ISO 27001:2013 Documentation Requirements

At Dionach we often get asked what documentation is required for ISO 27001. Beyond the obvious information security policy, there are quite a few policies and procedures that are required in various sections of the standard. For the most part we find that some requirements are met as part of existing company policies and procedures, for example in the internet and email use policy, employee handbook or larger information security policies. The ISO 27001 gap audits that we will pick up any missing policies. My colleague James took a scientific approach to specific documentation requirements and reviewed ISO 27001:2013 for these specific words: “documented”, “formal”, “policy”, “procedure” and “agreement”, where the word indicated a specific requirement for that section. I’ve collated this information into the following table. There may be some debate on whether anything but “documented” or “formal” strictly requires the information security control to be documented, however “policy”, “procedure” and “agreement” give a strong indication that documentation is a very good idea for an effective ISMS. “Doc” is documented, “For” is formal, “Pol” is policy, “Proc” is procedure and “Agr” is agreement.

Section	Section Heading	Doc. Required
4.3	Scope	Doc
5.2e	Information Security Policy	Doc, Pol
6.1.2, 8.2	Information Security Risk Assessment	Doc
6.1.3, 8.3	Information security risk treatment	Doc
6.2	Information security objectives and planning to achieve them	Doc
7.2	Competence	Doc
7.5	Documented information	Doc
8.1	Operational planning and control	Doc
9.1	Monitoring, measurement, analysis and evaluation	Doc
9.2	Internal audit	Doc
9.3	Management Review	Doc
10.1	Improvement; Nonconformity and corrective action	Doc
A.5.1.1	Information Security Policy	Pol
A.6.2.1	Mobile Device Policy	Pol
A.6.2.2	Teleworking	Pol
A.7.1.2	Terms and conditions of employment	Agr
A.7.2.3	Disciplinary Process	For
A.8.1.3	Acceptable use of assets	Doc
A.8.2.2	Labelling of information	Proc
A.8.2.3	Handling of assets	Proc
A.8.3.1	Management of removable media	Proc
A.8.3.2	Disposal of Media	Proc
A.9.1.1	Access Control Policy	Doc, Pol
A.9.2.1	User Registration and De-registration	For
A.9.2.2	User Access Provisioning	For
A.9.2.4	Management of secret Authentication information of users	For
A.9.4.2	Secure log-on procedures	Proc
A.10.1.1	Policy on the use of cryptographic controls	Pol
A.10.1.2	Key Management	Pol
A.11.2.9	Clear desk and clear screen policy	Pol
A.11.5.1	Working in secure areas	Proc
A.12.1.1	Documented Operating Procedures	Doc, Proc
A.12.3.1	Information Backup	Pol
A.12.5.1	Installation of software on operational systems	Proc
A.13.1.2	Security of network services	Agr
A.13.2.1	Information Transfer Policies and procedures	For, Pol, Proc
A.13.2.2	Agreements on information transfer	Agr
A.13.2.4	Confidentiality or non-disclosure agreements	Doc, Agr
A.14.2.1	Secure Development Policy	Pol
A.14.2.2	System change control procedures	For, Proc
A.14.2.5	Secure System Engineering Principles	Doc
A.15.1.1	Information Security Policy for Supplier Relationships	Doc
A.15.1.2	Addressing security within supplier agreements	Agr
A.15.1.3	Information and communication technology supply chain	Agr
A.15.2.2	Managing changes to supplier services	Pol, Proc
A.16.1.1	Responsibilities and procedures	Proc
A.16.1.5	Response to Information Security Incidents	Doc, Proc
A.16.1.7	Collection of evidence	Proc
A.17.1.2	Implementing information security continuity	Doc, Proc
A.18.1.1	Identification of applicable legislation and contractual requirements	Doc
A.18.1.2	Intellectual property rights	Proc

If you want the statistics, 14 management sections require documentation, as do 39 Annex A sections. If you would like help with aspects/services/ of ISO 27001, please see our ISO 27001 services.