
ISO 27001:2022
Documentation Checklist & Guide

Shelter from the Storm

Documentation is a vital part of implementing ISO 27001:2022.

This guide walks you through the documentation the standard mandates
for certification. It also offers practical advice on creating,
structuring and deploying those documents.

©2022. All rights reserved. Risk Crew is a trading name of Risk Factory Limited, registered in England and Wales. ISOGU22:1222
The Breakdown
ISO 27001:2022 is broken down into two key areas: Clauses 4 to 10, which define the
governance requirements of the management system, and the Annex A controls which, when
implemented, define how you manage risk. Clauses 4 to 10 are mandatory for your Information
Security Management System (ISMS), and you will need the appropriate supporting documents and
records. The Annex A controls are selected through risk treatment rather than applied wholesale:
most will apply, but every control you exclude must be justified in the Statement of
Applicability, and for every control you select you will need the appropriate policies and
evidence that the control is effective.

Information Security Managers need to understand how the standard is structured and how
the clauses and controls are organised. With each clause and subclause, there are a set of
guidelines to be followed to achieve compliance. It is important to be attentive to the
requirements in terms of processes, activities and documents.

This checklist is designed to be used as a benchmarking tool to show how closely your current
suite of documents aligns with ISO 27001. It is also helpful for conducting a gap analysis,
responding to customer security questionnaires, or conducting management reviews of your ISMS.

The Required ISO 27001 Documents

If your company is intending to gain ISO 27001 certification, these are the required processes,
documents, and policies that need to be included or created to deliver a compliant system.

Operational documents to be used by the security team and key risk stakeholders include:

Clause Required Documents

4.3 The Scope of the ISMS

5.2 Information Security Policy

6.1.2 Information Security Risk Assessment Process

6.1.3 Information Security Risk Treatment Process

6.1.3 Statement of Applicability

6.2 Information Security Objectives

7.2 Evidence of Competence

7.5.1 Documented Information Necessary for the Effectiveness of the ISMS

8.1 Documented Information Necessary for the Processes of the ISMS

8.2 Results of the Information Security Risk Assessment

8.3 Results of the Information Security Risk Treatment

9.1 Evidence of the Results of Monitoring and Measurement

9.2 A Documented Internal Audit Process

9.2.2 Evidence of the Audit Programmes and the Audit Results

9.3.3 Evidence of the Results of Management Reviews

10.2 Evidence of the Nature of the Non-Conformities and Any Subsequent Actions Taken

10.2 Evidence of the Results of Any Corrective Actions

The Policies
In addition, the following policy documents should be in place. Each policy applies either to
all staff or to a specific function, e.g. IT, HR or Facilities.

Control Policy

A.5.1 Information Security Policy and Topic-Specific Policies

A.5.9 Inventory of Information and Other Associated Assets

A.5.10 Rules for the Acceptable Use and Procedures for Handling Information and Other Associated Assets

A.5.13 An Appropriate Set of Procedures for Information Labelling

A.5.14 Information Transfer Rules, Procedures or Agreements

A.5.18 Topic-Specific Policy on and Rules for Access Control

A.5.19 Processes and Procedures to Manage the Information Security Risks Associated with the Use of Suppliers' Products or Services

A.5.21 Processes and Procedures to Manage the Information Security Risks Associated with the ICT Products and Services Supply Chain

A.5.23 Processes for Acquisition, Use, Management and Exit from Cloud Services

A.5.24 Information Security Incident Management Processes, Roles and Responsibilities

A.5.28 Procedures for the Identification, Collection, Acquisition and Preservation of Evidence

A.5.31 Legal, Statutory, Regulatory and Contractual Requirements Relevant to Information Security

A.5.32 Procedures to Protect Intellectual Property Rights

A.5.37 Operating Procedures for Information Processing Facilities

A.6.2 Employment Contractual Agreements

A.6.4 Disciplinary Process

A.6.6 Confidentiality or Non-Disclosure Agreements

A.8.3 Topic-Specific Policy on Access Control

A.8.5 Topic-Specific Policy on Access Control

A.8.9 Configurations, Including Security Configurations, of Hardware, Software, Services and Networks

A.8.11 Topic-Specific Policy on Access Control

A.8.13 Topic-Specific Policy on Backup

A.8.15 Logs that Record Activities, Exceptions, Faults and Other Relevant Events

A.8.21 Security Mechanisms, Service Levels and Service Requirements of Network Services

A.8.24 Rules for the Effective Use of Cryptography

A.8.25 Rules for the Secure Development of Software and Systems

A.8.26 Information Security Requirements

A.8.27 Principles for Engineering Secure Systems

A.8.29 Security Testing Processes

Additional policies or supporting procedures may be required depending on the activities of the
organisation. For example, if you are a software developer you would be expected to have a
comprehensive documented Software Development Life Cycle (SDLC) procedure.

Records are another important consideration. The operational procedures and policies will
need to generate a variety of outputs (records) to demonstrate that they are working and
delivering security and business benefits.

Tips for Creating, Structuring and Deploying
The lists above may look like an awful lot of bureaucratic documentation. Risk Crew advises
you to be realistic about the volume of documentation you reasonably need to create, use,
manage and maintain. It is best practice to keep documents and policies to the minimum at the
beginning; you can always add more later as your ISMS matures.

Additional Recommendations

1. Keep policies as simple as possible so that staff can understand and follow them. Each
policy should have a succinct:
• Policy Statement – This should simply state 'what we need to do'
• Policy Objective – This should concisely explain 'why we need to do it'

2. Create an easy-to-navigate document hierarchy. For small/medium organisations, Risk
Crew recommends the following:
• ISMS Manual – Contains all operational processes/requirements
• Risk Assessment Spreadsheet – Contains the Asset Inventory, Risk Assessment,
Risk Treatment Plan and Statement of Applicability
• Acceptable Use Policy – Contains all policies that apply to all staff
• IT Security Policy – Contains all policies applicable to the IT Department
• HR Security Policy – Contains all policies applicable to the HR Department
• Information Security Manager Policy – Contains all policies applicable to the
management of security

3. If you adopt the hierarchy above, all of your mandated policies and procedures are
covered within six documents. Here are more tips to keep in mind:
• Writing Techniques – Policies should be written to align with the culture of
the company. Try to avoid making them too academic or technical. Give
specific company examples to help bring them to life.
• Communication – You now have a fully compliant suite of security
policies, but they are virtually worthless if they are not communicated
to staff.
• Enforcement – You now need to ensure that staff are adhering to the policies.
One method to consider is appointing departmental 'policy champions' whose
role is to monitor and educate staff within their area.

How Risk Crew Can Help


Writing and assembling the required documentation can be a gruelling task but it doesn’t have
to be. Risk Crew consultants can support you with all your ISO 27001 requirements to help
you achieve certification. Risk Crew has been delivering ISO consultancy services for over 30
combined years. Our experts are working practitioners that use their knowledge to accelerate
your compliance with the standard.

ISO 27001 Compliance Services

Four services are available – providing you with flexible options to get ISO 27001 working for
your organisation. You get the exact amount of expertise and assistance you need to help
meet your compliance objectives. Nothing more, nothing less.

Risk Crew also provides Security Penetration Testing, so we can be your partner both in gaining
ISO compliance and in staying compliant.

All services are delivered under our 100% satisfaction guarantee.

ISO 27001 Resources

Whether you are just starting your ISO 27001 compliance project or you are looking to learn
more, you're in the right place! Choose from Risk Crew's complimentary resources and tools.

ISO 27001 Readiness Assessment
Learn what additional steps it would take for your organisation to reach compliance with this online tool.

1-2-1 Complimentary ISO 27001 Discovery Session
Get a mini-gap assessment and advice from an ISO 27001 expert. Schedule a call or online meeting today.

Service Overview Brochure
Find out how Risk Crew can help your organisation achieve compliance. Choose from 4 service options to meet your needs.

Let our experts help you
achieve & accelerate
your ISO 27001 Certification.

Shelter from
the Storm
Contact us for more information

5 Maltings Place
169 Tower Bridge Road
London SE1 3JB
United Kingdom

[email protected]
+44 (0) 20 3653 1234
riskcrew.com
