What documentation do you need for ISO 27001?

| Sieuwert van Otterloo | Security

If you want an external auditor to certify your information security management system (ISMS), you need to store documentation for all elements in your policy. To make audits go swiftly and smoothly, you should store all documented information in one easy-to-access place. In this post we provide an overview of what information needs to be stored and give practical guidelines on how to structure all documentation. We strongly recommend that every team decide how to manage its documentation as soon as possible.

Policy documentation

The following is a minimal list of information that all organisations should have, because these are required elements. They are required by both the best-known standard, ISO 27001, and the more agile standard, Security Verified. When setting up an ISMS you should create a starting document or list for each of these items. You should also decide where to keep the official latest version of each document.

A security policy document. This is a management document (prepared by the information security team, adopted by top management) listing the scope, goals and main principles of the information security management system. This document should be available to management, leadership and the security team. We recommend not including too many technical details. If you can keep this document high-level, it only has to be updated and re-approved once a year.

Operating procedures. If you want to evaluate and improve your procedures, you need a good description of each procedure as it is followed by all staff. To reach a basic level of security, you need descriptions for many common procedures. Examples are employee screening, onboarding, PC and server installation, firewall changes, and physical security. You can start with one document listing all procedures, accessible to all senior staff. In larger organisations, you will probably want to split it into multiple documents. One procedure that is mandatory is the procedure for reporting data breaches.

Staff guidelines. In any ISMS there will be rules that apply to most or all staff, such as the obligation to take security seriously and to manage passwords carefully. We recommend creating one overall staff guidelines document and making it available to all staff.

Lists and inventories

The following items typically use a list or spreadsheet based structure.

Asset inventory. The goal of information security is to protect the information assets. To do this properly, you need to have a list of assets. In this detailed article we explain what you need to document exactly.

Risk inventory. You need to maintain a list of all risks. There are many ways to do this; one way is to use this simple risk management methodology.

Incident register. You will need to log every incident, so that you can keep track of each one and make sure you made an immediate fix and later took additional measures to prevent risks in the future. We recommend including not only serious incidents in this register, but also other signals, such as questions from employees and stakeholders.

Statement of Applicability (SoA). It is mandatory under ISO 27001 that you have a document called ‘Statement of Applicability’. This document is a list in which you record which of the typical security measures from the ISO 27001 appendix you have implemented. If you have not implemented a measure, you must document your reason for not implementing it. If you do implement something, you must add a pointer to further information on what you implemented and how. Many organisations maintain two versions: a clean, external version that can be shared with stakeholders, and an internal version with additional practical information for the information security team.

Security calendar. It is useful for audit purposes to have one calendar with all upcoming security activities (training, management review, team meetings, audits, security tests). This makes it easier for auditors to see how much and what type of effort the organisation is making.

Meeting minutes

Information security team meeting minutes. The information security team should meet regularly and apply PDCA: they should check if controls are working, act upon incidents and issues, make new plans and decide on new actions. While doing this, they will probably review and update some of the documents. It is important to keep detailed minutes as evidence that the work was executed.

Management review meeting minutes. It is mandatory under ISO 27001 and Security Verified that management is involved and that they approve key documents such as the security policy. This happens in a regular management review meeting and should be documented in some way.

Other documentation

Supporting evidence. The evidence folder of your ISMS can contain any documents that show that controls are executed and/or effective. This can include filled-in checklists, signed documents and test reports. You must guard consistency: only include evidence that is clearly linked to a specific policy. For example, it only makes sense to include a PEN-test report as evidence if there is a policy that refers to PEN-tests. Store all evidence in subfolders depending on type. Ideally every control is repeated regularly, so each folder should have multiple items.

Data processing agreements. The data processing agreement or bewerkersovereenkomst is a mandatory document under Dutch privacy law. You must have a signed agreement for each supplier that receives access to personal data from you (outgoing). You must also have a signed agreement with each supplier that you receive personal data from (incoming). Create two subfolders to keep the incoming and outgoing documents separated.

Audit reports. If you want to be compliant with ISO 27001, you must have an internal audit programme that describes how and how often internal audits are executed. There should be one folder where you can see the outcomes of all previous audits, and it should also be clear (from meeting minutes or from separate documents) how audit findings have been addressed. Note: under the lighter, more agile standard Security Verified, it is not mandatory to have an internal audit programme. It is still recommended to have a place to store audit reports, as it is still required to address any findings from audits that do take place.

Where and how to store documents

Each team can decide for itself how to store documents. In theory you could store all information as printed documents in a binder in the office. In practice most organisations choose an online solution: they use a network drive, a cloud drive or an online platform such as Confluence or SharePoint.
Whichever solution you choose, remember the basic principles of CIA (explained in our post on asset inventory). You must make sure that each document is available to the people who need it (Availability). You should also make sure that you can see when and by whom the latest changes were made (Integrity), and you must make sure that only people who need the information have access (Confidentiality). You will also need version control. Different people should not work simultaneously on different versions, and you should not distribute new versions via email but rather keep the latest version in a central place.


Image credit: Timetrax23 via Flickr

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.