Expert Advice Community

Home / ISO 27001 & 22301 / Mandatory documents

Guest

Mandatory documents

ISO 27001 & 22301
  Quote
Guest
Guest user Created:   Apr 13, 2019 Last commented:   Apr 13, 2019

Mandatory documents

ISO 27001 & 22301
As I have been appointed a task of creating an overall IT Security policies and procedures documentation, I have chosen ISO 27001 guidelines to help me define the scope of documentation required for my company to be ISO certified this year + submit the documentation for one of the security requirements imposed by the UK tender framework.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.
Expert
Rhand Leal Apr 13, 2019

The question is : in a small digital agency (up to 20 employees, including management), which documentation and policies / procedures are required and which ones are an overkill for such a small organization like my company?

Answer:

First it is important to note that some documents and records are mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10), and these are:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)

Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happen:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) to which the organization must comply with that demands the application of the control
- There is a top management decision to implement the control, by considering it as good practice.

If none of the above conditions happen, there is no need to implement a document related to that control. Examples of such documents are:
- Inventory of assets (to implement control A.8.1.1)
- Acceptable use of assets (to implement control A.8.1.3)

Considering that, besides the documents to fulfill clauses from the main sections, without a detailed evaluation of an organization, it is not possible to define how many documents an organization would have, and which ones would be an overkill.

These articles will provide you further explanation about ISO 27001 documents and selection of controls:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Apr 13, 2019

Apr 13, 2019

Suggested Topics
Guest user Created:   Jun 10, 2024 ISO 27001 & 22301
Replies: 1
0 0

Non-mandatory documents
Guest user Created:   Jun 13, 2023 ISO 27001 & 22301
Replies: 2
0 0

Who should write mandatory documents in organization?
Guest user Created:   May 17, 2023 ISO 27001 & 22301
Replies: 1
0 0

Mandatory documents