ISO 27001 certification requires organisations to demonstrate compliance with the Standard through appropriate documentation, which can run to thousands of pages for more complex businesses. For some, documenting an ISMS (information security management system) can take up to 12 months.
Mandatory ISO 27001 documentation and records
The Standard requires you to document a number of policies and procedures in order to show your compliance, including:
- The information security policy, scope statement for the ISMS, risk assessment, information security objectives, Statement of Applicability and risk treatment plan.
- The underpinning procedures that implement specific controls. A procedure describes who has to do what, under which conditions, and when, so each one should set out responsibilities and required actions.
- Documents that deal with how the ISMS is monitored, reviewed and continually improved, including measuring progress towards the information security objectives.
There are a number of non-mandatory documents that can also be used in your ISO 27001 project. Common documents include a password policy, clear-desk policy and BYOD (bring your own device) policy.
Accelerate your ISO 27001 project
Designed and developed by expert ISO 27001 practitioners, the ISO 27001 Documentation Toolkit provides a complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant.
With the ISO 27001 Documentation Toolkit, you can:
- Get professional guidance from expert ISO 27001 practitioners, saving yourself time and avoiding mistakes.
- Work from ISO 27001-compliant documentation that is accurate and aligned with the Standard.
- Embed the documentation into your organisation quickly and easily by using the pre-formatted templates.
- Meet local and global security laws, such as the GDPR (General Data Protection Regulation).