Managing ISO27001 Documentation

20th March 2020


For an organisation looking to demonstrate its information security capability, whether to reduce risk, attract customers or avoid financial or legislative penalties, the international standard ISO/IEC 27001:2013 is the benchmark most commonly used for independent, external validation.

In this blog, we will look into how best to manage ISO27001 documentation, including what’s required and the ongoing steps you must take.

Digesting 30+ pages containing over 150 specific requirements

You’ll start to notice the repeated phrase ‘shall retain documented information’. This sets the expectation that you document and retain policies, procedures and work instructions (controlled documents).

Alongside these controlled documents, you must also keep the records that demonstrate your compliance with the many ISO27001 requirements.

This is not a trivial requirement: even the smallest organisation will typically have more than 100 controlled documents and supporting records, and larger, more complex businesses significantly more.

For each controlled document, resources need to be provided so that it is:

  • Understood in terms of what is required, in the context of the organisation’s security posture
  • Properly and clearly drafted, in a style that colleagues can easily understand
  • Progressed through a cycle of formal reviews and final approval sign-off
  • Either published as “live” once approved, or returned to the originator if not approved
  • Communicated to the organisation, so people understand its location and purpose
  • Subject to regular reviews, including during internal audit assessments
  • Readily updated to reflect changing requirements or organisational developments

However, very few organisations get this right the first time. Common issues and errors arise from:

  • Insufficient time or resources to prepare documentation properly
  • Not understanding the requirements of ISO27001, and so producing non-compliant documents
  • Inexperience in document authoring, or a lack of clarity, hindering widespread adoption
  • Not involving business stakeholders to ensure the documentation is accurate
  • Misalignment between policies, procedures and their supporting records

We’ve already helped hundreds of organisations worldwide to address their ISO27001 documentation needs.

With over 20 years’ experience, we have produced a set of documentation templates and forms to address the most common requirements, which:

  • Address the mandatory elements of ISO/IEC 27001:2013
  • Have been used as the basis for many successful ISO27001 external assessments
  • Have been authored by experienced ISO27001 Lead Auditors and Implementers
  • Provide well-structured content that is easily edited to meet each customer’s needs
  • Are written in plain English, helping to highlight the activities and controls needed
  • Will save your organisation significant time and effort compared with creating your own content

Through our Documentation page, you’ll note that we have a range of documentation packs, which can be purchased and downloaded individually or together:

  • Pack 1: ISO27001 Essentials
  • Pack 2: Policy Kit
  • Pack 3: Internal Audit Kit
  • Pack 4: Supporting Information
  • Pack 5: Information Security A4 Awareness Posters

Need some support?

We’re here for you. Get in touch with our team to discuss your requirements.
