ISO27001security.com Mandatory ISMS documentation

Mandatory Information Security Management System Documents Required for ISO/IEC 27001 Certification

By Osama Salah and Gary Hinson


16th January 2009
Introduction
Members of the ISO27k Implementers’ Forum often ask which documents are explicitly mandated for certification of their Information Security
Management System (ISMS) against ISO/IEC 27001:2005. Since opinions vary somewhat, we have compiled the following table by
referencing and explaining certain clauses from the standard, particularly but not only those under clause 4.3 Documentation requirements.
An ISMS is intended to bring information security under management control in order to ensure that it satisfies and is maintained to continue
satisfying the organization’s information protection requirements. Documentation is an important element of any management system because
it clarifies the management processes and activities for users of the system and interested parties (including certification auditors). The notes
to clause 4.3.1 Documentation, plus the following clauses 4.3.2 Control of documents and 4.3.3 Control of records lay out in some detail what is
required of the documentation for the purposes of the certification audit. There is more to it than red tape! If you take care to produce good
quality documentation, it is more likely that your ISMS will meet the organization’s objectives, not just those of the standard and the auditors.
Clause 1.2 of the standard specifies that compliance with clauses 4 through 8 inclusive is mandatory for certification. The italicized ISO/IEC
27001 extracts in the table below explicitly mandate certain documents, while additional documentation requirements may be inferred or
implied from some clauses. Furthermore, in practice, organizations usually produce and use additional documents for their own purposes,
beyond the minimal set stated in ISO/IEC 27001. The interpretation column in the table provides additional guidance based on our experience,
but this is not definitive. The titles of documents may vary in practice and in some cases there may be multiple variants (e.g. risk assessment
reports for different situations, systems etc.).

Purpose
The table below can be used by the organization as a checklist prior to a certification audit to confirm that everything is in order, and to collate
the mandatory documents ready for the auditors to review. It can also be used up front when planning and implementing the ISMS as a guide
to the documentation that will have to be created and produced. We have provided a status column for such purposes.

Copyright
This work is copyright © 2009, ISO27k Implementers' Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Implementers’ Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this.

Copyright © 2009 ISO27k Implementers’ Forum Page 1 of 8


The mandatory ISMS documents

Columns of the original table: Documents mandated by ISO/IEC 27001 | Status | Interpretation

4.3 Documentation requirements

4.3.1 General

Mandated: Documentation shall include records of management decisions …
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Records of key management decisions regarding the ISMS e.g. minutes of management meetings, investment decisions, mandating of policies, reports etc. [not individually specified in the standard apart from the following specific items …]

Mandated: The ISMS documentation shall include:
Interpretation (covering a) and b) together): Information security policy set matching the characteristics of the business, the organization, its location, [information] assets and technology, being a “superset of” (i.e. including) both of the following:

a) Documented statements of the ISMS policy (see 4.2.1.b) and objectives
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: An ISMS policy defining the objective-setting management framework for the ISMS, giving it an overall sense of direction/purpose and defining key principles. The ISMS policy must:
  • Take account of information security compliance obligations defined in laws, regulations and contracts;
  • Align with the organization’s strategic approach to risk management in general;
  • Establish information security risk evaluation criteria (the “risk appetite”); and
  • Be approved by management.

b) [as above]
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Information security policy or policies specifying particular information security control objectives or requirements in one or more documents [these should also be approved by management to have full effect].

c) The scope of the ISMS (see 4.2.1.a))
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: ISMS scope defining the boundaries of the ISMS in relation to the characteristics of the business, the organization, its location, [information] assets and technology. Any exclusions from the ISMS scope must be explicitly justified.

d) Procedures and controls in support of the ISMS
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Information security procedures i.e. written descriptions of information security processes and activities e.g. procedures for user ID provisioning and password changes, security testing of application systems, information security incident management response etc.

e) [as above]
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Controls documentation e.g. technical security standards, security architectures/designs etc. and probably referencing ISO/IEC 27002 (details vary between ISMSs).

f) A description of the risk assessment methodology (see 4.2.1.c))
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Risk assessment methods i.e. policies, procedures and/or standards describing how information security risks are assessed, probably referencing ISO/IEC TR 13335-3 and/or ISO/IEC 27005.

g) The risk assessment report (see 4.2.1.c) to 4.2.1.g))
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Risk assessment reports documenting the results/outcomes/recommendations of information security risk assessments using the methods noted above. For identified risks to information assets, possible treatments are applying appropriate controls; knowing and objectively accepting the risks (if they fall within the risk appetite); avoiding them; or transferring them to third parties. The reference to 4.2.1c-g implies that information security control objectives and controls should be identified in these reports.

h) The risk treatment plan (see 4.2.2.b)
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Risk treatment plan i.e. a [project?] plan describing how the identified information security control objectives are to be satisfied, with notes on funding plus rôles and responsibilities.

i) Documented procedures needed by the organization to ensure the effective planning, operation and control of its information security process and describe how to measure effectiveness of controls (see 4.2.3.c)
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: ISMS operating procedures i.e. written descriptions of the management processes and activities necessary to plan, operate and control the ISMS e.g. policy review and approvals process, continuous ISMS improvement process.

j) [as above]
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Information security metrics describing how the effectiveness of the ISMS as a whole, plus key information security controls where relevant, are measured, analyzed, presented to management and ultimately used to drive ISMS improvements.

k) Records required by this International Standard (see 4.3.3)
Status: n/a
Interpretation: See 4.3.3 below. “Records” means information security paperwork such as user ID authorizations, and electronic documents such as system security logs, that are used routinely while operating the ISMS and should be retained and made available for the certification auditors to sample and check. Collectively, these prove that the ISMS has been properly designed, mandated by management and put into effect by the organization.

l) The Statement of Applicability
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Statement of Applicability stating the information security control objectives and controls that are relevant and applicable to the ISMS, generally a consolidated summary of the results of the risk assessments, cross-referenced to the control objectives from ISO/IEC 27002 that are in scope.

4.3.2 Control of documents

Mandated: Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions …
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Document control procedure explaining how ISMS documents are approved for use, reviewed/updated/re-approved as necessary, version managed, disseminated as necessary, marked etc. (see 4.3.2 for the full list). If the organization already has a Quality Management System conforming to ISO 9000, the QMS document control procedure (or equivalent from another management system) may be applied to the ISMS.

4.3.3 Control of records

Mandated: … The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented.
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Records control procedure explaining how records proving conformity to ISMS requirements and the effective operation of the ISMS (as described elsewhere in the standard) are protected against unauthorized changes or destruction. Again, this procedure may be copied from the QMS or other management systems.


5 Management responsibility

Mandated: 5.2.2 d) The organization shall maintain records of education, training, skills, experience and qualifications (see 4.3.3)
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Security awareness, training and education records documenting the involvement of all personnel having ISMS responsibilities in appropriate activities (e.g. security awareness programs and security training courses such as new employee security induction/orientation classes).

Mandated: … The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Various other clauses in section 5 mandate management support for information security awareness activities in general, therefore while not directly stated, the requirement for information security awareness materials, training evaluation/feedback reports etc. may be inferred from this section.

6 Internal ISMS audits

Mandated: The organization shall conduct internal ISMS audits at planned intervals …
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Internal ISMS audit plans and procedures stating the auditors’ responsibilities in relation to auditing the ISMS, the audit criteria, scope, frequency and methods.

Mandated: … The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.3.3) shall be defined in a documented procedure.
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: While not stated directly, further comments in section 6 re the need for actions arising from audits to be taken without undue delay could be taken to imply that ISMS audit reports, agreed action plans and follow-up/verification/closure reports should be retained and made available to the certification auditors on request.

7 Management review of the ISMS

Mandated: 7.1 Management shall review the organization’s ISMS at planned intervals (at least once a year) to ensure its continued suitability, adequacy and effectiveness …
Mandated: 7.3 The output from the management review shall include any decisions and actions relating to …
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: This implies the need to retain records (such as management review plans and reports) proving that management does in fact review the ISMS at least once a year.

8.2 Corrective action

Mandated: … The documented procedure for corrective action shall define …
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Corrective action procedure documenting the way in which nonconformities which exist are identified, root causes are analyzed and evaluated, suitable corrective actions are carried out and the results thereof are reviewed.

8.3 Preventive action

Mandated: … The documented procedure for preventive action shall define …
Status: [ ] Designed  [ ] Allocated  [ ] Drafted  [ ] Approved
Interpretation: Preventive action procedure similar to the corrective action procedure but focusing more on preventing the occurrence of nonconformities in the first place, with such activities being prioritized on the basis of the assessed risk of such nonconformities.

*** End of list ***
