Working within Activity areas

Activity areas allow you to document your approach to part of the standard

ISO is very big on documented records, policies and ‘showing your working’ to demonstrate you are in control of your information security. You also need to show that you are following certain practices, regularly reviewing policies and continuously improving. That doesn’t mean you need to develop bureaucratic Word documents or have policies that prevent you from getting your work done. makes the management of your management system a breeze!

You can allocate Activity owners and timelines to drive your implementation.

Policies, controls, procedures and related records documentation can be captured in Notes, Documents, To-Dos and Discussions – at whatever level makes sense for your organisation. The Activity area keeps everything in one place and provides rich detail of your actions and decision making to show you are in control.

We recommend you choose the right tool for the communication job – for example:

  • Notes – ideal for documenting your policies and procedures, and recording evidence of whether something has been considered but not required (ISO needs to know you have considered all areas of Annex A controls in ISO 27001)
  • Documents – some policies might be longer than basic Notes or may need diagrams or pictures alongside them. Other uploaded documents can help demonstrate your working or evidence your compliance, e.g. a photo of a process mapped out on a flip-chart
  • Discussions – By holding a discussion in with colleagues you retain that knowledge in one place and demonstrate your decision making or logic around a requirement to an auditor
  • To-Dos – set simple tasks for yourself and other team members, perhaps to break down work even further or address specific issues in a more structured fashion

At the top of the project area, the tabs show all the Notes, Documents, To-Dos or Discussions from within each policy Activity area in their aggregated format. Each item also has a link back to its parent Activity where relevant.

You can edit and amend Notes, upload and version documents, add and edit tasks, etc. for as long as your Activity is open and you are working on it. Once you are finished, we recommend you submit it for approval and show the auditor it has had independent/peer review.