ISO27001security.

com

Mandatory ISMS documentation

fIsButton1fLayoutInCell1

Mandatory Information Security Management System Documents Required for ISO/IEC 27001 Certification
By Osama Salah and Gary Hinson 16th January 2009

Introduction
Members of the ISO27k Implementers’ Forum often ask which documents are explicitly mandated for certification of their Information Security Management System (ISMS) against ISO/IEC 27001:2005. Since opinions vary somewhat, we have compiled the following table by referencing and explaining certain clauses from the standard, particularly but not only those under clause 4.3 Documentation requirements. An ISMS is intended to bring information security under management control in order to ensure that it satisfies and is maintained to continue satisfying the organization’s information protection requirements. Documentation is an important element of any management system because it clarifies the management processes and activities for users of the system and interested parties (including certification auditors). The notes to clause 4.3.1 Documentation, plus the following clauses 4.3.2 Control of documents and 4.3.3 Control of records lay out in some detail what is required of the documentation for the purposes of the certification audit. There is more to it than red tape! If you take care to produce good quality documentation, it is more likely that your ISMS will meet the organization’s objectives, not just those of the standard and the auditors. Clause 1.2 of the standard specifies that compliance with clauses 4 through 8 inclusive is mandatory for certification. The italicized ISO/IEC 27001 extracts in the table below explicitly mandate certain documents, while additional documentation requirements may be inferred or implied from some clauses. Furthermore, in practice, organizations usually produce and use additional documents for their own purposes, beyond the minimal set stated in ISO/IEC 27001. The interpretation column in the table provide additional guidance based on our experience but this is not definitive. The titles of documents may vary in practice and in some cases there may be multiple variants (e.g. risk assessment reports for different situations, systems etc.).

Purpose
The table below can be used by the organization as a checklist prior to a certification audit to confirm that everything is in order, and to collate the mandatory documents ready for the auditors to review. It can also be used up front when planning and implementing the ISMS as a guide to the documentation that will have to be created and produced. We have provided a status column for such purposes.

Copyright
fIsButton1fLayoutInCell1 This work is copyright © 2009, ISO27k Implementers' Forum, some rights reserved. It is licensed under the Creative Commons Attribution-NoncommercialCopyright © 2009 ISO27k Implementers’ Forum

Page 1 of 8

Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Implementers’ Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this.

ISO27001security.com

Mandatory ISMS documentation

The mandatory ISMS documents
Documents mandated by ISO/IEC 27001
4.3.1 General Documentation shall include records of management decisions …     Designed Allocated Drafted Approved Records of key management decisions regarding the ISMS e.g. minutes of management meetings, investment decisions, mandating of policies, reports etc. [not individually specified in the standard apart from the following specific items …] Information security policy set matching the characteristics of the business, the organization, its location, [information] assets and technology, being a “superset of” (i.e. including) both of the following: The ISMS documentation shall include: a) Documented statements of the ISMS policy (see 4.2.1.b) and objectives;     Designed Allocated Drafted Approved An ISMS policy defining the objective-setting management framework for the ISMS, giving it an overall sense of direction/purpose and defining key principles. The ISMS policy must: • • • • b)     Designed Allocated Drafted Approved Take account of information security compliance obligations defined in laws, regulations and contracts; Align with the organization’s strategic approach to risk management in general; Establish information security risk evaluation criteria (the “risk appetite”); Be approved by management.; and

Status

Interpretation

4.3 Documentation requirements

Information security policy or policies specifying particular information security control objectives or requirements in one or more documents [these should also be approved by management to have full effect].

Copyright © 2009 ISO27k Implementers’ Forum

Page 3 of 8

Documents mandated by ISO/IEC 27001
c) The scope of the ISMS (see 4.2.1.a))                    

Status
Designed Allocated Drafted Approved Designed Allocated Drafted Approved Designed Allocated Drafted Approved Designed Allocated Drafted Approved Designed Allocated Drafted Approved

Interpretation
ISMS scope defining the boundaries of the ISMS in relation to the characteristics of the business, the organization, its location, [information] assets and technology. Any exclusions from the ISMS scope must be explicitly justified. Information security procedures i.e. written descriptions of information security processes and activities e.g. procedures for user ID provisioning and password changes, security testing of application systems, information security incident management response etc. Controls documentation e.g. technical security standards, security architectures/designs etc. and probably referencing ISO/IEC 27002 (details very between ISMSs). Risk assessment methods i.e. policies, procedures and/or standards describing how information security risks are assessed, probably referencing ISO?IEC TR 1335-3 and/or ISO/IEC 27005. Risk assessment reports documenting the results/outcomes/recommendations of information security risk assessments using the methods noted above. For identified risks to information assets, possible treatments are applying appropriate controls; knowing and objectively accepting the risks (if they fall within the risk appetite); avoiding them; or transferring them to third parties. The reference to 4.2.1c-g implies that information security control objectives and controls should be identified in these reports.

d) Procedures and controls in support of the ISMS

e)

f)

A description of the risk assessment methodology (see 4.2.1.c))

g) The risk assessment report (see 4.2.1.c) to 4.2.1.g))

h) The risk treatment plan (see 4.2.2.b)

   

Designed Allocated Drafted Approved

Risk treatment plan i.e. a [project?] plan describing how the identified information security control objectives are to be satisfied, with notes on funding plus rôles and responsibilities.

ISO27001security.com

Mandatory ISMS documentation

Documents mandated by ISO/IEC 27001
i) Documented procedures needed by the organization to ensure the effective planning, operation and control of its information security process and describe how to measure effectiveness of controls (see 4.2.3.c)

Status

Interpretation

   

Designed Allocated Drafted Approved

ISMS operating procedures i.e. written descriptions of the management processes and activities necessary to plan, operate and control the ISMS e.g. policy review and approvals process, continuous ISMS improvement process.

j)

   

Designed Allocated Drafted Approved

Information security metrics describing how the effectiveness of the ISMS as a whole, plus key information security controls where relevant, are measured, analyzed, presented to management and ultimately used to drive ISMS improvements. See 4.3.3 below. “Records” means information security paperwork such as user ID authorizations, and electronic documents such as system security logs, that are used routinely while operating the ISMS and should be retained and made available for the certification auditors to sample and check. Collectively, these prove that the ISMS has been properly designed, mandated by management and put into effect by the organization. Statement of Applicability stating the information security control objectives and controls that are relevant and applicable to the ISMS, generally a consolidated summary of the results of the risk assessments, cross-referenced to the control objectives from ISO/IEC 27002 that are in scope.

k) Records required by this International Standard (see 4.3.3)    

n/a

l)

The Statement Applicability

of

Designed Allocated Drafted Approved

4.3.2 Control of Documents

Copyright © 2009 ISO27k Implementers’ Forum

Page 5 of 8

Documents mandated by ISO/IEC 27001
Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions … 4.3.3 Control of records … The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented. 5 Management responsibility    

Status

Interpretation

Designed Allocated Drafted Approved

Document control procedure explaining how ISMS documents are approved for use, reviewed/updated/re-approved as necessary, version managed, disseminated as necessary, marked etc. (see 4.3.2 for the full list). If the organization already has a Quality Management System conforming to ISO 9000, the QMS document control procedure (or equivalent from another management system) may be applied to the ISMS.

   

Designed Allocated Drafted Approved

Records control procedure explaining how records proving conformity to ISMS requirements and the effective operation of the ISMS (as described elsewhere in the standard) are protected against unauthorized changes or destruction. Again, this procedure may be copied from the QMS or other management systems.

ISO27001security.com

Mandatory ISMS documentation

Documents mandated by ISO/IEC 27001
5.2.2 d) The organization shall maintain records of education, training, skills, experience and qualifications (see 4.3.3) … The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives

Status

Interpretation

       

Designed Allocated Drafted Approved Designed Allocated Drafted Approved

Security awareness, training and education records documenting the involvement of all personnel having ISMS responsibilities in appropriate activities (e.g. security awareness programs and security training courses such as new employee security induction/orientation classes). Various other clauses in section 5 mandate management support for information security awareness activities in general, therefore while not directly stated, the requirement for information security awareness materials, training evaluation/feedback reports etc. may be inferred from this section.

6 Internal ISMS audits The organization shall conduct internal ISMS audits at planned intervals …

… The responsibilities and requirements for planning and conducting audits, and for  reporting results and  maintaining records (see  4.3.3) shall be defined in a  documented procedure. 7 Management review of the ISMS 7.1 Management shall review 
Copyright © 2009 ISO27k Implementers’ Forum

   

Designed Allocated Drafted Approved Designed Allocated Drafted Approved Designed

Internal ISMS audit plans and procedures stating the auditors’ responsibilities in relation to auditing the ISMS, the audit criteria, scope, frequency and methods.

While not stated directly, further comments in section 6 re the need for actions arising from audits to be taken without undue delay could be taken to imply that ISMS audit reports, agreed action plans and follow-up/verification/closure reports should be retained and made available to the certification auditors on request. This implies the need to retain records (such as management review plans and reports) Page 7 of 8

Documents mandated by ISO/IEC 27001
the organization’s ISMS at planned intervals (at least once a year) to ensure its continued suitability, adequacy and effectiveness … 7.3 The output from the management review shall include and decisions and actions relating to … 8.2 Corrective action …The documented procedure for corrective action shall define … 8.3 Preventive Action …The documented procedure for preventive action shall define …    

Status

Interpretation

 Allocated  Drafted  Approved

proving that management does in fact review the ISMS at least once a year.

   

Designed Allocated Drafted Approved Designed Allocated Drafted Approved

Corrective action procedure documenting the way in which nonconformities which exist are identified, root-causes are analyzed and evaluated, suitable corrective actions are carried out and the results thereof are reviewed.

Preventive action procedure similar to the corrective action procedure but focusing more on preventing the occurrence of nonconformities in the first place, with such activities being prioritized on the basis of the assessed risk of such nonconformities.
*** End of list ***

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer: Get 4 months of Scribd and The New York Times for just $1.87 per week!

Master Your Semester with a Special Offer from Scribd & The New York Times