Expert Advice Community

Controls documentation

Guest user Created:   Aug 05, 2018 Last commented:   Aug 09, 2018

In regards to the documentation of the controls we have decided to implement for 27001 how do we document how we actually do things? Or do we even need to?
Expert
Rhand Leal Aug 05, 2018

Should the control documents simply just state, for instance, that all information should be backed up, etc., or should they state that all information should be backed up and this is what the backup covers, the backup retention, etc.?

I hope this makes sense.

Answer: To be compliant with ISO 27001 it is required to implement some documents and keep some records, such as:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)

This article will provide you with further explanation about mandatory documents and records:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

Regarding documentation of controls, the information that needs to be included (e.g., rules, actions in case of failure, preventive measures, etc.) will depend on the results of the risk assessment, which identifies which controls are needed, which objectives are established for them, and who will be acting upon these documents (e.g., a technical person like a system administrator, or a management person like the head of the IT department).

These articles will provide you with further explanation about security controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

These materials will also help you regarding documents and controls:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Guest
gp_paul Aug 09, 2018

Hi, thanks for the response; however, I'm still not very clear, even having reviewed the links etc. in your response.

What I mean is for example:

We have decided from our risk assessment that we need to implement certain controls that will mean we've decided to have a backup policy, anti-malware policy, information classification policy as well as some others.

When we come to create these documents, how descriptive are the auditors expecting them to be? I.e., in an information classification policy, is it acceptable to simply state that these types of documents should be classified with this level of classification, or are we to be more descriptive, i.e. "This type of document should be classified as 'Restricted'; it should be encrypted, and we have implemented Microsoft Information Protection, which must be used to enforce the encryption."

Or

For anti-malware, is it acceptable to simply state that all organisation machines should have anti-malware protection installed upon them? Or do we need to provide more details to demonstrate how we are protecting ourselves, i.e. "All machines should be configured with this anti-malware product, and it should be configured to scan this and exclude this and prevent this," etc.?

I'm just trying to establish how much detail we should be putting into the documentation of the controls we have decided are needed. In my mind, simply stating that we should have anti-malware on a machine, or that this document should have this type of classification, doesn't really seem to demonstrate to anyone that we have taken sufficient action to mitigate the risk. Saying we should have anti-malware and actually having it are obviously two very different things, so what is it that an auditor would actually be looking for?

Many Thanks

Expert
Rhand Leal Aug 10, 2018

First, it is important to understand that auditors will evaluate documentation not by considering how descriptive it is, but by whether it complies with the standard's requirements, applicable legal requirements, and the needs identified as results of the risk assessment.

Considering that, as guidance for writing the details in your documents you should consider the ISO 27002 standard, a supporting standard that provides the details you are looking for. For example, for the information classification control, this standard recommends that information classification criteria should be reviewed over time. For anti-malware, you should include guidance for users regarding not accessing malicious content and scanning files before using them.

Guidance from this standard can be implemented as needed, so you do not need to implement all of it if you do not identify the need.

This article will provide you with more information about ISO 27002:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

At this link you can buy ISO 27002: https://www.iso.org/standard/54533.html
