Having an ISO 27001 system in place mandates a set of documents. These documents may be the most visible manifestation of a system and certainly the starting point for any ISO 27001 auditor.
Naturally before starting to draft documents the organisation will have performed a planning phase and a risk assessment. Annex A contains an excellent starting point but may be too much for a small company or miss some company specific element for others.
Deciding what documents to produce
First of all there is a list of documents (Annex A) which are mandatory, which gives a good starting point. However, there is also a much longer list which are not mandatory, this second list is where problems arise.
The ISO 27001 process demands that the selection of controls must be a direct consequence of the risk assessment and risk treatment process. The consequence of this is you cannot simply select the controls and use documents that you already have or can get templates for.
Performing the risk assessment and risk treatment process thoroughly, will highlight which risks need to be catered for in the documentation.
Having decided on which controls must be applied plus the mandatory documents list, the next decision is the level of detail per document.
In general smaller companies tend to group multiple controls into a single document and not document each control in great depth. Larger companies on the other hand tend to have a document per control with each control described in some depth.
In the 2013 version of ISO 27001 Annex A there are 114 controls. Not all of which are mandatory, but in choosing not to use these controls an organisation needs to make and document a clear choice. A clear choice to adapt the documentation to your real company needs, this flexibility makes ISO 27001 so popular.
Documentation level example
In our experience smaller companies will produce a single document to describe policies and/or procedures that cover several controls.
For example one Access Control Policy document often covers: all the 14 controls from section A.9 (without writing detailed procedures),
A single Bring Your Own Device (BYOD) Policy can cover A.6.2.1 (Mobile device policy), A.6.2.2 (Teleworking), and A.13.2.1 (Information transfer policies and procedures)
The most common policy for all organisation is the Acceptable Use Policy, which normally applies to all employees and can covers controls from various sections of Annex A, A.6.2.1, A.6.2.2, A.8.1.2, A.8.1.3, A.8.1.4, A.9.3.1, A.11.2.5, A.11.2.6, A.11.2.8, A.11.2.9, A.12.2.1, A.12.3.1, A.12.5.1, A.12.6.2, A.13.2.3, and A.18.1.2.
Bigger companies usually produce documentation that is more extensive and detailed:
The different sections from Annex A will be each be covered with a policy – e.g., Organization of Information Security Policy (A.6), Human Resources Security Policy (A.7), Asset Management Policy (A.8), etc.
Within each policy will be detailed procedures or operational procedure instructions (OPIs) that cover individual controls – for example, Information classification procedure (control A.8.2.1), Information labelling procedure (control A.8.2.2), Information handling procedure (control A.8.2.3), etc.
In conclusion one of the great strengths of the ISO 27001 standard is its flexibility and risk driven work structure. This means the document you produce and not written for pro forma reasons but to support your company’s needs.