If you heard that ISO 27001 requires many procedures, this is not quite true. The standard actually requires only four documented procedures: a procedure for the control of documents, a procedure for internal ISMS audits, a procedure for corrective action, and a procedure for preventive action. The term “documented” means that “the procedure is established, documented, implemented and maintained” (ISO/IEC 27001, 4.3.1 Note 1).
Note: in this blog post I will not write about other mandatory documents like ISMS Scope, ISMS Policy, Risk Assessment Methodology, Risk Assessment Report, Statement of Applicability, Risk Treatment Plan, etc. – here I focus on procedures only.
The procedure for the control of documents (document management procedure) should define who is responsible for approving documents and for reviewing them, how to identify the changes and revision status, how to distribute the documents, etc. In other words, this procedure should define how the organization’s bloodstream (the flow of documents) will function.
The procedure for internal audits must define responsibilities for planning and conducting audits, how audit results are reported, and how the records are maintained. This means that the main rules for conducting the audit must be set.
The procedure for corrective action should define how the nonconformity and its cause are identified, how the necessary actions are defined and implemented, what records are taken, and how the review of the actions is performed. The purpose of this procedure is to define how each corrective action should eliminate the cause of the nonconformity so that it wouldn’t occur again.
The procedure for preventive action is almost the same as the procedure for corrective action, the difference being that it aims at eliminating the cause of the nonconformity so that it wouldn’t occur in the first place. Because of their similarities, these two procedures are usually merged in one.
But why is it that ISO 27001 requires documented procedures that are not related to information security, while security procedures are not mandatory?
The answer is in risk assessment – ISO 27001 does require you to perform risk assessment, and when this risk assessment identifies certain unacceptable risks, then ISO 27001 requires a control from its Annex A to be implemented that will decrease the risk(s). The control can be technical (for instance, anti-virus software for decreasing the risk of malicious software attack), but could also be organizational – to implement a policy or a procedure (for instance, implement a back-up procedure). Therefore, the procedures are becoming mandatory only if the risk assessment identifies unacceptable risks.
One important note though – as opposed to the four mandatory procedures which must be documented, the procedures arising from controls in Annex A do not have to be documented. It is up to the organization to estimate whether such a procedure is to be documented or not.
You could consider the four mandatory procedures as the pillars of your management system (together with the security policy) – after they are firmly set in the ground, you can start building the walls of your house. This becomes obvious when you look at other management systems – the same four procedures are mandatory there, too – in ISO 9001 (quality management systems), ISO 14001 (environmental management systems), and BS 25999-2 (business continuity management systems). As a consequence, you can use these procedures as the main link between different management systems if you want to develop the so called “integrated management system”.
You can also check out our video tutorial How to Write ISO 27001/ISO 22301 Document Control Procedure (commercially sold video).