ISO 27001 Information Security - Clause 7.5 Creating your documents
24th August 2022 - ISO 27001 Information Security in plain English - Blog post #14.
ISO 27001 - Clause 7.5 Documented information. Article on creating the required documents for your ISMS (Information Security Management System).
ISO 27001 Information Security in plain English
Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard. However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blogs articles that explains all clauses and controls in the standard.
7.5 Documented information
ISO uses the term 'documented information' to cover what we traditionally think of as documents or records, and the ISO 27001 standard has very specific requirements for documented information. The following lists those requirements. Where the requirement clearly refers to records, it's noted here in brackets.
- Clause 4.3 ISMS Scope
- Clause 5.2 Information security policy
- Clause 6.1.2 Information security risk assessment - process documentation (records)
- Clause 6.1.3 (d) Information security risk treatment - Statement of Applicability
- Clause 6.1.3 Information security risk treatment - Risk treatment process - process documentation (records)
- Clause 6.2 Information security objectives and planning to achieve them
- Clause 7.2 Competence (records)
- Clause 8.1 Operational planning and control (records)
- Clause 8.2 Risk assessment results (records)
- Clause 8.3 Risk treatment results (records)
- Clause 9.1 Monitoring and measurement results (records)
- Clause 9.2 ISMS internal audits (records of programme and audits conducted)
- Clause 9.3 ISMS management reviews (records)
- Clause 10.1 Nonconformities and corrective actions (records)
- Annex Control - A5.1.1 Information security policies
- Annex Control - A6.2.1 Mobile device policy
- Annex Control - A6.2.2 Teleworking (remote working) policy
- Annex Control - A8.1.1 Inventory of assets
- Annex Control - A8.1.3 Acceptable use rules / policy
- Annex Control - A9.1.1 Access control policy
- Annex Control - A10.1.1 Policy for the effective use of cryptography
- Annex Control - A10.1.2 Policy for the management of cryptographic controls
- Annex Control - A11.2.9 Clear desk and clear screen policy
- Annex Control - A12.3.1 Data backup policy
- Annex Control - A13.2.1 Information transfer policy. Some organizations choose to address this alongside business rules for classification. While ISO 27001 does not specify a documented classification policy, that may assist in satisfying that requirements of clause A8.2
- Annex Control - A14.2.1. Secure development policy
- Annex Control - A15.1.1 Information security policy in supplier relationships
Of course, you may also choose to have other documents to support your ISMS.
Tips on creating documents
When creating documented information, you need to ensure that you use appropriate:
- Identification and description
This might be a title, date, author, owner, reference number, or various forms of metadata. Note: Metadata is information stored by document management software about a document in order to facilitate searches. It might include document type, topic, owner, relevant business unit, relevant location, security classification, and keywords. At this point, let's dispel one of the great myths surrounding management systems: ISO does not specify that your system documents have to be numbered at all. In traditional management systems, very creative numbering systems were often used to convey information about what the file contained. With modern software applications, that role is performed much more effectively by metadata and search functions. Ultimately, the choice is yours.
This might include language, media, and file format for electronic documents (e.g. docx, pdf, xlsx etc.). Accessibility issues should be considered. It can be useful to have a corporate style guide or series of templates to help ensure consistency of format. We generally like to include the security classification of a document in a prominent place (such as in the header). That is in addition to it being included in the metadata of document management software.
Exampes of all the policies listed are included in our ISO 27001 InfoSec Toolkit - available in Qudos 3 IMS software. The software also provides a great solution for efficient document management. Contact us to find out more. In the next blog in this series, we'll talk more about document management.
About the series 'ISO 27001 Information Security in plain English'
This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.
This blog series began with an introductory webinar. A copy of the slide deck is available for you here:
Click the LinkedIn Follow button below to receive notifications.
There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.
Ready to start your journey to ISO 27001?
The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.
Contact us today to discuss your needs!