ISO 27001 Information Security - Clause 7.5 Creating your documents

7.5 Documented information

ISO uses the term 'documented information' to cover what we traditionally think of as documents or records, and the ISO 27001 standard has very specific requirements for documented information. The following lists those requirements. Where the requirement clearly refers to records, it's noted here in brackets.

• Clause 4.3 ISMS Scope
• Clause 5.2 Information security policy
• Clause 6.1.2 Information security risk assessment - process documentation (records)
• Clause 6.1.3 (d) Information security risk treatment - Statement of Applicability
• Clause 6.1.3 Information security risk treatment - Risk treatment process - process documentation (records)
• Clause 6.2 Information security objectives and planning to achieve them
• Clause 7.2 Competence (records)
• Clause 8.1 Operational planning and control (records)
• Clause 8.2 Risk assessment results (records)
• Clause 8.3 Risk treatment results (records)
• Clause 9.1 Monitoring and measurement results (records)
• Clause 9.2 ISMS internal audits (records of programme and audits conducted)
• Clause 9.3 ISMS management reviews (records)
• Clause 10.1 Nonconformities and corrective actions (records)
• Annex Control - A5.1.1 Information security policies
• Annex Control - A6.2.1 Mobile device policy
• Annex Control - A6.2.2 Teleworking (remote working) policy
• Annex Control - A8.1.1 Inventory of assets
• Annex Control - A8.1.3 Acceptable use rules / policy
• Annex Control - A9.1.1 Access control policy
• Annex Control - A10.1.1 Policy for the effective use of cryptography
• Annex Control - A10.1.2 Policy for the management of cryptographic controls
• Annex Control - A11.2.9 Clear desk and clear screen policy
• Annex Control - A12.3.1 Data backup policy
• Annex Control - A13.2.1 Information transfer policy. Some organizations choose to address this alongside business rules for classification. While ISO 27001 does not specify a documented classification policy, that may assist in satisfying that requirements of clause A8.2
• Annex Control - A14.2.1. Secure development policy
• Annex Control - A15.1.1 Information security policy in supplier relationships

Of course, you may also choose to have other documents to support your ISMS.

Tips on creating documents

When creating documented information, you need to ensure that you use appropriate:

• Identification and description
  This might be a title, date, author, owner, reference number, or various forms of metadata. Note: Metadata is information stored by document management software about a document in order to facilitate searches. It might include document type, topic, owner, relevant business unit, relevant location, security classification, and keywords. At this point, let's dispel one of the great myths surrounding management systems: ISO does not specify that your system documents have to be numbered at all. In traditional management systems, very creative numbering systems were often used to convey information about what the file contained. With modern software applications, that role is performed much more effectively by metadata and search functions. Ultimately, the choice is yours.
• Format
  This might include language, media, and file format for electronic documents (e.g. docx, pdf, xlsx etc.). Accessibility issues should be considered. It can be useful to have a corporate style guide or series of templates to help ensure consistency of format. We generally like to include the security classification of a document in a prominent place (such as in the header). That is in addition to it being included in the metadata of document management software.

Exampes of all the policies listed are included in our ISO 27001 InfoSec Toolkit - available in Qudos 3 IMS software. The software also provides a great solution for efficient document management. Contact us to find out more. In the next blog in this series, we'll talk more about document management.