Which information do you have to document?
Clauses 4 to 10 refer to processes, policies and registers that must be established by management (e.g. the aforementioned Information Security Policy, and the Statement of Applicability).
Annex A contains documentation that is required only if the respective control is in scope, i.e. implemented as part of the ISMS. The Supplier Security Policy is an example: if you have no suppliers that pose any risk to information security, you do not need control 5.19 (Information security in supplier relationships), and if you are not implementing that control, you are also not implementing a Supplier Security Policy.
In practice, however, virtually all ISO27001-certified organisations have suppliers and therefore need to have this policy in place.
Documented information
This chapter describes the most common information to be documented as part of the implementation of an ISO27001-compliant ISMS. Where documented information needs to be available, it is just that: the information needs to be documented somewhere. By using Tidal, some documented information is prepared as you work on implementing your ISMS and does not have to be prepared explicitly. Other documentation, such as policies, always requires management review and acceptance.
Once again Tidal Control helps. We have already compiled a list of the most common documents as part of the ISMS implementation and added templates of these documents to their respective controls in the Tidal platform.
| Doc. ref. | Document Name | Required? | Where is it located in Tidal |
|---|---|---|---|
| ISMS_001 | Organisation context | Yes | Policies page |
| ISMS_002 | Scope of the ISMS | Yes | Policies page |
| ISMS_003 | Legal and contractual requirements | Yes | Policies page |
| ISMS_004 | Information security policy | Yes | Policies page |
| ISMS_005 | Information classification and management policy | Yes | Policies page |
| ISMS_006 | Risk management framework | Yes | Policies page |
| ISMS_007 | Risk assessment report | Yes | Risks page |
| ISMS_008 | Statement of applicability | Yes | Policies page |
| ISMS_009 | Information security objectives | Yes | Policies page |
| ISMS_010 | Internal audit framework | Yes | Policies page |
| ISMS_011 | Internal audit plan | Yes | Policies page |
| ISMS_012 | Internal audit report | Yes | Policies page |
| ISMS_013 | Management review of the ISMS | Yes | Policies page |
| ISMS_014 | Acceptable use policy | No, but recommended | Policies page |
| ISMS_015 | Access control policy | No, but recommended | Policies page |
| ISMS_016 | Secure baseline | No, but recommended | Policies page |
| ISMS_017 | Incident response framework | No, but recommended | Policies page |
| ISMS_018 | Incident in-take form | No, but recommended | Policies page |
| ISMS_019 | Incident log | No, but recommended | Issues page |
| ISMS_020 | Incident evidence register | No, but recommended | Policies page |
| ISMS_021 | Incident action plan | No, but recommended | Issues page |
| ISMS_022 | Secure development policy | No, but recommended | Policies page |
| ISMS_023 | Business continuity framework | No, but recommended | Policies page |
| ISMS_024 | Business impact analysis | No, but recommended | Assets page |
| ISMS_025 | Disaster recovery test report | No, but recommended | Policies page |
| ISMS_026 | Supplier security policy | No, but recommended | Policies page |
| ISMS_027 | Privacy policy | No, but recommended | n/a |
| ISMS_028 | Data protection impact assessment (GDPR) | No, but recommended | Policies page |
| ISMS_029 | Data processing register (GDPR) | No, but recommended | Policies page |
| ISMS_030 | Roles & Responsibilities | No, but recommended | Policies page |
| ISMS_031 | Third party register | No, but recommended | Policies page |
| ISMS_032 | Logging and Monitoring policy | No, but recommended | Policies page |