ISMS documentation
How do I construct an ISMS document and supporting documents?
My management does not agree to do the Business Impact Analysis Worksheet and the Risk and Opportunities Register in order to proceed.
How can I convince them to do so?
I need your continuous support in managing ISMS to achieve certification.
Please note that ISO 27001 does not require Business Impact Analysis to be performed or documented, and it does not require the register of risks and opportunities related to clause 6.1.1. Only risks related to information security need to be recorded (see clauses 6.1.2 and 6.1.3). To try to convince your management to document this information you need to show them that there is some added value for your organization (e.g., it can be used to support other processes, not related to your ISMS scope).
To help you with ISO 27001 implementation, I suggest you take a look at our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
This toolkit contains templates covering the mandatory requirements of the standard, and the most commonly used documents. Additionally, each template is almost 90% complete (you only have to include the details of your organization). As part of the toolkit, you have access to expert advice in the form of our Expert community and online meetings.
These articles will provide you with further explanation about ISO 27001 implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- Conformio (online tool for ISO 27001) https://advisera.com/conformio/
Nov 14, 2019