ISO 27001 Documentation

ISO 27001 Documentation and templates have been the top keywords searched in Google regarding ISO 27001 and Information Security Management System. You may be one of them by landing on this page.

At the end of this blog, I’ve included a FREE Download title: “ISO 27001 Documentation” that will save you a lot of time and money.

Continue reading to find out more…

Blog cover image for ISO 27001 Documentation

In this blog, I shall share with you the mandatory ISO 27001 Documentation and ISO 27001 Template for you to kick-start your ISO 27001 certification journey (Read also: ISO 27001 Certification Roadmap)

Before that, let me explain to you the framework of ISO 27001 Documentation Hierarchy by first explaining the critical differences between ISO Standards, Policies, Procedures, Work Instructions and Records.

ISO Standards Document VS Policies VS Procedures VS Work Instructions VS Records

Many are still unclear about the definition and differences between ISO Standard, Organisation Policies, Organisation Procedures and Organisation Work Instructions and Records. Many have used this interchangeably, believing it is the same. Let me break this down using a layman’s explanation of the process of “Getting to Work On Time“:

The ISO 27001 Standard

A standard is a global best practice or regulatory compliance standard of which you choose or are required to comply with.

In this instance, Organisation can refer to The “Malaysian Employment Law” as the “Standard”, which states that the Maximum Working Hours are 45 hours per week, with a maximum of 8 working hours per day and six working days per week. As long as organizations in Malaysia adhere to this standard is fine.

How each Organisation sets their working hours would depend on the nature of work. For example, a Call Center would set their working hours around the clock having 2 – 3 shifts; the guiding principle is as long as each shift falls within the “Malaysia Employment Law” is fine.

The same goes for the ISO 27001 standard, which is the guiding principle of designing and developing your Organisation’s Information Security Management System (ISMS).

ISO 27001 Documentation: Organisation Policies

Following the Standard stated above, Organisation policies are set at the highest level, which states the boundaries to which every employee in the company should adhere to. Failing to comply with the Organisation’s Policies, employees are subjected to disciplinary actions.

In this instance of “Getting to Work on Time”. The Organisation Policy is:

Working Hours 9 am – 5 pm, Monday – Friday.

ISO 27001 Documentation: Organisation Procedures

Since Organisation Policies do not provide details on processes, organization procedures are established to detail the processes that will get you to meet the Organisation’s Policies. In this instance, to get you to work by 9 a.m.

Tips: Organisation Procedures should be improvised from time to time. Process KPIs or Metrics should be defined in line with Organisation Policies. This shall provide you with a Bird’s-eye view of the effectiveness of the Procedures in meeting your Organisation’s Policy.

ISO 27001 Documentation: Organisation Work Instructions

Work Instructions are Step by step Instructions that act as “Dummy Guides” to take you through steps involved in a procedure. Let’s take the example of the process of “Take a Bus at 8.10a.m”;

The relevant Work instructions would be Work Instructions on “Which bus stop should you wait at”, “what Busses Numbers will get you to your destination”, “what payment method is accepted on the bus” and other instructions with the intention of reducing the chances of error thus ensuring compliance to the Organisation Procedures.

Tips: Work Instructions are not mandatory for all Process in your procedures, develop only work instructions base on lessons you learnt where errors and non-compliances occur.

ISO 27001 Documentation: Organisation Records

Organization records serve as the audit evidence of you conducting and performing the particular process according to your Organisation’s Procedures. Using the same example of procedure “Taking a bus at 8.10.m.”, the bus ticket is your record and evidence to prove that you had taken the correct bus at a time earlier than 8.10 a.m.

If you are late to work due to the breakdown of the bus, the bus ticket becomes part of the record and evidence to justify whether or not the steps you took complied with the Procedure.

Tips: Organisation records can be replaced with Digital WorkFlow Systems where digital records and logs of the systems are treated as records. Records retention policy shall be set, in Malaysia, Records Retention should be at least 7 years.

ISO 27001 Hierarchy of Documentation

List of Mandatory ISO 27001 Documentation

I have included here a comprehensive list of ISO 27001 Mandatory Documentation to assist you in the beginning or completing your ISO 27001 Certification Journey.

Read also my other blog Titled: ISO 27001 Certification Roadmap

FREE DOWNLOAD: “List of ISO 27001 Mandatory Documentation and Requirements”

Stay Up To Date

Stay updated on the latest trends, best practices, and innovations in quality management and information security.