ISO 27001:2013 Documentation Requirements

At Dionach we often get asked what documentation is required for ISO 27001. Beyond the obvious information security policy, there are quite a few policies and procedures that are required in various sections of the standard. For the most part we find that some requirements are already met by existing company policies and procedures, for example the internet and email use policy, the employee handbook or a larger information security policy. The ISO 27001 gap audits that we perform will pick up any missing policies. My colleague James took a systematic approach to the specific documentation requirements and reviewed ISO 27001:2013 for these words: “documented”, “formal”, “policy”, “procedure” and “agreement”, wherever the word indicated a specific requirement for that section. I’ve collated this information into the following table. There may be some debate on whether anything but “documented” or “formal” strictly requires the information security control to be documented; however, “policy”, “procedure” and “agreement” give a strong indication that documentation is a very good idea for an effective ISMS. In the table, “Doc” is documented, “For” is formal, “Pol” is policy, “Proc” is procedure and “Agr” is agreement.
| Section | Section Heading | Doc. Required |
|---|---|---|
| 4.3 | Scope | Doc |
| 5.2e | Information Security Policy | Doc, Pol |
| 6.1.2, 8.2 | Information Security Risk Assessment | Doc |
| 6.1.3, 8.3 | Information security risk treatment | Doc |
| 6.2 | Information security objectives and planning to achieve them | Doc |
| 7.2 | Competence | Doc |
| 7.5 | Documented information | Doc |
| 8.1 | Operational planning and control | Doc |
| 9.1 | Monitoring, measurement, analysis and evaluation | Doc |
| 9.2 | Internal audit | Doc |
| 9.3 | Management Review | Doc |
| 10.1 | Improvement; Nonconformity and corrective action | Doc |
| A.5.1.1 | Information Security Policy | Pol |
| A.6.2.1 | Mobile Device Policy | Pol |
| A.6.2.2 | Teleworking | Pol |
| A.7.1.2 | Terms and conditions of employment | Agr |
| A.7.2.3 | Disciplinary Process | For |
| A.8.1.3 | Acceptable use of assets | Doc |
| A.8.2.2 | Labelling of information | Proc |
| A.8.2.3 | Handling of assets | Proc |
| A.8.3.1 | Management of removable media | Proc |
| A.8.3.2 | Disposal of Media | Proc |
| A.9.1.1 | Access Control Policy | Doc, Pol |
| A.9.2.1 | User Registration and De-registration | For |
| A.9.2.2 | User Access Provisioning | For |
| A.9.2.4 | Management of secret authentication information of users | For |
| A.9.4.2 | Secure log-on procedures | Proc |
| A.10.1.1 | Policy on the use of cryptographic controls | Pol |
| A.10.1.2 | Key Management | Pol |
| A.11.2.9 | Clear desk and clear screen policy | Pol |
| A.11.5.1 | Working in secure areas | Proc |
| A.12.1.1 | Documented Operating Procedures | Doc, Proc |
| A.12.3.1 | Information Backup | Pol |
| A.12.5.1 | Installation of software on operational systems | Proc |
| A.13.1.2 | Security of network services | Agr |
| A.13.2.1 | Information Transfer Policies and procedures | For, Pol, Proc |
| A.13.2.2 | Agreements on information transfer | Agr |
| A.13.2.4 | Confidentiality or non-disclosure agreements | Doc, Agr |
| A.14.2.1 | Secure Development Policy | Pol |
| A.14.2.2 | System change control procedures | For, Proc |
| A.14.2.5 | Secure System Engineering Principles | Doc |
| A.15.1.1 | Information Security Policy for Supplier Relationships | Doc |
| A.15.1.2 | Addressing security within supplier agreements | Agr |
| A.15.1.3 | Information and communication technology supply chain | Agr |
| A.15.2.2 | Managing changes to supplier services | Pol, Proc |
| A.16.1.1 | Responsibilities and procedures | Proc |
| A.16.1.5 | Response to Information Security Incidents | Doc, Proc |
| A.16.1.7 | Collection of evidence | Proc |
| A.17.1.2 | Implementing information security continuity | Doc, Proc |
| A.18.1.1 | Identification of applicable legislation and contractual requirements | Doc |
| A.18.1.2 | Intellectual property rights | Proc |
If you want the statistics, 14 management sections require documentation, as do 39 Annex A sections. If you would like help with any aspect of ISO 27001, please see our ISO 27001 services.