At Dionach we often get asked what documentation is required for ISO 27001. Beyond the obvious information security policy, there are quite a few policies and procedures that are required in various sections of the standard. For the most part we find that some requirements are met as part of existing company policies and procedures, for example in the internet and email use policy, employee handbook or larger information security policies. The ISO 27001 gap audits that we will pick up any missing policies.
My colleague James took a scientific approach to specific documentation requirements and reviewed ISO 27001:2013 for these specific words: "documented", "formal", "policy", "procedure" and "agreement", where the word indicated a specific requirement for that section. I've collated this information into the following table.
There may be some debate on whether anything but "documented" or "formal" strictly requires the information security control to be documented, however "policy", "procedure" and "agreement" give a strong indication that documentation is a very good idea for an effective ISMS.
"Doc" is documented, "For" is formal, "Pol" is policy, "Proc" is procedure and "Agr" is agreement.
|Section||Section Heading||Doc. Required|
|5.2e||Information Security Policy||Doc, Pol|
|6.1.2, 8.2||Information Security Risk Assessment||Doc|
|6.1.3, 8.3||Information security risk treatment||Doc|
|6.2||Information security objectives and planning to achieve them||Doc|
|8.1||Operational planning and control||Doc|
|9.1||Monitoring, measurement, analysis and evaluation||Doc|
|10.1||Improvement; Nonconformity and corrective action||Doc|
|A.5.1.1||Information Security Policy||Pol|
|A.6.2.1||Mobile Device Policy||Pol|
|A.7.1.2||Terms and conditions of employment||Agr|
|A.8.1.3||Acceptable use of assets||Doc|
|A.8.2.2||Labelling of information||Proc|
|A.8.2.3||Handling of assets||Proc|
|A.8.3.1||Management of removable media||Proc|
|A.8.3.2||Disposal of Media||Proc|
|A.9.1.1||Access Control Policy||Doc, Pol|
|A.9.2.1||User Registration and De-registration||For|
|A.9.2.2||User Access Provisioning||For|
|A.9.2.4||Management of secret Authentication information of users||For|
|A.9.4.2||Secure log-on procedures||Proc|
|A.10.1.1||Policy on the use of cryptographic controls||Pol|
|A.11.2.9||Clear desk and clear screen policy||Pol|
|A.11.5.1||Working in secure areas||Proc|
|A.12.1.1||Documented Operating Procedures||Doc, Proc|
|A.12.5.1||Installation of software on operational systems||Proc|
|A.13.1.2||Security of network services||Agr|
|A.13.2.1||Information Transfer Policies and procedures||For, Pol, Proc|
|A.13.2.2||Agreements on information transfer||Agr|
|A.13.2.4||Confidentiality or non-disclosure agreements||Doc, Agr|
|A.14.2.1||Secure Development Policy||Pol|
|A.14.2.2||System change control procedures||For, Proc|
|A.14.2.5||Secure System Engineering Principles||Doc|
|A.15.1.1||Information Security Policy for Supplier Relationships||Doc|
|A.15.1.2||Addressing security within supplier agreements||Agr|
|A.15.1.3||Information and communication technology supply chain||Agr|
|A.15.2.2||Managing changes to supplier services||Pol, Proc|
|A.16.1.1||Responsibilities and procedures||Proc|
|A.16.1.5||Response to Information Security Incidents||Doc, Proc|
|A.16.1.7||Collection of evidence||Proc|
|A.17.1.2||Implementing information security continuity||Doc, Proc|
|A.18.1.1||Identification of applicable legislation and contractual requirements||Doc|
|A.18.1.2||Intellectual property rights||Proc|
If you want the statistics, 14 management sections require documentation, as do 39 Annex A sections.
If you would like help with aspects of ISO 27001, please see our ISO 27001 services.