With the new revision of ISO/IEC 27001 published only a couple of days ago, many people are wondering what documents are mandatory in this new 2013 revision. Are there more or fewer documents required?
So here is the list – below you will see not only mandatory documents, but also the most commonly used documents for ISO 27001 implementation.
Mandatory documents and records required by ISO 27001:2013
Here are the documents you need to produce if you want to be compliant with ISO 27001: (Please note that documents from Annex A are mandatory only if there are risks which would require their implementation.)
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And here are the mandatory records:
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Non-mandatory documents
There are numerous non-mandatory documents that can be used for ISO 27001 implementation, especially for the security controls from Annex A. However, I find these non-mandatory documents to be most commonly used:
- Procedure for document control (clause 7.5)
- Controls for managing records (clause 7.5)
- Procedure for internal audit (clause 9.2)
- Procedure for corrective action (clause 10.1)
- Bring your own device (BYOD) policy (clause A.6.2.1)
- Mobile device and teleworking policy (clause A.6.2.1)
- Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
- Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
- Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
- Procedures for working in secure areas (clause A.11.1.5)
- Clear desk and clear screen policy (clause A.11.2.9)
- Change management policy (clauses A.12.1.2 and A.14.2.4)
- Backup policy (clause A.12.3.1)
- Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
- Business impact analysis (clause A.17.1.1)
- Exercising and testing plan (clause A.17.1.3)
- Maintenance and review plan (clause A.17.1.3)
- Business continuity strategy (clause A.17.2.1)
So this is it – what do you think? Is this too much to write? Do these documents cover all aspects of information security?
Click here to download a white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision) with more detailed information on the most common ways for structuring and implementing mandatory documents and records.