What is ISO 27001 Documented Information?
The standard requires documentation for the information security management system (ISMS) and for the organisation's operational procedures.
The driver behind this requirement is process maturity.
The standard wants processes to be carried out in the same way and to deliver the same result irrespective of who operates them.
It acknowledges that the extent of the documented information can differ depending on organisational size.
The level and extent of your documentation will depend on:
- your size
- your activities
- your products
- your services
- the complexity of your organisation
- your processes
- the competence of your people.
Why is it important?
Having documentation is important for the following reasons:
Consistency: documented processes ensure a consistent approach to doing things, which in turn reduces errors and mistakes.
Evidence: processes that create documented records provide evidence that the process is in place and that it is operating effectively and as intended.
Process Maturity: having process maturity can provide a model of progressive improvement in processes that can be used to assess an organisation’s capabilities and to provide an improvement path.
Accountability: documented information drives organisational accountability.
ISO 27001 requirement for Documented Information
As the standard relies heavily on documented information, the following ISO 27001 clauses and ISO 27001 Annex A controls address it directly. You should read the implementation guide for details on exactly what is required and how to implement it.
ISO 27001 Clause 7.5.1 Documented Information
ISO 27001 Clause 7.5.2 Creating and Updating Documented Information
ISO 27001 Clause 7.5.3 Control of Documented Information
ISO 27001 Annex A 5.37 Documented operating procedures