Introduction to ISO27001:2022

I’ve been working as an ISO27001 auditor since November 2021. In all the audits I’ve done I can see that some companies make a real mountain out of a molehill when it comes to creating the documentation around the Information Security Management System.

This is a brief, no nonsense, guide to what you need, and what you don’t need in an ISMS.

Let’s start with a brief overview of ISO27001, starting with what it is and what it isn’t. ISO27001 is a “framework” for identifying the information an organisation holds, the threats to that information, the risk levels, and the controls to mitigate those risks. What it isn’t is a guarantee that introducing ISO27001 will mean you are never hacked.

ISO27001 consists of a series of clauses, starting at clause 4 and going up to clause 10, and a series of controls in Annex A. You have to follow the clauses; you can opt out of some controls if they don’t apply to you. I’ll hopefully come to the Statement of Applicability later.

What none of the ISOs do is tell you how to do something. They will tell you what you need to do but not how to do it. You have to read the ISOs carefully. If it says the organisation shall do something, then you had better do it. For example, if the standard says there shall be a cryptographic policy, you’d better have one.

There is also the misapprehension that ISOs are documentation heavy. They don’t have to be, but you do have to be able to justify how you do something to an auditor, and the best way to do that is to document a process or policy. Having said that, it’s important not to do anything purely for the auditor. That’s the tail wagging the dog. You have to do the work for the benefit of your organisation. The documentation you do have should accurately reflect what you actually do. Taking a template ISMS and changing the name to Your Company will be picked up by an auditor, who will take a dim view of it.
