Writing ISO 27001 documentation

Guest user | Created: Aug 01, 2017 | Last commented: Aug 01, 2017

I have roughly 5 departments. Should I give each department manager the full mandatory documents to fill out? For example, for the first mandatory document, the scope. Should I have a scope for each department or should I have one written by me (project manager), which includes all the departments? Does each department need to write the documents or one for the whole company? If you need more elaboration please feel free to ask. I am still in the beginning of the implementation process so at this point there is still confusion. Please help in clearing things up. Any information on the first steps of the process will be much appreciated.


Expert
Rhand Leal Aug 01, 2017

Answer: You should keep the documentation as small and simple as possible. So, considering 5 departments, the best approach should be that you propose drafts for the evaluation of department heads. You should consider writing general documents that can cover all departments, including specific sections for specific situations regarding the departments. If you see this approach cannot cover the department needs, then you should consider writing specific procedures for the departments that need them (in our experience the general documents cover most of the situations).

Regarding scope, you can write a single document covering all departments. This way you can have a systemic view of all your ISMS and avoid excessive administrative work. For more information, please see these articles:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

Examples of documents that can be written for the whole organization are the statement of applicability and the risk assessment report. Examples of documents that should be written by each department are records of monitoring and measurement.

These articles will provide you further explanation about writing documents:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

These materials will also help you regarding writing documents:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
