Mandatory documents or not
We have bought your tool kit for implementation ISO27001:2013 and I’ve used the summary enclosed in this mail as guidelines to what we need to implement as we are on a very tight timeline.
Yesterday I was in a meeting with a consultant that we have hired to prepare us for the upcoming certification process. He then asked why I had not produced documents according to the demands in the Annex to which I replied that they are not mandatory to the certification.
He did not agree. My instructions to him has been that we need to apply the least amount of documentation to implement new routines and at the same time get certified. It is our absolute goal to fulfil and implement all requirements but we have to take it slow as I have another fulltime job at our company. I’ve taken on this job as it is often a requirement from my customers and we need to have the certification asap. It is however agreed that we also need the policies and instructions to live by but the further job of implementing och create new ways to get our job done will not be led by me but by a newly recruited CISO (has not yet started).
I’m sorry for the long mail, but I need clarification to this question. We have now 4 weeks left to the pre revision and I must know if I have to make sure that all documentation is produced. I have implemented a lot, and initiated other changes, but the documents are not ready, neither is the implementation completed because I thought I had more time. I would therefore very much like to hear your opinion on the matter.
Examples (not a complete list) that are not mandatory according to your overview is;
A.8.3 Information Classification Policy
A.11.1 Clear Desk and Clear Screen Policy (Note: it may be implemented as part of IT Security Policy)
A.13 Information Transfer Policy (Note: it may be implemented as part of Security Procedures for IT Department)
A.17.2 Business Impact Analysis Methodology
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001:2013 does not require writing Information Classification Policy, Clear Desk, and Clear Screen Policy, and Information Transfer Policy. This can be concluded by reading the related controls in Annex A - if the standard does not say "documented information" then writing a document is not needed. The Business Impact Analysis Methodology is not even mentioned in ISO 27001 because this is a document for ISO 22301.
From our experience, smaller companies usually do the following:
- merge Clear Desk and Clear Screen Policy into the IT Security Policy
- merge Information Transfer Policy into the Security Procedures for IT Department
- write Information Classification Policy only if they selected the classification controls as applicable.
Thank you for your answer.
You refer to Annex A with the following text “This can be concluded by reading the related controls in Annex A - if the standard does not say "documented information" then writing a document is not needed.” So just to make it clearer for me, for instance
A.12.5.1 – Installation of software on operational systems – Control – Procedures shall be implemented to control the installation of software on operational systems
A.12.6.2 – Restriction on software installation – Control – Rules governing the installation of software by users shall be established and implemented.
Or
A.10.1.1 – Policy on the use of cryptographic controls – Control – A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
1 - According to my understanding of your answer these are not required to be documented as it does not specifically say so (see red text above). If a policy and an implementation is required as it is advised in A.10.1.1, shall I really understand it not to be required to be documented?
2 - The documentation that I have purchased does not have templates for all requirements, for instance A.12.4-7. How come? Am I to understand it as A.12.1-3 are supposed to be documented (at least “if applicable) but A.12.4-7 are not?
Versus controls that has the word “documented” in them, as for instance A.12.1.1 Documented operation procedures – Control – Operating procedures shall be documented and made available to all users who need them.
shall be documented.
I am afraid that I am missing something here.
1 - According to my understanding of your answer these are not required to be documented as it does not specifically say so (see red text above). If a policy and an implementation is required as it is advised in A.10.1.1, shall I really understand it not to be required to be documented?
Your understanding is correct. Unless the standard explicitly states that something needs to be documented, you do not need to develop a document.
2 - The documentation that I have purchased does not have templates for all requirements, for instance A.12.4-7. How come? Am I to understand it as A.12.1-3 are supposed to be documented (at least “if applicable) but A.12.4-7 are not?
Versus controls that has the word “documented” in them, as for instance A.12.1.1 Documented operation procedures – Control – Operating procedures shall be documented and made available to all users who need them.
shall be documented.
I am afraid that I am missing something here.
Please note that from section A.12, only control A.12.1.1 explicitly states that documentation needs to be developed. All other controls do not require policies or procedures to be documented.
The toolkit is developed to cover all mandatory documents (e.g., Information Security Policy, ISMS scope, etc.), and the most frequent documents adopted by organizations, to not overwhelm them with the administrative effort to maintain documents.
In case you identify any need to document a control for which there is no template available, you can use the blank template included in your tool kit to develop the document, and you can contact us to solve questions about the development or schedule a meeting so one of our experts can provide orientation on how to develop the documents.
Comment as guest or Sign in
Mar 30, 2023