ISO 27001 mapped to templates

How to meet ISO 27001: the ISO 27001 standard mapped to templates

ISO 27001 the international standard for Information Security is a simple and straight forward management system that is often over complicated by consultants and solution providers.

Here we take a look at mapping the standard to the simple, easy, pre written templates that satisfy it. These are all part of the ISO 27001 Templates Toolkit.

CLAUSECONTROLTEMPLATES
ISO 27001 Clause 4.1Understanding the organisation and its contextContext of Organisation
ISO 27001 Clause 4.2Understanding the needs and expectations of interested partiesContext of Organisation
ISO 27001 Clause 4.3Determining the scope of the information security management systemDocumented ISMS Scope
ISO 27001 Clause 4.4Information security management systemThe Information Security Management System
ISO 27001 Clause 5.1Leadership and commitmentOrganisation Overview describes the business and its objectives and mission and values.

The Information Security Management System sets out the information security objectives. These are managed and reviewed at the Management Review Team meeting which is documented in Information Security Roles Assigned and Responsibilities.

Information security policies are in place in line with the standard.

Information Security Policy sets out the objectives and the senior leadership commitment statement.

Information Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource.

ISMS Annex A Controls – Accountability Matrix assigns responsibility for each ISO 27002 / Annex A Control

Information Security Awareness and Training Policy sets out training and awareness

Communication Plan sets out the communications for the year across media and approaches

The Management Review Team meeting agenda covers the requirements of the standard.

A program of internal audit is conducted and document: Audit Plan sets out the audit plan for the year.

Continual Improvement Policy sets out the continual improvement approach.

Incident and Corrective Action Log captures and manages the corrective actions.

Competency Matrix captures the core competencies and training requirements of staff in relation to information security.

ISO 27001 Clause 5.2PolicyInformation Security Policy is the main information security policy and is part of a framework of policies. It includes the Information Security Objectives. It includes the requirements to meet legal and regulatory obligations. It includes a commitment to continual improvement.

Legal and Contractual Requirements Register sets out the legal, regulatory and contractual obligations

Continual Improvement Policy sets out the continual improvement policy.

The information security management system and associated documents are available electronically to the organisation based on the persons role and business need.

Communication Plan sets out the communications for the year across media and approaches

Documents are available to interested parties based on Non Disclosure Agreements and Contracts being place.

Policies provided:

Data protection Policy
Data Retention Policy 
Information Security Policy 
Access Control Policy 
Asset Management Policy 
Risk Management Policy 
Information Classification and Handling Policy 
Information Security Awareness and Training Policy 
Acceptable Use Policy 
Clear Desk and Clear Screen Policy 
Mobile and Teleworking Policy 
Business Continuity Policy 
Backup Policy 
Malware and Antivirus Policy 
Change Management Policy 
Third Party Supplier Security Policy 
Continual Improvement Policy
Logging and Monitoring Policy 
Network Security Management Policy
Information Transfer Policy 
Secure Development Policy 
Physical and Environmental Security Policy 
Cryptographic Key Management Policy 
Cryptographic Control and Encryption Policy 
Document and Record Policy
Significant Incident Policy and Collection of Evidence Policy
Patch Management Policy
ISO 27001 Clause 5.3Organisational roles, responsibilities and authoritiesInformation Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource.

The Management Review Team meeting agenda covers the requirements of the standard.

Competency Matrix captures the core competencies and training requirements of staff in relation to information security.

Management Review Team is documented in the document: Information Security Roles Assigned and Responsibilities and has responsibility for overseeing the Information Security Management System. This group reports to the board and has board representation and certain board designated authority for decision making. The Management Review Team meeting at least quarterly and follow the agenda as defined in the standard.
ISO 27001 Clause 6.1.1Planning GeneralRisk Management Policy and Risk Management Procedure describe the risk management process.

Risk Register captures, manages and reports risks. These are reported to and overseen by the Management Review Team meeting.

Risk Management is part of the Continual Improvement Policy and process

Continual improvement is managed, tracked and reported using Incident and Corrective Action Log
ISO 27001 Clause 6.1.2Information security risk assessmentThere is a risk management process in place and documented.

Risk Management Policy and Risk Management Procedure describe the risk management process.

Risk Register captures, manages and reports risks.
ISO 27001 Clause 6.1.3Information security risk treatmentThere is a risk management process in place and documented.

Risk Management Policy and Risk Management Procedure describe the risk management process.

Risk Register captures, manages and reports risks.

All controls required are assessed and document in the Statement of Applicability

Statement of Applicability describes the applicability of controls and why they are / are not applicable.

A Risk Treatment Plan guidance is documented in the Risk Register

Residual risk acceptance is recorded in the risk register and via Management Review Team meeting and standing agenda with minutes.

Risk Owners and Treatment Owners are identified in the Risk Register
ISO 27001 Clause 6.2.1Information security objectives and planning to achieve themThe Information Security Management System describes the information security objectives and the process and roles and responsibilities.

The Information Security Policy sets out the information security objectives in policy form.

Communication Plan sets out the communications for the year across media and approaches

Documents are updated as part of the Continual Improvement Policy and process and evidence as signed of by the Management Review Team
ISO 27001 Clause 7.1ResourcesInformation Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource.

ISMS Annex A Controls – Accountability Matrix assigns responsibility for each ISO 27002 / Annex A Control
ISO 27001 Clause 7.2CompetenceCompetency Matrix captures the core competencies and training requirements of staff in relation to information security.

Information Security Roles Assigned and Responsibilities sets out the roles and responsibilities with allocated resource.

ISMS Annex A Controls – Accountability Matrix assigns responsibility for each ISO 27002 / Annex A Control
ISO 27001 Clause 7.3AwarenessCompetency Matrix captures the core competencies and training requirements of staff in relation to information security.

Communication Plan sets out the communications for the year across media and approaches

Information Security Awareness and Training Policy sets out the training and awareness requirements

All policies include a statement on non conformance.

Grievance and disciplinary policy and processes are needed to be in place.

Employment contracts and third party contracts need to include coverage of information security requirements.
ISO 27001 Clause 7.4CommunicationCommunication Plan sets out the communications for the year across media and approaches. It lays out what, when, who and how and records evidence.
ISO 27001 Clause 7.5.1Documented information GeneralThe information security system is in place and evidenced and is high level described in document: The Information Security Management System. Documents as described per each control.
ISO 27001 Clause 7.5.2Creating and updatingDocument and Record Policy

Documents appropriate to the organisation and evidenced as having the mark up included

Documents are reviewed and signed of by the Management Review Team and evidenced as such.

Documents are updated in line with Continual Improvement Policy and the continual improvement process
ISO 27001 Clause 7.5.3Control of documented informationDocuments stored and accessible appropriate to the organisation.

Version control and document history in place.

Documents retained and disposed in line with the Data Retention Policy.
ISO 27001 Clause 8.1Operational planning and controlThe information security management system and associated processes are evidenced as being in place.

Documents and version control are in place. Audit Plan kept for a minimum of 1 year in line with the Data Retention Policy

Change Management Policy 

Third Party Supplier Security Policy 

Third Party Supplier Register is in place with periodic reviews needed based on criticality, risk and business need.
Current in date contracts are needed to be in place for all key suppliers.
ISO 27001 Clause 8.2Information security risk assessmentThere is a risk management process in place and documented.

Risk Management Policy 

Risk Register

All controls required are assessed and document in the Statement of Applicability

Risk assessment is performed at points of significant change on introduction of new technology and at least annually.

Risk Meeting Minutes in place.
ISO 27001 Clause 8.3Information security risk treatmentThere is a risk management process in place and documented.

Risk Management Policy 

Risk Register

All controls required are assessed and document in the Statement of Applicability

Risk assessment is performed at points of significant change on introduction of new technology and at least annually.

Risk Meeting Minutes in place.

Risk assessment is needed to be performed at points of significant change on introduction of new technology and at least annually.
ISO 27001 Clause 9.1Monitoring, measurement, analysis and evaluationThe Information Security Management System sets out the objectives.

These are managed and reviewed at the Management Review Team meeting which is documented in the document: Information Security Roles Assigned and Responsibilities.

The agenda template covers the requirements of the standard and is seen to be in operation in the meeting minutes.

A program of internal audit is conducted and document: Audit Plan sets out the audit plan for the year.

Continual Improvement Policy sets out the continual improvement policy.

Incident and Corrective Action Log captures and manages the corrective actions.
ISO 27001 Clause 9.2Internal auditThe ISO 27001 Audit Toolkit provides everything that is needed.

Easy to follow step by step guide – How to Conduct an Internal Audit
The ISO 27001 ISMS 114 Controls – audit work sheet
The ISO 27002:2013 Annex A  – audit work sheet
The ISO 27002:2022 Annex A  – audit work sheet
Management Audit Report
Audit Meeting Template
Audit 12 Month Planner 
ISO 27001 Clause 9.3Management reviewThe Management Review Team which is documented in the document: Information Security Roles Assigned and Responsibilities meets at least quarterly.

Document: Management Review Team Meeting Agenda, the agenda template covers the requirements of the standard
ISO 27001 Clause 10.1Nonconformity and corrective actionA non conformity occurs as a result of audit, incident or observation.

A program of internal audit is conducted and document: Audit Plan sets out the audit plan for the year.

Continual Improvement Policy sets out the continual improvement policy.

Incident and Corrective Action Log captures and manages the corrective actions.

Management Review Team oversees non conformity and corrective action as part of standing agenda
ISO 27001 Clause 10.2Continual improvementContinual Improvement Policy sets out the continual improvement policy. A process of continual improvement is in place.
ISO 27001 Certification

ISO 27001 Templates Toolkit: Business Edition

ISO 27001 Policy Templates: Professional Edition

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Shopping Cart