With the new revision of ISO/IEC 27001 published only a couple of days ago, many people are wondering what documents are mandatory in this new 2013 revision. Are there more or fewer documents required?
So here is the list – below you will see not only mandatory documents, but also the most commonly used documents for ISO 27001 implementation.
Mandatory documents and records required by ISO 27001:2013
Here are the documents you need to produce if you want to be compliant with ISO 27001: (Please note that documents from Annex A are mandatory only if there are risks which would require their implementation.)
* Scope of the ISMS (clause 4.3)
* Information security policy and objectives (clauses 5.2 and 6.2)
* Risk assessment and risk treatment methodology (clause 6.1.2)
* Statement of Applicability (clause 6.1.3 d)
* Risk treatment plan (clauses 6.1.3 e and 6.2)
* Risk assessment report (clause 8.2)
* Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
* Inventory of assets (clause A.8.1.1)
* Acceptable use of assets (clause A.8.1.3)
* Access control policy (clause A.9.1.1)
* Operating procedures for IT management (clause A.12.1.1)
* Secure system engineering principles (clause A.14.2.5)
* Supplier security policy (clause A.15.1.1)
* Incident management procedure (clause A.16.1.5)
* Business continuity procedures (clause A.17.1.2)
* Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And here are the mandatory records:
Records of training, skills, experience and qualifications (clause 7.2)
* Monitoring and measurement results (clause 9.1)
* Internal audit program (clause 9.2)
* Results of internal audits (clause 9.2)
* Results of the management review (clause 9.3)
* Results of corrective actions (clause 10.1)
* Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
To find the Non-mandatory documents and more information, visit ISO 27001 2013 revisions
**Click here to download a white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision) with more detailed information on the most common ways for structuring and implementing mandatory documents and records.**
Expert in information security management (ISO 27001 standard) and business continuity management (ISO 22301/BS 25999-2 standard)
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.