ISO 27001/BS 25999 documents, presentation decks and implementation guidelines
Mandatory documented procedures required by ISO 27001

By Dejan Kosutic on May 04, 2010

If you have heard that ISO 27001 requires many procedures, this is not quite true. The standard actually requires only four documented procedures: a procedure for the control of documents, a procedure for internal ISMS audits, a procedure for corrective action, and a procedure for preventive action. The term “documented” means that “the procedure is established, documented, implemented and maintained” (ISO/IEC 27001, 4.3.1 Note 1).

Note: in this blog post I will not write about other mandatory documents like ISMS Scope, ISMS Policy, Risk Assessment Methodology, Risk Assessment Report, Statement of Applicability, Risk Treatment Plan, etc. – here I focus on procedures only.

The procedure for the control of documents (document management procedure) should define who is responsible for approving documents and for reviewing them, how to identify the changes and revision status, how to distribute the documents, etc. In other words, this procedure should define how the organization’s bloodstream (the flow of documents) will function.

The procedure for internal audits must define responsibilities for planning and conducting audits, how audit results are reported, and how the records are maintained. This means that the main rules for conducting the audit must be set.

The procedure for corrective action should define how the nonconformity and its cause are identified, how the necessary actions are defined and implemented, what records are taken, and how the review of the actions is performed. The purpose of this procedure is to define how each corrective action should eliminate the cause of the nonconformity so that it wouldn’t occur again.

The procedure for preventive action is almost the same as the procedure for corrective action, the difference being that it aims at eliminating the cause of the nonconformity so that it wouldn’t occur in the first place. Because of their similarities, these two procedures are usually merged in one.

But why is it that ISO 27001 requires documented procedures that are not related to information security, while security procedures are not mandatory?

The answer lies in risk assessment. ISO 27001 does require you to perform a risk assessment, and when that risk assessment identifies unacceptable risks, ISO 27001 requires controls from its Annex A to be implemented to decrease those risks. A control can be technical (for instance, anti-virus software to decrease the risk of malicious software attack), but it can also be organizational, meaning a policy or a procedure (for instance, a back-up procedure). Therefore, such procedures become mandatory only if the risk assessment identifies unacceptable risks that they are selected to treat.

One important note, though: as opposed to the four mandatory procedures, which must be documented, the procedures arising from controls in Annex A do not have to be documented. It is up to the organization to decide whether such a procedure is to be documented or not.

You could consider the four mandatory procedures as the pillars of your management system (together with the security policy): once they are firmly set in the ground, you can start building the walls of your house. This becomes obvious when you look at other management systems, where the same four procedures are mandatory too: ISO 9001 (quality management systems), ISO 14001 (environmental management systems), and BS 25999-2 (business continuity management systems). As a consequence, you can use these procedures as the main link between different management systems if you want to develop a so-called “integrated management system”.



  • Dave Parker

    In 4.3.3 of ISO/IEC 27001:2005 it says that the “controls needed . . of records shall be documented and implemented.”

    This implies the need for a fifth documented procedure.

  • Dejan Kosutic

    It is true that ISO 27001 says that control of records must be documented, but it doesn’t require a separate documented procedure for it. Usually, in ISO 27001 records management is documented through other documents like the Document management procedure, or through procedures describing other processes.

    This is where ISO 27001 is different from ISO 9001 – ISO 9001 requires that a separate Records management procedure must exist.

  • Elder Guerra

    Hi, I’m a technologist, specialized in business strategy. I’m new to ISMS but have several years implementing ISO 9K and Balanced Scorecards, and I have joined the two procedures of documents control and registers, maybe because I’m a systems engineer and have know-how of ISO 9K. I’m feeling comfortable with ISO 27K; your blogs are helping me a lot, Dejan, we have to raise up Latin America, you are being so helpful. I have clients that have implemented the management review as another process (on ISO 9K) and for order it helped, is that OK on ISO 27K too?? Regards from a colleague at Guatemala, Central América.

  • Dejan Kosutic

    Hi Elder,

    Thank you for your compliments – I’m really glad that you find my blog useful.

    If I understood well, you are asking me if you can use your ISO 9001 Management Review for ISO 27001 also – the answer is yes, but you have to amend the timetable with requirements from ISO 27001.

    This approach will work for smaller organizations because the structure of Management Review described in those two standards is rather similar. However, for larger organizations it may be more practical to do these reviews separately, because the issues for quality and information security in a big company will be quite different.

  • Elder Guerra

    OK, thanks Dejan, clear with that, it will help because we’re implementing ISO 27K in a company of 50 employees that already has the ISO 9K certification. One more: as I read in your blog, I understand that Management Review is not a mandatory procedure, because it is not part of the four procedures that you list, am I right?? Of course the results from audits, corrective actions, etc. are an input. For me, in ISO 9K it helped a lot to document the management review as a procedure, but how about for ISO 27K??

  • Dejan Kosutic

    Neither ISO 9001 nor ISO 27001 requires a documented procedure for Management Review – however, if you consider such a procedure to be helpful, you can write it for any of these standards.

    What both ISO 9001 and ISO 27001 explicitly do require is to have a record from Management Review.

    Maybe this blog post can help you: Using ISO 9001 for implementing ISO 27001 http://blog.iso27001standard.com/2010/03/08/using-iso-9001-for-implementing-iso-27001/

  • Clinton

    Hi Dejan,

    I am a small company (2 staff). I am thinking of going for certification. I am ISO27K certified but have never taken a company through the certification process (I assisted with minor internal policies when I was with another company). I am hoping to do so myself and use my company as a guinea pig. I was wondering how long you think this would take to get all the documentation in place in an organised manner for the certification body.

    I noticed you mentioned four key procedures in the article above. For such a small company, what other core documentation would you suggest I need?

    Many thanks

    Clinton

  • Dejan Kosutic

    Hi Clinton,

    For a very small company (2 employees) ISO 27001 implementation might take somewhere between 2 and 4 months – if you want to do it right.

    Besides the 4 mandatory procedures, every organization that wants to get certified against ISO 27001 must have these documents at minimum: ISMS Scope, ISMS Policy, Risk Assessment Methodology, Risk Assessment Report, Statement of Applicability and Risk Treatment Plan.

    However, depending on which controls you have selected as applicable in the Statement of Applicability, you will also need to document some of the controls – for instance, the Access control policy (A.11.1.1) must be documented if selected as applicable. Therefore, after you write your Statement of Applicability, search for the term “documented” in ISO 27001 Annex A.

  • Arif

    Hi,
    Just going through your tips and they’re really helpful. I am just in the process of implementing ISMS, I would like to know if a GAP report is a must before ISMS implementation or the SOA is enough?

    During the ISMS quarterly review do I have to submit a report as ISMS manager to the ISC?

  • Dejan Kosutic

    Hi Arif,

    A Gap report is not required by ISO 27001, so the Statement of Applicability is enough.

    I’m not sure what you meant by ISC?

  • Arif

    Thanks a lot for your reply.
    We are now implementing ISMS and we plan to review it quarterly, so as ISMS implementor and manager do I have to generate a report at the end of every review and submit it to management (ISC is the information security committee)?

    Does the ISMS team have to review it, or shall we ask each operation team to review their own assets and procedures by themselves?

    Sorry for bothering you so much.

  • Dejan Kosutic

    Hi Arif,

    No bother at all!

    ISO 27001 does not require a formal report to be sent to the security committee; you can also do it in some informal way. However, the certification auditor will ask you for evidence that such a committee did receive all the important information, so it is recommended to put such information in writing (it could also be in the form of an email).

    Each level of management needs to review the assets/information security processes for which they are responsible – therefore, the operation teams need to do it (on the basic level – clause 4.2.3 b), and the ISMS team needs to do it (on the mid-level – control A.6.1.2). However, the top management too needs to do the review on the high level (through Management Review – clause 7).

    Therefore, everyone needs to consider whether his or her activities regarding information security are OK – like for any other field of management.

  • Arif

    Thanks for the detailed clarification and valuable information.