Systematically checking through ISO/IEC 27001:2013 for all the documentation requirements is an interesting exercise. Some documents are identified explicitly in the standard and are clearly mandatory, while many others are only noted in passing, often in ambiguous terms or merely alluded-to ... which can make it tricky to both comply with the standard and persuade the certification auditors of that.
Here's an example, one of the document templates from SecAware ISMS Launchpad:
That succinct one-pager addresses two requirements from the standard:
- Clause 9.2 (c) says (in part) "The organisation shall plan, establish, implement and maintain an audit programme(s)" - an explicit documentation requirement that the certification auditors will definitely check for compliance;
- Clause 9.3 says (in part) "Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness." - an implicit documentation requirement that the certification auditors will probably check for compliance: although the standard doesn't literally demand it, they may well insist on seeing written evidence that management reviews have been planned.
Those clauses lay out fairly succinctly what it means to internally audit the ISMS or to conduct a management review of it. I have interpreted the requirements in terms of activities that might be performed quarterly over two years as shown on the schedule, with brief descriptions of the approaches to be taken ... but, as with all the SecAware materials, they are merely generic suggestions that customers are encouraged to adapt.
Large, mature organisations with Internal Audit functions, for instance, may well engage them to plan and perform the ISMS internal audits using their conventional audit approach and whatever associated documentation they normally produce. They may prefer to audit the ISMS just once during the three-year certification cycle, or conversely they may want to focus on a series of specific areas of risk and concern over successive audits, perhaps integrating the ISMS audit work with other IT, risk, cybersecurity or compliance audits.
Small organisations may feel that the absolute minimum of audits and reviews will suffice for them, since they are short of resources and are already tackling all the significant issues anyway - but determining 'the absolute minimum' involves interpreting the wording of the standard very carefully, and then hoping the certification auditors accept whatever they do.
Yesterday I completed a supplementary document template with the scopes and objectives of those audits and reviews. Today I'm developing a fill-in-the-blanks reporting template to be used for both audits and reviews: again, these are simple, generic documents, designed to be customised. Based on my experience in this area, we provide 'typical' generic templates in the hope of inspiring customers to develop whatever they need.
Imagine yourself implementing clauses 9.2 and 9.3 of the standard in your organisation. Faced with those requirements, would you know what to do - how to go about the audits and reviews? Or would you be scratching your head, staring blankly at the screen wondering where on Earth to start? We can help with that!
Find out more about the first two packs of SecAware ISMS templates, and keep an eye on this blog for news of the third one, currently in preparation.