We are a small datacentre operating in XXXXX and we are in the process of implementing ISO27001. The business has grown from a small family company and thus lacks a lot of documentation (which is mainly in my head!).
My question is relating to the structure of the documentation, I'm writing the documentation on XXXX and it's going to be (initially) located in a XXXXX.
I want to make the structure as easy to read/use as possible, so I'm thinking of having sub-folders for the likes of Employee procedures, Data-protection policies, and then the ISMS.
However, some documentation which would be intended for Employee use (e.g. Computer Acceptable Use Policy) would also form a policy under the ISMS for ISO27001. The same applies for Data Protection Policies (such as Data Portability procedures) - this would be covered in the ISMS and Data Security, so I'm uncertain where to locate it.
I guess to cut a long story short, everything I've seen seems to suggest placing all procedures and policies in the ISMS folder, but logically to me that wouldn't work.
Can you offer any advice?
Answer: ISO 27001 does not prescribe how you must organize your documents, so you can place them in whatever way is more useful and easier for your employees to understand.
My suggestion to you is to keep in the ISMS folder only the high-level policies and procedures (e.g., information security policy, document control procedures, internal audit procedure, etc.), and keep specific policies and procedures in the folders most related to them (e.g., the backup policy could be kept in the folder that contains the IT staff documentation).