For an organization to be ISO 27001 compliant, there is a list of mandatory documents it must produce.
But how do you decide which policies and procedures to document, and what level of detail is needed?
Each clause of the standard specifies whether the requirement in that clause must be documented. You can tell a document is mandatory by reading ISO 27001 itself: the standard states clearly what needs to be documented, using a phrase such as “The organization shall retain documented information of …”. Where that phrase appears there is nothing to decide; you must write the document if you want to be compliant with the standard.
The list of mandatory documents and records prescribed by ISO 27001:
- Scope of the ISMS.
- Information security policy and objectives.
- Risk assessment and risk treatment methodology.
- Statement of Applicability.
- Risk treatment plan.
- Risk assessment report.
- Records of training, skills, experience, and qualifications.
- Monitoring and measurement results.
- Internal audit program.
- Results of internal audits.
- Results of the management review.
- Results of corrective actions.
There are also some non-mandatory documents that can be used. The list of non-mandatory documents and records mentioned by ISO 27001:
- Procedure for document control.
- Procedure for internal audit.
- Bring your own device (BYOD) policy.
- Mobile device and teleworking policy.
- Password policy.
- Procedures for working in secure areas.
- Clear desk and clear screen policy.
- Backup policy.
- Information transfer policy.
Keep in mind that even when the standard doesn’t explicitly require something to be documented, it might be useful for the organization to have additional policies and procedures written down. Here are some criteria that can help in making that decision:
- Risks and the requirements of interested parties.
- Size of the company.
- Importance and complexity of the activity or process.
It is important to note that ISO 27001 does not cover all the information security requirements imposed by local laws and regulations in particular countries. Therefore, to be compliant with all applicable legislation, a company will need to implement additional safeguards beyond those the standard requires.