Documented Information for ISO 27001 Requirement 7.5
What is Required under Section 7.5 of ISO 27001:2013?
The requirement under this section covers documented information.
One of the main overarching requirements for ISO 27001 is to be able to describe your understanding of information security and then to demonstrate how you achieve it in your organisation. This is why it is incredibly important that everything is documented and maintained in your information security management system.
ISO 27001 Section 7.5 is broken down as follows:
Section 7.5.1 – General
The contents of any information security management system should include the documents required by the International Organization for Standardization (ISO), as well as any documentation that is essential for the organisation itself. The extent of the documentation will vary depending on the size of the organisation and its complexity.
Section 7.5.2 – Creating and updating
This is where your information security management system should shine. You should be able to demonstrate a clear and robust audit trail. Whenever a document is added to or updated in the ISMS, certain details should be recorded:
- Document title, date, author, reference number
- File format and media types
- Review and approval processes to ensure suitability and adequacy
Section 7.5.3 – Control of Documented Information
This section discusses the importance of the Confidentiality, Integrity, and Availability (CIA) of your documented ISMS. The information security management system should aim to ensure that the documents held within it are:
- available when needed;
- protected from deletion, unauthorised change, or improper use.
The documents should be controlled by managing their distribution and access, preserving them, retaining and disposing of them appropriately, and applying version control to any changes made.
How to manage documentation in your information security management system?
Your documentation needs to:
- address the ISO 27001 requirements and cover the Annex A controls as identified through the risk assessment process
- be structured for easy and fast retrieval by authorised parties
- be protected against loss of confidentiality, integrity or availability
- demonstrate a clear approval and review process
- be version controlled with an audit trail and retention of previous versions
It is easy for an organisation to fail its ISO 27001 certification on this point alone. Even if it has purchased an off-the-shelf document toolkit, it must still store, manage and review the documentation, and on top of that ensure the contents are fit for purpose and describe processes that the organisation can demonstrate are being followed.
Building structured online folders with the required permissions, access and update protocols and audit trails can also be extremely time-consuming and unnecessarily complex.
It’s why many organisations look for a purpose-built ISMS software solution. After all, you wouldn’t waste time constructing your own CRM or Finance system when experts have already spent time developing the right solution that can be delivered straight out-of-the-box.
In ISMS.online we not only provide a structure for all the required documentation, we have also built in roles and permissions for accessing, editing, approving and sharing. It follows exactly the same structure as the standard itself so you and your auditor can easily and quickly navigate to the required documentation. There is also automatic version control and reminders for reviews. We’ve even gone one step further and included policy and control documentation that you can adopt, adapt and add to, straight-out-of-box.
Using the ISMS.online software solution will not only help you manage your documentation but will also give you all the tools to perform the many work processes required by the standard. It’s why we say that the documents we provide are ‘actionable’. They are more than simple document templates that leave you to interpret and find a way of demonstrating your processes; ISMS.online is a total ISMS solution.
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance