integrity and Availability and the Risk Owners.
These risks are then analyzed in terms of their potential consequences, the realistic likelihood of occurrence is determined, and the levels of risk. It is necessary to define and apply an information security risk treatment process to; select treatment options,
- Determine controls "from any source"
- Compare controls with Annex A
- Produce a Statement of Applicability
- Formulate a treatment plan
- Obtain owners approval of treatments and residual risks
- Retain documented information.
At this point, it is worth a moment to reflect that ISO27001:2013 aligns with the principles and generic guidelines provided by ISO31000, a family of standards in which risk management principles, policy, framework and process documentation, the risk culture of the organisation, and the risk recording and sharing system, are all touched upon in the documentation.
If you would like more information and guidance about ISO27001:2013 Requirements, including Risk Assessment Process options and selecting Control objectives and Controls, I will be writing about this subject in a later post - let me know that you are interested by posting a comment!
Next time: Cyber Essentials: what's all the fuss about another self-assessment process and what is this rumour about penetration testing?
This guest post was written by Michael Shuff. You can email him here.
Find out more about Cognidox Document Management solutions for ISO standards-compliance by downloading our Information Security white paper at http://www.cognidox.com/cognidox/view/VI-403566-TM