What is Required under Clause 7.5 of ISO 27001:2013?
Anyone familiar with operating to a recognised international ISO/IEC management system standard will know the importance of documentation. One of the main requirements of ISO 27001 is therefore to describe your information security management system (ISMS) and then to demonstrate how its intended outcomes are achieved for the organisation. If the organisation wants an independent ISO 27001 certification (issued by a certification body that is itself accredited by a national accreditation body such as UKAS in the UK), everything relating to the ISMS needs to be documented, well maintained and easy to find. Certification auditors take great confidence from good housekeeping and a well structured ISMS. ISO 27001 clause 7.5 is broken down as follows:
Clause 7.5.1 – General documentation for ISO 27001
The ISMS needs to clearly include:
- A description of how it addresses clauses 4.1 to 10.2 of the core requirements, including the risk assessment and risk treatment that lead to the selection of Annex A controls.
- The Annex A controls covered by the statement of applicability, which in practice means every Annex A control is listed with a justification for its inclusion or exclusion. Even where an organisation decides that a control is not relevant it should document that decision: for example, a purely digital business with no delivery and loading areas (Annex A 11.1.6) still needs to show the auditor that it has considered the control and concluded there is no risk requiring it.
Clause 7.5.2 – Creating and updating documented information for ISO 27001
Clause 7.5.2 asks for clarity in documentation: appropriate identification and description (e.g. title, date, author, reference number), appropriate format and media, and review and approval for suitability and adequacy. It is easy to miss the nuances of these requirements, but practically it means each piece of documented information carries an author, date, title and reference, and that there is a recorded approval step. That approval process also dovetails with Annex A 5.1.1 (approval and publication of policies) and the regular review in Annex A 5.1.2, both described below.
Clause 7.5.3 – Control of documented information for ISO 27001
At the heart of the ISMS is the confidentiality, integrity and availability of information. The same applies to the ISMS documentation itself: it needs to be available when and where required, and adequately protected from loss of confidentiality, improper use and loss of integrity.
Simply dumping the ISMS contents on the team shared drive, uncontrolled or with ineffective access permissions, would almost certainly lead to problems in an audit. Equally, leaving it on a personal drive where those who need to know about the ISMS cannot reach it would be a problem, so effective control needs consideration in several areas. The standard expects an organisation to address the following:
- distribution, access, retrieval and use: who can see some or all of the ISMS, bearing in mind that permissions for reading, updating, approving and deleting may need to differ by stakeholder role
- storage and preservation, including control of changes (version control, retaining older versions and historical approvals)
- retention and disposition (how long documented information is kept and how it is disposed of)
This requirement also aligns with the regular review of policies in Annex A 5.1.2, touched on below.
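The points above (author, date and approval metadata in 7.5.2; role-based access, version history and retention in 7.5.3; and the periodic policy review in Annex A 5.1.2) can be checked mechanically whenever the ISMS keeps a document register. The following Python script is an added example written for this page; it is not code from the page or from ISMS.online. The register layout, the role names, the one-year review period and the rule that a version must not be approved by its own author are assumptions for illustration, and the register entries are constructed sample data.

```python
"""Audit a small ISMS document register against clause 7.5 points.

Added example for this page, not ISMS.online code. Register layout, role
names, the review period and the separation of author from approver are
assumptions for illustration; REGISTER holds constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# 7.5.3: access permissions differ by stakeholder role (assumed role names).
ROLE_PERMISSIONS: Dict[str, set] = {
    "reader":   {"read"},
    "author":   {"read", "update"},
    "approver": {"read", "update", "approve"},
    "ismso":    {"read", "update", "approve", "delete"},
}

# A.5.1.2: planned review interval; one year is the common auditor expectation.
REVIEW_PERIOD = timedelta(days=365)


@dataclass
class Version:
    number: int
    author: str
    changed_on: date
    approved_by: Optional[str] = None  # None means not yet approved


@dataclass
class Document:
    ref: str
    title: str
    fmt: str                        # 7.5.2: format and media, e.g. "html"
    versions: List[Version]         # 7.5.3: full history kept, oldest first
    last_reviewed: Optional[date]
    retention_years: Optional[int]  # 7.5.3: None = retention not yet decided


def can(role: str, action: str) -> bool:
    """Role-based check used before any read/update/approve/delete."""
    return action in ROLE_PERMISSIONS.get(role, set())


def metadata_findings(doc: Document) -> List[str]:
    """7.5.2: identification, description, format, approval of latest version."""
    findings = []
    if not doc.ref:
        findings.append("no reference")
    if not doc.title:
        findings.append("no title")
    if not doc.fmt:
        findings.append("no format recorded")
    if not doc.versions:
        findings.append("no version history")
        return findings
    latest = doc.versions[-1]
    if not latest.author:
        findings.append(f"v{latest.number} has no author")
    if latest.approved_by is None:
        findings.append(f"v{latest.number} not approved")
    elif latest.approved_by == latest.author:
        # Assumed rule: approval must come from someone other than the author.
        findings.append(f"v{latest.number} self-approved")
    return findings


def review_overdue(doc: Document, today: date) -> bool:
    """A.5.1.2: never reviewed, or last review older than REVIEW_PERIOD."""
    return doc.last_reviewed is None or today - doc.last_reviewed > REVIEW_PERIOD


def audit(register: List[Document], today: date) -> Dict[str, List[str]]:
    """Return {reference: [findings]} for every document with a problem."""
    report: Dict[str, List[str]] = {}
    for doc in register:
        findings = metadata_findings(doc)
        if review_overdue(doc, today):
            findings.append("review overdue")
        if doc.retention_years is None:
            findings.append("retention/disposition not decided")
        if findings:
            report[doc.ref] = findings
    return report


# Constructed sample register: one clean entry and two with problems.
REGISTER = [
    Document("POL-001", "Information Security Policy", "html",
             [Version(1, "alice", date(2022, 3, 1), approved_by="carol"),
              Version(2, "alice", date(2023, 2, 10), approved_by="carol")],
             last_reviewed=date(2023, 2, 10), retention_years=7),
    Document("POL-009", "Acceptable Use Policy", "docx",
             [Version(1, "bob", date(2022, 6, 5), approved_by="carol"),
              Version(2, "bob", date(2023, 5, 20))],          # awaiting approval
             last_reviewed=date(2023, 5, 20), retention_years=7),
    Document("PRC-014", "Secure Disposal Procedure", "md",
             [Version(1, "bob", date(2021, 9, 9), approved_by="bob")],
             last_reviewed=date(2021, 9, 9), retention_years=None),
]
TODAY = date(2023, 9, 1)  # fixed date so the sample output is reproducible

if __name__ == "__main__":
    for ref, findings in audit(REGISTER, TODAY).items():
        print(f"{ref}: {'; '.join(findings)}")
```

Run as a script it lists POL-009 (latest version awaiting approval) and PRC-014 (self-approved, review overdue, no retention decision) and stays silent about POL-001. The `can()` check is what a document store would call before allowing a reader to approve or an author to delete; keeping the whole version list rather than only the current text is what lets an auditor see historical approvals.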
How much has to be written for documentation of the information security management system to be considered acceptable by an auditor?
One question often asked about ISMS documentation is 'how much is enough?'. The short answer is that it is about quality, not quantity. Provided the organisation meets the requirements summarised above and can show why lengthy documentation is unnecessary (for example because it is a small organisation with few people involved in the ISMS, which is stable, clear, well maintained and simple to operate), the auditor will take that into account.
Is documentation for the information security management system ‘word style documents’ or are other forms of content allowed?
What sort of documentation is expected is another of the frequently asked questions about clause 7.5. The standard is deliberately medium-neutral: 'documented information' is defined in ISO/IEC 27000 as information required to be controlled and maintained by the organisation together with the medium on which it is contained, in any format, and the note to clause 7.5.1 of ISO 27001 states:
“The extent of documented information for an information security management system can differ from one organization to another due to:
- 1) the size of organization and its type of activities, processes, products and services;
- 2) the complexity of processes and their interactions; and
- 3) the competence of persons.”
A number of ISO 27001 documentation 'toolkit' providers have perpetuated the myth that documented information for an ISMS must consist of Word documents and Excel spreadsheets. Such documents can have a place in an ISMS (e.g. where diagrams or complex processes need to be communicated), but should be used sparingly given the availability of better online tools.
Online services like ISMS.online support documents in the traditional manner and also offer more effective ways of managing documentation that show better control and coordination, better ways of sharing and publishing to audiences, and make the whole process of meeting the clause 7.5 requirements above much easier. It also means the old days of wasting time on document front pages listing every version change, with approvals chased by email, are long gone!
When you consider that the clause 7.5 requirements also dovetail with the control objectives in Annex A, it makes even more sense to think about a joined up, well coordinated management system instead of old fashioned documents and shared drives for storage. Examples of where to join up clause 7.5 with the Annex A controls include:
- Annex A 5.1.1 – In addition to being defined, information security policies need to be approved by management, published and communicated to employees and relevant external parties. Approval is not easy to demonstrate for standalone documents, and heavyweight documents are unlikely to be read or understood by stakeholders even if they have been communicated, leaving the organisation exposed to non-compliance and to losses caused by staff who do not know the policy.
- Annex A 5.1.2 – Review of the policies for information security. Policies should be reviewed at planned intervals, or when significant changes occur, to ensure their continuing suitability, adequacy and effectiveness. In practice independent auditors expect to see each policy reviewed at least annually.
- Annex A 18.2 – This control objective is about information security reviews and, done well, it integrates neatly with clause 7.5: independent review of the ISMS, checks for compliance with policies and standards and, where appropriate, technical compliance review.
Reviewing, version controlling, updating and then approving old fashioned documents, where they do not need to be documents at all, can really slow down ISMS administrators. It can also delay or lose staff engagement and lead to non-compliance.
How to manage documentation in your information security management system?
Clause 7.5 is easy to misunderstand and flail around with, leading to an audit failure; it is also easy to over-engineer, spending far too long building a management system structure that proves too hard to maintain at the first change. The ISMS.online business case planner looks at the options for build versus buy, so do check that out if you are thinking about creating your own solution.
It is hard to get right and to meet all the requirements of clause 7.5 and the related Annex A controls. That is why many organisations look for a purpose-built ISMS software solution with the characteristics of ISMS.online.
After all, you wouldn’t waste time constructing your own CRM or Finance system when others have already spent time developing the right solution that can be delivered straight out-of-the-box for a fraction of the cost of a DIY solution that is not part of the organisation’s core competences.
ISMS.online provides an easy to follow structure for all the required documentation. It follows exactly the same structure as the standard itself so you and an auditor can easily and quickly navigate to the required documentation. It has built in roles and permissions for accessing, editing, approving and sharing. There is also automatic version control and reminders for reviews. We’ve even gone one step further and included policy and control documentation that you can adopt, adapt and add to, straight-out-of-box.
Using the ISMS.online software solution will allow you to focus on your ISMS goals. ISMS.online makes light work of the administration, so you can easily create, control, coordinate, manage and share your documentation with stakeholders, including through Policy Packs, which heightens end to end confidence in compliance. It also gives you the tools to perform the many work processes required by the standard. That is why we say the documents we provide are 'actionable': they are more than simple document templates that leave you to interpret them and find a way of demonstrating your processes. ISMS.online is a whole ISMS solution in one place.