ISO 27001 Documentation Requirements. And The “ISO 27001 PDF Download Checklist”
It seems that many people look for an ISO 27001 PDF Download Checklist on the web.
We are not in favour of the approach behind an ISO 27001 PDF Download Checklist as we wrote here. Like most ISO standards, successful approval will involve the whole business. Not a checklist in the IT department. Or anywhere else.
We do, however, make our key ISO 27001 PDF download templates available for sale via our shop page. These are not checklists, but the solid foundations for system design. And they are fully remote-supported by our staff .
However, as an ISO Consultant, I’m frequently asked the same question about ISO 27001:-
“So ISO 27001 is all about IT Security isn’t it ?”
Well, “yes”. But mainly “no”.
What Is It About, Then?
The standard is about installing a quality management system. This manages the security of all information held by the organisation (IT security does, of course, play a part in this), As a result has a significantly wide wide reach across a business.
But just how wide?
Here’s a list of the documentation used by us for a recently approved company. Are you sitting comfortably? And this isn’t even the complete version.
Policy for all Staff
Information Security Policy Statement – Statement of system requirements
Information Security – Objectives Table – Progress in implementing the IS Policy Statement
Information Security Management System Manual – System explanation & responsibilities for all staff
Company Organisation Chart
Management Responsibility Statements and Job Descriptions – Documented responsibility statements for those holding security responsibilities
Network and Server Architecture Diagram – Diagram of all the IT network and services covered by the Information Security Management System
Approved Software – Software which can be installed on PS’s as required
Network Capture/Analysis/Scanning Tools – List of network tools that can only be used by IT Support staff
Control of Non-Conformance and Corrective Action Procedure – What to do if you think there is a security breach,and what will be done subsequently. .
Use of Email, Internet, and Social Media – Specifics on use of email, social media etc.
( Possible Addition to the Employee Handbook)
IT Support Procedure – How to log security breaches or any other IT issues you need help with.
Control of Documented Policy & Procedures, – How to update/get a policy or procedure updated
Data and Records
Human Resources Index – Staff Handbook and HR related procedures
Information Security Risk Assessment & Treatment Plan – What the risks are to our information
Statement of Applicability for ISO 27001 – Responses with evidence for the Appendix Compliance Questions
Register of Legislation and Handling – Register of applicable legislation
Business Continuity Plan – How to keep the business running if an emergency occurs.
Supplier and Sub-Contractor Management – How to select sub-contractors and suppliers and what security practices affecting them should be in place
Approved suppliers and sub-contractors list- List of those who have confirmed acceptance of your security practices.
Internal and External Audit Procedure – How to complete ISO audits
ISO 27001 Audit Plan – Schedule/Plan for audits
Audit Report Form Template – Template for audit results
Preventive Action and Management Review- Planning the development of the security system and implementing a full review of the system by management.
Management Procedure for Training and Competence –Description of how staff are trained and make themselves familiar with the management system and competent with security issues.
Information Systems Continuous Improvement plan
Data Protection Registration
Requirements for Specific Roles
IT Network Managers Security Procedures – Security procedures specific to the Network Management Role
Backup Procedures – Procedures for backing up information and records
Assets and Services – List of all IT and Information Assets
Induction Checklist Evidence that new joiners are made aware of information security system practices and requirements.
PR process – Process to ensure press releases etc. are suitable approved prior to release.
Phew! Yes, it really is that involved. I think that this is outside the scope of most ISO DIY-ers with their ISO 27001 PDF Download Checklist . We’ve even left some things out of this.
However, this is simply a “to-do list”. A “how to do” approach is what is really needed.
All ISO standards should be bespoke to the business. Otherwise, they don’t “fit” it’s aims, activities, and culture. And, if they don’t fit, they don’t work. Hence why you need an ISO consultant to help.
Successful approval to ISO 27001 and it’s is way more than what you’d find in an ISO 27001 PDF Download Checklist. If you think we could help, please drop us a line!.