I'm a college student and now I'm doing my undergraduate thesis about risk management with ISO 27001 controls as the mitigation guide. Or maybe it can be said ISMS planning. I have analyzed risks and got some high level risks that need to be mitigated. But the problem is I don't understand ISO 27001 mandatory documents. How can we define the mandatory documents for our planning, or do we have to do all the documents in the list? Is it explained in the ISO 27001 Information technology - Security techniques - Information security management systems - Requirements document? Can it be adjusted with the ISO 27001 controls that we have chosen?
In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happens:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
- There is a top management decision to implement the control, by considering it as good practice.
If none of the above conditions happen, there is no need to implement a document related to that control.
Besides the documents to fulfill clauses from the main sections, without a detailed evaluation of an organization, it is not possible to define how many documents an organization would have, and which ones would be an overkill.