ISO 27001 Documentation and templates have been the top keywords searched in Google regarding ISO 27001 and Information Security Management Systems. If you have landed on this page, you may well be one of those searchers.
At the end of this blog, I’ve included a FREE Download titled “ISO 27001 Documentation” that will save you a lot of time and money.
Continue reading to find out more…
In this blog, I shall share with you the mandatory ISO 27001 Documentation and an ISO 27001 Template to kick-start your ISO 27001 certification journey (read also: ISO 27001 Certification Roadmap).
Before that, let me explain the framework of the ISO 27001 Documentation Hierarchy by first explaining the critical differences between ISO Standards, Policies, Procedures, Work Instructions and Records.
Many are still unclear about the definitions of, and differences between, an ISO Standard, Organisation Policies, Organisation Procedures, Organisation Work Instructions and Records. Many use these terms interchangeably, believing they mean the same thing. Let me break this down using a layman’s explanation of the process of “Getting to Work On Time”:
A standard is a global best practice or a regulatory compliance standard that you choose, or are required, to comply with.
In this instance, an Organisation can refer to the “Malaysian Employment Law” as the “Standard”, which states that the Maximum Working Hours are 45 hours per week, with a maximum of 8 working hours per day and six working days per week. As long as organisations in Malaysia adhere to this standard, they are fine.
How each Organisation sets its working hours depends on the nature of the work. For example, a Call Center would set its working hours around the clock with 2 – 3 shifts; the guiding principle is that each shift must fall within the “Malaysian Employment Law”.
The same goes for the ISO 27001 standard, which is the guiding principle of designing and developing your Organisation’s Information Security Management System (ISMS).
Following the Standard stated above, Organisation Policies are set at the highest level and state the boundaries to which every employee in the company must adhere. Employees who fail to comply with the Organisation’s Policies are subject to disciplinary action.
In this instance of “Getting to Work on Time”, the Organisation Policy is:
Working Hours 9 am – 5 pm, Monday – Friday.
Since Organisation Policies do not provide details on processes, Organisation Procedures are established to detail the processes that will get you to meet the Organisation’s Policies; in this instance, the processes that get you to work by 9 a.m.
Work Instructions are step-by-step instructions that act as “dummy guides”, taking you through the steps involved in a procedure. Let’s take the example of the procedure “Take a Bus at 8.10 a.m.”:
The relevant Work Instructions would cover “which bus stop you should wait at”, “which bus numbers will get you to your destination”, “what payment method is accepted on the bus” and other instructions intended to reduce the chance of error, thus ensuring compliance with the Organisation’s Procedures.
Organisation Records serve as the audit evidence that you conducted and performed a particular process according to your Organisation’s Procedures. Using the same example of the procedure “Taking a bus at 8.10 a.m.”, the bus ticket is your record and evidence to prove that you took the correct bus at a time earlier than 8.10 a.m.
If you are late to work due to a breakdown of the bus, the bus ticket becomes part of the record and evidence used to justify whether or not the steps you took complied with the Procedure.
I have included here a comprehensive list of ISO 27001 Mandatory Documentation to assist you in beginning or completing your ISO 27001 Certification Journey.
Read also my other blog, titled: ISO 27001 Certification Roadmap
FREE DOWNLOAD: “List of ISO 27001 Mandatory Documentation and Requirements”