The mandatory ISMS documents

Documents required by ISO/IEC 27001 | Interpretation

4.3 Documentation requirements

4.3.1 General

Required by ISO/IEC 27001: Documentation shall include records of management decisions …
Interpretation: Records of key management decisions regarding the ISMS, e.g. minutes of management meetings, investment decisions, mandating of policies, reports etc. [not individually specified in the standard apart from the following specific items …]

Required by ISO/IEC 27001: The ISMS documentation shall include:
a) Documented statements of the ISMS policy (see 4.2.1.b) and objectives;
Interpretation: Information security policy set matching the characteristics of the business, the organization, its location, [information] assets and technology, being a "superset of" (i.e. including) both of the following:
- An ISMS policy defining the objective-setting management framework for the ISMS, giving it an overall sense of direction/purpose and defining key principles. The ISMS policy must:
  - take account of information security compliance obligations defined in laws, regulations and contracts;
  - align with the organization's strategic approach to risk management in general;
  - establish information security risk evaluation criteria (the "risk appetite"); and
  - be approved by management.
- Information security policy or policies specifying particular information security control objectives or requirements in one or more documents [these should also be approved by management to have full effect].

Required by ISO/IEC 27001: b) The scope of the ISMS (see 4.2.1.a))
Interpretation: ISMS scope defining the boundaries of the ISMS in relation to the characteristics of the business, the organization, its location, [information] assets and technology. Any exclusion from the ISMS scope must be explicitly justified.

Required by ISO/IEC 27001: c) Procedures and controls in support of the ISMS
Interpretation: Information security procedures, i.e. written descriptions of information security processes and activities, e.g. procedures for user ID provisioning and password changes, security testing of application systems, information security incident management response etc.
Controls documentation, e.g. technical security standards, security architectures/designs etc., probably referencing ISO/IEC 27002 (details vary between ISMSs).

Required by ISO/IEC 27001: d) A description of the risk assessment methodology (see 4.2.1.c))
Interpretation: Risk assessment methods, i.e. policies, procedures and/or standards describing how information security risks are assessed, probably referencing ISO/IEC TR 13335-3 and/or ISO/IEC 27005.

Required by ISO/IEC 27001: e) The risk assessment report (see 4.2.1.c) to 4.2.1.g))
Interpretation: Risk assessment reports documenting the results/outcomes/recommendations of information security risk assessments using the methods noted above. For identified risks to information assets, possible treatments are applying appropriate controls; knowing and objectively accepting the risks (if they fall within the risk appetite); avoiding them; or transferring them to third parties. The reference to 4.2.1 c) to g) implies that information security control objectives and controls should be identified in these reports.

Required by ISO/IEC 27001: f) The risk treatment plan (see 4.2.2.b)
Interpretation: Risk treatment plan, i.e. a [project?] plan describing how the identified information security control objectives are to be satisfied, with notes on funding plus roles and responsibilities.

Required by ISO/IEC 27001: g) Documented procedures needed by the organization to ensure the effective planning, operation and control of its information security process and describe how to measure effectiveness of controls (see 4.2.3.c)
Interpretation: ISMS operating procedures, i.e. written descriptions of the management processes and activities necessary to operate and control the ISMS, e.g. the policy review and approvals process and the continuous ISMS improvement process.
Information security metrics describing how the effectiveness of the ISMS as a whole, plus key information security controls where relevant, is measured, analyzed, presented to management and ultimately used to drive ISMS improvements.

Required by ISO/IEC 27001: h) Records required by this International Standard (see 4.3.3)
Interpretation: See 4.3.3 below. "Records" means information security paperwork such as user ID authorizations, and electronic documents such as system security logs, that are used routinely while operating the ISMS and should be retained and made available for the certification auditors to sample and check. Collectively, these prove that the ISMS has been properly designed, mandated by management and put into effect by the organization.

Required by ISO/IEC 27001: i) The Statement of Applicability
Interpretation: Statement of Applicability stating the information security control objectives and controls that are relevant and applicable to the ISMS, generally a consolidated summary of the results of the risk assessments, cross-referenced to the control objectives from ISO/IEC 27002 that are in scope.

4.3.2 Control of documents

Required by ISO/IEC 27001: Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions …
Interpretation: Document control procedure explaining how ISMS documents are approved for use, reviewed/updated/re-approved as necessary, version managed, disseminated as necessary, marked etc. (see 4.3.2 for the full list). If the organization already has a Quality Management System conforming to ISO 9000, the QMS document control procedure (or the equivalent from another management system) may be applied to the ISMS.

4.3.3 Control of records

Required by ISO/IEC 27001: … The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented.
Interpretation: Records control procedure explaining how records proving conformity to ISMS requirements and the effective operation of the ISMS (as described elsewhere in the standard) are protected against unauthorized changes or destruction. Again, this procedure may be copied from the QMS or other management systems.

5 Management responsibility

Required by ISO/IEC 27001: 5.2.2 d) The organization shall maintain records of education, training, skills, experience and qualifications (see 4.3.3) … The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives
Interpretation: Security awareness, training and education records documenting the involvement of all personnel having ISMS responsibilities in appropriate activities (e.g. security awareness programs and security training courses such as new employee security induction/orientation classes).
Various other clauses in section 5 mandate management support for information security awareness activities in general; therefore, while not directly stated, the requirement for information security awareness materials, training evaluation/feedback reports etc. may be inferred from this section.

6 Internal ISMS audits

Required by ISO/IEC 27001: The organization shall conduct internal ISMS audits at planned intervals … The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.3.3) shall be defined in a documented procedure.
Interpretation: Internal ISMS audit plans and procedures stating the auditors' responsibilities in relation to auditing the ISMS, and the audit criteria, scope, frequency and methods.
While not stated directly, further comments in section 6 regarding the need for actions arising from audits to be taken without undue delay could be taken to imply that ISMS audit reports, agreed action plans and follow-up/verification/closure reports should be retained and made available to the certification auditors on request.

7 Management review of the ISMS

Required by ISO/IEC 27001: 7.1 Management shall review the organization's ISMS at planned intervals (at least once a year) to ensure its continued suitability, adequacy and effectiveness … 7.3 The output from the management review shall include any decisions and actions relating to …
Interpretation: This implies the need to retain records (such as management review plans and reports) proving that management does in fact review the ISMS at least once a year.

8.2 Corrective action

Required by ISO/IEC 27001: … The documented procedure for corrective action shall define …
Interpretation: Corrective action procedure documenting the way in which existing nonconformities are identified, root causes are analyzed and evaluated, suitable corrective actions are carried out and the results thereof are reviewed.

8.3 Preventive action

Required by ISO/IEC 27001: … The documented procedure for preventive action shall define …
Interpretation: Preventive action procedure, similar to the corrective action procedure but focusing more on preventing the occurrence of nonconformities in the first place, with such activities being prioritized on the basis of the assessed risk of such nonconformities.