MINIMUM DOCUMENTED INFORMATION FOR ISO 27001:2013
An Overview of ISO 27001:2013
ISO 27001 is an international standard that specifies the requirements to establish, implement, maintain, and continually improve an Information Security Management System (ISMS). The Information Security Management System preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
What is Documented Information?
“Documented information” is defined as the information required to be controlled and maintained by an organization and the medium on which it is contained. Examples of documented information include a record, specification, procedure, drawing, report, or standard.
The term “document” is defined as information created in order for the organization to operate, e.g. procedures, instructions, specifications, guidelines, and criteria. The term “record” is defined as a document that provides evidence of results achieved or activities performed, e.g. evidence of training, operational control, corrective action, internal audit, and management review activities. A set of documented information, for example specifications and records, is frequently called “documentation”.
ISO 27001:2013 uses the standardized term “documented information” to refer to both documents and records. It uses the term “retain documented information” to describe a record (e.g. retain the results of corrective actions) and “maintain documented information” to describe a document (e.g. maintain the scope of the Information Security Management System). A document is live information that needs to be updated as required, while a record is a history of an event, activity, or action.
Clause 7.5 of ISO 27001:2013 describes the requirements of the documented information. Documented information can be in any format and media and from any source. The medium can be paper, magnetic, electronic or optical computer disc, photograph or master sample, or combination thereof.
What is the minimum documented information required by ISO 27001:2013?
Every organization has to produce the minimum documented information required by the ISO 27001 standard to demonstrate conformance to its requirements. Not all of the minimum documented information requirements listed below may apply to every organization, depending on its operations and activities; those that do not apply shall be listed as exclusions in the scope statement of the Information Security Management System (ISMS).
How to determine the requirement for ISO 27001 Documentation?
Clause 7.5 of ISO 27001 describes the requirements for documented information. To demonstrate conformance to the requirements of ISO 27001, an organization may need to produce more documents and records than the minimum required by the standard, because according to Clause 7.5 the organization’s Information Security Management System (ISMS) shall include:
- documented information required by ISO 27001 (as listed above)
- documented information determined by the organization as being necessary for the effectiveness of the Information Security Management System (ISMS), e.g. policies, procedures, instructions, guidelines, and relevant records other than the minimum required. For an effective ISMS, it is quite common for organizations to establish procedures for hazard identification, risk assessment, compliance obligations, corrective actions, control of documented information, and operational control.
The extent of documented information for ISO 27001 may differ from one organization to another due to:
- the size of the organization and its type of activities, processes, products, and services
- the complexity of processes and their interactions
- the competence of persons
The rule of thumb is for an organization to use a risk-based approach to determine what documented information it needs beyond the minimum, e.g. an organization may decide that a lack of documented procedures and work instructions poses a risk to information security. Organizations also establish procedures and other documented information to implement controls as a result of a risk assessment or to address a nonconformity.
G-Certi provides ISO registration/certification services in Canada and 50 other countries for a number of ISO standards, including but not limited to ISO 9001, ISO 14001, ISO 27001, and ISO 22301. The auditors of G-Certi ensure that your organization is conforming to the requirements of ISO 27001. Please feel free to visit gcerti.ca and contact one of our representatives for a complimentary pre-assessment to ensure that your organization is ready for ISO 27001 registration/certification.