In this article we lay bare ISO27001 Clause 7.5.1 Documented Information. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is ISO27001 Clause 7.5.1
Table of contents
- What is ISO27001 Clause 7.5.1 Documented Information?
- What are the ISO27001:2022 Changes to Clause 7.5.1?
- ISO27001 Clause 7.5.1 Definition
- ISO27001 Annex A / ISO27002 2022 Guidance on Documented Information
- How To comply with ISO27001 Clause 7.5.1
- ISO27001 Clause 7.5.1 Implementation Guide
- How do you demonstrate compliance to ISO27001 clause 7.5.1?
- ISO27001 Clause 7.5.1 Templates
- ISO27001 Clause 7.5.1 FAQ
- Reference
What is ISO27001 Clause 7.5.1 Documented Information?
The ISO27001 standard requires an organisation to document the information security management system.
It works on the premise that if it is not written down then it does not exist.
There is a lot of documentation required for ISO27001.
Compliance with the standard may not make you more secure.
Often the ISO27001 certification is about the minutia of documentation rather than whether you are actually secure. Unless you are buying an ISO27001 document templates toolkit you are going to have a lot of ISO27001 documents to create.
We are not here to defend it, rather to show you how to do it.
Hopefully saving you some time and money along the way.
ISO27001 Clause 7.5.1 Documented Information is about documentation, documentation, documentation.
The ISO27001 standard for ISO27001 certification wants you to document pretty much everything. It is one of the ISO27001 controls.
What are the ISO27001:2022 Changes to Clause 7.5.1?
Great news. There are no material changes to ISO27001 Clause 7.5.1 in the 2022 update. There is a general update across the standard to replace the words ‘International Standard’ to the word ‘document’. But this is not material but refers to how the standard refers to itself in the text.
ISO27001 Clause 7.5.1 Definition
The ISO27001 standard defines clause 7.5.1 as:
The organisation’s information security management system shall include:
a) documented information required by this International Standard; and
ISO27001 Clause 7.5.1 Documented Information
b) documented information determined by the organisation as being necessary for the effectiveness of the information security management system.
ISO27001 Annex A / ISO27002 2022 Guidance on Documented Information
There is further guidance provided in the ISO27001 Annex A Controls that was revised in 2022 with changes to the ISO27002 standard and specifically calls out required communications. Let’s take a look at what Annex A says.
In broad brush terms, without exception, everything needs documenting. Everything.
It would be fruitless to list every ISO27001 2022 control here as we have provided a complete guide to the ISO27001 controls that includes the ISO27002 / Annex A controls. Just be assured that you are going to have document everything.
I am not sure I have mentioned that you will have to document everything enough.
Lets take just a couple of examples to whet your appetite:
ISO27002 Clause 5.1 Policies for Information Security
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
ISO27002 Clause 5.1 Policies for Information Security
Here we see we need to document Information Security Policies.
ISO27002 Clause 5.24 Information security incident management planning and preparation
The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities
ISO27002 Clause 5.24 Information security incident management planning and preparation
Documenting the incident management process is a key step so that everyone knows what to do if things go wrong. The basics would be to document ‘how to report and incident’ and ‘who is responsible for information security’.
ISO27002 Clause 6.4 Disciplinary Process
A disciplinary process should be formalised and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
ISO27002 Clause 6.4 Disciplinary Process
This is usually the function of the HR department and part of good HR practice. HR will have many documentation requirements of their own but we are interested for ISO27001 certification in ensuring that they have documented the disciplinary process. The disciplinary process must include steps for what happens if staff breach information security.
You get the idea. Without exception, everything needs documenting. Everything.
How To comply with ISO27001 Clause 7.5.1
Time needed: 5 days.
How to comply with ISO27001 Clause 7.5.1 Documented Information
- Build your Information Security Management System
Rather than building your information security management system from scratch, download a copy of the ISO27001 toolkit. The ISO27001 toolkit will save you months of effort and thousands in consulting fees. It has been built specifically to address the requirements of ISO27001. We can not over emphasise what a bad idea it is to build your information security management system from scratch.
- Document your processes
All of your operational process require documenting. You will document what you actually do not what you think an auditor wants to hear. When it comes time to be audited, and auditor can only audit you against what you say you do. If what you have written down is not what you do then you will fail. Why set yourself up for the fall?
- Retain documented evidence of operation
For the processes that you operate you want to ensure that you have documented evidence of their operation. This could take the form of operational reports, management reports, system reports, system logs, help desk tickets, change tickets, version control in documents. There are many ways to evidence the effective operation of the Information Security Management System.
- Before you get audited
Check, double check and recheck your documentation before you get audited. The documentation is the primary thing that you will be audited on. Make sure all your version controls are up to date, documents are clean of comments and review mark up, that they have appropriate approvals, appropriate document markup. Ensure that the version control has been touched at least once in the last 12 months before the audit happens.
ISO27001 Clause 7.5.1 Implementation Guide
There are many ways to document your information security management system. Some are more efficient and proven than others.
Our ISO27001 toolkit has been built over 20 years and is used globally by thousands of businesses who want to save vast amounts of time and money.
You may be considering an Information Security Management System online solution.
These software solutions can be a great help to information security managers in larger organisations but they come at a massive cost.
Which ever route you go .. document everything.
How do you demonstrate compliance to ISO27001 clause 7.5.1?
Having a documented information security management system, documented policies and document records of the effective operation of your processes will show you comply with ISO27001 clause 7.5.1
You need the appropriate document mark up and you need to ensure that they are updated at least within the last 12 months.
ISO27001 Clause 7.5.1 Templates
ISO27001 templates are a great way to implement your information security management system. Whilst an ISO27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO27001 clause 7.5.1
ISO27001 Clause 7.5.1 FAQ
The ISO27001 standard requires an that the organisation documents everything and retains copies of documentation for audit including:
a) Documented policies
b) Documented Information Security Management System
c) Documented records of the effective operation of processes
d) Appropriate documentation markup with version control
e) Documentation review and approved within the last 12 months
You evidence compliance to the ISO27001 Clause 7.5.1 by having a good documentation in place. You document everything.
a) Documented policies
b) Documented Information Security Management System
c) Documented records of the effective operation of processes
d) Appropriate documentation markup with version control
e) Documentation review and approved within the last 12 months
You can download ISO27001 7.5.1 Documented Information templates here: https://hightable.io/product/iso-27001-templates-toolkit/
An example of ISO27001 Clause 7.5.1 can be found here: https://hightable.io/product/iso-27001-templates-toolkit/
The ISO27001 documentation templates toolkit can be downloaded here: https://hightable.io/product/communication-plan/
ISO27001 Certification Requirements
ISO27001 Certification Requirements set out clause by clause with these complete certification guides that include everything you need to know, what you need to do and ISO 27001 templates.
- ISO27001 Clause 4.1 Understanding The Organisation And Its Context
- ISO27001 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties
- ISO27001 Clause 4.3 Determining The Scope Of The Information Security Management System
- ISO27001 Clause 4.4 Information Security Management System (ISMS)
- ISO27001 Clause 5.1 Leadership And Commitment
- ISO27001 Clause 5.2 Information Security Policy
- ISO27001 Clause 5.3 Organisational Roles, Responsibilities And Authorities
- ISO27001 Clause 6 Planning
- ISO27001 Clause 6.1.1 Planning General
- ISO27001 Clause 6.1.2 Information Security Risk Assessment
- ISO27001 Clause 6.1.3 Information Security Risk Treatment
- ISO27001 Clause 6.2 Information Security Objectives And Planning To Achieve Them
- ISO27001 Clause 7.1 Resources
- ISO27001 Clause 7.2 Competence
- ISO27001 Clause 7.3 Awareness
- ISO27001 Clause 7.4 Communication
- ISO27001 Clause 7.5.1 Documented Information
- ISO27001 Clause 7.5.2 Creating And Updating Documented Information
- ISO27001 Clause 7.5.3 Control Of Documented Information
- ISO27001 Clause 8.1 Operational Planning And Control
- ISO27001 Clause 8.2 Information Security Risk Assessment
- ISO27001 Clause 8.3 Information Security Risk Treatment
- ISO27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation
- ISO27001 Clause 9.2 Internal Audit
- ISO27001 Clause 9.3 Management Reviews
- ISO27001 Clause 10.1 Continual Improvement
- ISO27001 Clause 10.2 Non Conformity and Corrective Action
Read Next
- ISO 27001 Certification up to 10x Faster and 30x Cheaper
- The Ultimate ISO 27001 TOOLKIT so you can do it yourself
- ISO 27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!)
- 25 Things You Must Know Before Going for ISO 27001 Certification (Number 3 will blow your mind!)
- ISO27001 Reference Guide: Clause by Clause
Reference
ISO/IEC 27001 Information Security Management
FREE 30 minute ISO27001 strategy session.
Claim your 100% FREE no-obligation 30 minute strategy session call (£1000 value). This is strictly for small businesses who are hungry to get ISO27001 certified up to 10x faster and 30x cheaper.
