As described in our earlier blog, ISO 27001:2013 is the international standard for an information security management system (ISMS). An ISMS manages the risks to information security within an organisation. Organisations can certify against ISO 27001:2013 to provide assurance that security is embedded throughout, and that data is appropriately managed against risks to confidentiality, integrity and availability. An ISO 27001:2013 certified ISMS ensures that requirements for information security are established, implemented, monitored, maintained and improved.
As part of the ISO 27001 implementation process, there are documents and records that are either ‘mandatory’ or ‘recommended’. Not all organisations will have the resources to implement all the recommended documents (and there are many!), so these can be selected according to the organisation’s needs. In this blog I discuss a selection of the mandatory documents and then I highlight a couple of the recommended documents which I think should be created to manage common risks.
Mandatory ISO 27001 Documents
The following mandatory ISO 27001 documents and records are key for a robust ISMS. It doesn’t mean the other mandatory ones (not mentioned) are less important; however, the ones mentioned below lay the foundations and ensure certain actions are repeatable:
- The Scope of the ISMS – The scope is vital to the management of the ISMS. It is an organisational decision on what will be included: this could be the headquarters, or it could be a select number of offices.
- Information Security Policy and Objectives – This high-level document will generally include the scope, the management commitment and the security objectives which should align with the business objectives. During management reviews (which must take place at least annually), these objectives should be reviewed and new ones should be set as the ISMS matures.
- Risk Assessment and Risk Treatment Methodology – The ISMS uses a risk-based approach to managing information security. An organisation may already have a methodology for identifying and managing the risks to different areas of the business. It can choose a different methodology or adapt the current one to assess and treat the information security risks.
- Inventory of Assets – The ISMS requires you to identify assets, including hardware, software or any other type of asset the organisation deems to have value. If these can be identified, they can be listed and accounted for. Once you identify all assets, you can identify the risks to each as well as assign them to individuals.
- Definition of Security Roles and Responsibilities – Assigning roles and responsibilities within the organisation means that individuals will take on certain tasks relating to the ISMS. This should provide reassurance that progress is always being made.
- Statement of Applicability (SoA) – The SoA is a document that lists all 114 controls within ISO 27001:2013 Annex A. Organisations should review these to see which are applicable and how the controls are to be implemented. Some of the controls may not apply. For example, if you don’t develop applications then secure software development controls can be excluded. If a control is excluded, justification for its exclusion must be documented to prove compliance. I’ve blogged separately on the Statement of Applicability here.
- Records of Employee Skills, Training, Experience and Qualifications – This may already be in place through Human Resources, but having documentation of employees’ experience will help you locate those that have knowledge of an ISMS or hold qualifications that are relevant. These should be called upon to assist in the implementation and/or be given a role in its management.
- Logs of User Activities, Exceptions and Security Events – Recording security incidents can help you prove what actions you’ve taken or are going to take to prevent the same event from happening again. Far from showing weakness, it demonstrates continuous learning and improvement.
Recommended ISO 27001 Documents
Among the recommended documents that organisations could include in their ISMS, the following two are simple to implement but provide a valuable layer of information security.
- Password Policy – The number of passwords that we now must remember is onerous and often leads to people creating weak passwords and reusing them across multiple services just so they can remember them. A password policy could recommend a password manager and advise on how to choose good, strong and memorable passwords. The latest NCSC password guidance suggests using passphrases and not mandating regular password changes.
- Information Classification Policy – Different types of information require varying levels of security. Holding a customer name alone requires quite a different level of security to financial, medical or biometric data for example. An Information Classification Policy could help employees determine what level of sensitivity is required for each type of data, describe the labelling process, and explain how to store the data and who will have access to it. It creates clarity for employees and sets a structure to be applied to all information.
If you’re thinking of gaining ISO 27001 accreditation, we’re here to help wherever you are on your decision path. We can help with an initial workshop, carry out a full gap analysis, support your ISO 27001 project or manage your ISMS for you.
If you’d like to understand more about our service, we’d be delighted to hear from you. You can find out more about our ISO 27001 services and you can contact us here.