List of Mandatory Documents required by ISO/IEC 27001 Information Security Management System
ISO/IEC 27001:2013 is an international standard that helps organizations accomplish the security of their information assets. It delivers a management framework for implementing an Information Security Management System to confirm the confidentiality, integrity, and accessibility of all corporate data. The ISO 27001 framework was published in 2013 by the ISO and IEC and belongs to the ISO 27000 family of standards. It is the only internationally familiar certifiable information security standard. ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27001:2013, which describes how to implement information security controls for managing information security risks.
It has been a fair while since ISO 27001:2013 for Information Security Management Systems was published yet its acceptance is only really now starting to gain some traction, just in time for the work on the next revision to actually get proceeding. Like all ISO standards there are set requirements about what must do, ISO list these as "shall", part of these must does is of course documentation and records. It's fair to say that there are a few more requirements in ISO 27001 than some of the other standards but they all do make sense and will lead to an Information Security Management System.
The ISO 27001 Information Security Management standard has an Annex which acts like a check list linked back to risks, some of the document’s requirements are only valid if that particular risk is appropriate to organization.
Mandatory Documents:
ISO 27001 requires a minimum set of policies, procedures, plans, records, and other documented information that are required to become compliant. The following ISO 27001 documents are requiring:
- Scope of the Information Security Management System.
- Information security policy.
- Information security objectives.
- Risk assessment process.
- Risk treatment process.
- Statement of Applicability.
- Risk treatment plan.
- Risk assessment report.
- Definition of security roles and responsibilities.
- Inventory of assets.
- Acceptable use of assets.
- Access control policy.
- Operating procedures for Information Security.
- Secure System Engineering Principles.
- Supplier Security Policy.
- Incident management procedure.
- Business continuity strategy & procedures.
- Statutory, regulatory, and contractual requirements.
Non – Mandatory Documents:
- Procedure for document control.
- Controls for managing records.
- Procedure for internal audit.
- Procedure for corrective action.
- Bring your own device (BYOD) policy.
- Mobile device and teleworking policy.
- Information classification policy.
- User Access Rights Policies with Password control.
- Disposal and destruction policy.
- Procedures for working in secure areas.
- Clear desk and clear screen policy.
- Organizational Change management policy.
- Software Change management policy.
- Backup policy.
- Information transfer policy.
- Business impact analysis.