ISO Clause 7.5.1 General Guideline Documented information
Required activity
The organization includes documented information within the ISMS as directly required by ISO/IEC 27001, also as determined by the organization as being necessary for the effectiveness of the ISMS.
Implementation Guideline
Documented information is required to define and communicate information security objectives, policy, guidelines, instructions, controls, processes, procedures, and what persons or groups of individuals are expected to try to do and the way they’re expected to behave. Documented information is additionally needed for audits of the ISMS and to take care of a stable ISMS when persons in key roles change. Further, documented information is required for recording actions, decisions and outcome(s) of ISMS processes and knowledge security controls.
Documented information can contain:
- Information about information security objectives, risks, requirements and standards;
- Information about processes and procedures to be followed;
- Records of the input (e.g. for management reviews) and therefore the outcomes of processes (including plans and outcomes of operational activities).
There are many activities within the ISMS that produce documented information that’s used, most of the time, as an input for an additional activity. ISO/IEC 27001 requires a group of mandatory documented information and contains a general requirement that additional documented information is required if it’s necessary for the effectiveness of the ISMS.
The amount of documented information needed is usually associated with the dimensions of the organization. In total, the mandatory and extra documented information contains sufficient information to permit the performance evaluation requirements laid out in Clause 9 to be administered.
The organization should determine what documented information is important for ensuring effectiveness of its ISMS additionally to mandatory documented information required by ISO/IEC 27001.The documented information should be there to suit the aim. Factual and ‘to the point’ information is what’s needed.
Examples of documented information which will be determined by the organization to be necessary for ensuring effectiveness of its ISMS are:
- The results of the context establishment;
- The roles, responsibilities and authorities;
- Reports of the various phases of the danger management;
- Resources determined and provided;
- The expected competence;
- Plans and results of awareness activities;
- Plans and results of communication activities;
- Documented information of external origin that’s necessary for the ISMS;
- Process to regulate documented information;
- Policies, rules and directives for guiding and operating information security activities;
- Processes and procedures required to implement, maintain and improve the ISMS and therefore the overall information security status;
- Action plans;
- Evidence of the results of ISMS processes (e.g. incident management, access control, information security continuity, equipment maintenance, etc.).
Documented information’s are often of internal or external origin.
ISO 27001 Clause 7.5.2 Creating and updating
Required activity
When creating and updating documented information, the organization ensures its appropriate identification and outline, format and media, and review and approval.
Implementation Guideline
The organization identifies intimately how the documented information is best structured and defines an appropriate documentation approach. Review and approval by appropriate management ensures that the documented information is correct, suitable for the aim, and in an adequate form and detail for the intended audience. Regular reviews ensure continued suitability and adequacy of documented information.
Documented information could also be retained in any form, e.g. traditional documents (in both paper and electronic form), web pages, databases, computer logs, computer generated reports, audio and video. Moreover, documented information may contain specifications of intent (e.g. the knowledge security policy) or records of performance (e.g. the results of an audit) or a mix of both. the subsequent guidance applies on to traditional documents and will be interpreted appropriately when applied to other sorts of documented information.
Organizations should create a structured documented information library, linking different parts of documented information by:
- Determining the structure of the documented information framework;
- Determining the quality structure of the documented information;
- Providing templates for various sorts of documented information;
- Determining the responsibilities for preparing, approving, publishing and managing the documented information;
Determining and documenting the revision and approval process to make sure continual suitability and adequacy.
Organizations should define a documentation approach that has common attributes of each document, which permit clear and unique identification. These attributes usually include document type (e.g. policy, directive, rule, guideline, plan, form, process or procedure), the aim and scope, title, date of publication, classification, reference number, version number, and a revision history. The identification of the author and therefore the person(s) currently liable for the document, its application and evolution, also because the approver(s) or approval authority should be included.
Format requirements can include definition of suitable documentation languages, file formats, software version for working with them and graphical content. Media requirements define on which physical and electronic media the knowledge should be available. Statements and literary genre should be tailored to the audience and scope of the documentation.
Duplication of data in documented information should be avoided and cross-references used instead of replicating an equivalent information in several documents. The documentation approach should ensure timely review of the documented information which all documentation changes are subject to approval. Suitable review criteria are often timing related (e.g. maximum time periods between document reviews) or content related. Approval criteria should be defined, which ensures that the documented information is correct, suitable for the aim, and in an adequate form and detail for the intended audience.
ISO 27001 Clause 7.5.3 Control of documented information
Required activity
The organization manages documented information throughout its lifecycle and makes it available where and when needed.
Implementation Guideline
Once approved, the documented information is communicated to its intended audience. Documented information is out there where and when it’s needed, while preserving its integrity, confidentiality, and relevance throughout the entire lifecycle. Note that activities described “as applicable” in ISO/IEC 27001:2013 got to be performed if they will be performed and are useful, considering the organization’s needs and expectations.
A structured documented information library are often wont to facilitate access to documented information. All of the documented information should be classified (see ISO/IEC 27001:2013) in accordance with the organization’s classification scheme. Documented information should be protected and handled in accordance with its classification level (see ISO/IEC 27001:2013).
A change management process for documented information should make sure that only authorized persons have the proper to vary and distribute it as required through appropriate and predefined means.
Documented information should be protected to make sure it keeps its validity and authenticity. Documented information should be distributed and made available to authorized interested parties. For this, the organization should establish who are the relevant interested parties for every documented information (or groups of documented information), and therefore the means to use for distribution, access, retrieval and use (e.g. an internet site with appropriate access control mechanisms). The distribution should suit any requirements associated with protecting and handling of classified information.
The organization should establish the acceptable retention period for documented information consistent with its intended validity and other relevant requirements. The organization should make sure that information is legible throughout its retention period (e.g. using formats which will be read by available software or verifying that paper isn’t corrupted).
The organization should establish what to try to do with documented information after its retention period has expired. The organization should also manage documented information of external origin (i.e. from customers, partners, suppliers, regulatory bodies, etc.).
Documented information on this activity and its outcome is mandatory only within the form and to the extent the organization determines as necessary for the effectiveness of its management system (see ISO/IEC 27001:2013).
ISO 27001 Requirements
Clause 4.4 Information security management system
Clause 4.3 Determining the scope of the information security management system
Clause 5.1 Leadership and commitment
Clause 5.2 Policy
Clause 5.3 Organizational roles, responsibilities and authorities
Clause 6.1 Actions to address risks and opportunities
Clause 6.1.2 Information security risk assessment process
Clause 6.1.3 Information security risk treatment
Clause 6.2 Information security objectives & planning
Clause 7.1 Resources
Clause 7.2 Competence
Clause 7.3 Awareness
Clause 7.4 Communication
Clause 8.1 Operational planning & control
Clause 8.2 Information security risk assessment
Clause 8.3 Information security risk treatment
Clause 9.1 Performance evaluation Monitoring, measurement, analysis & evaluation
Clause 9.2 Internal audit
Clause 9.3 Management review
Clause 10.1 Non conformity and corrective action
Clause 10.2 Continual Improvement
ISO 27001 Annex A Controls
Annex A.5 Information Security Policies
Annex A.6 Organization of Information Security
Annex A.6.2 Mobile Devices and Teleworking
Annex A.7 Human Resource Security
Annex A.7.2 During Employment
Annex A.7.3 Termination and Change of Employment
Annex A.8 Asset Management
Annex A.8.1.3 Acceptable Use of Assets & A.8.1.4 Return of Assets
Annex A.8.2 Information Classification
Annex A.8.2.2 Labeling of Information & A.8.2.3 Handling of Assets
Annex A.8.3 Media Handling
Annex A.9 Access Control
Annex A.9.1.2 Access to Networks and Network Services
Annex A.9.2 User Access Management
Annex A.9.2.3 Management of Privileged Access Rights
Annex A.9.2.4 Management of Secret Authentication Information of Users
Annex A.9.2.5 Review of User Access Rights
Annex A.9.2.6 Removal or Adjustment of Access Rights
Annex A.9.3 User Responsibilities
Annex A.9.4 System and Application Access Control
Annex A.9.4.4 Use of Privileged Utility Programs
Annex A.9.4.5 Access Control to Program Source Code
Annex A.10 Cryptography
Annex A.11 Physical and Environmental Security
Annex A.11.2 Equipment
Annex A.11.1.3 Securing Offices, Rooms and Facilities
Annex A.11.1.4 Protecting Against External and Environmental Threats
Annex A.11.1.5 Working in Secure Areas
Annex A.11.1.6 Delivery and Loading Areas
Annex A.11.2.4 Equipment Maintenance
Annex A.11.2.5 Removal of Assets
Annex A.11.2.6 Security of Kit and Assets Off-Premises
Annex A.11.2.7 Secure Disposal or Re-use of Equipment
Annex A.11.2.8 Unattended User Equipment
Annex A.11.2.9 Clear Desk and Clear Screen Policy
Annex A.12 Operations Security
Annex A.12.2 Protection from Malware
Annex A.12.3 Backup
Annex A.12.4 Logging and Monitoring
Annex A.12.5 Control of Operational Software
Annex A.12.6 Technical Vulnerability Management
Annex A.12.7 Information Systems Audit Considerations
Annex A.13 Communications Security
Annex A.13.2 Information Transfer
Annex A.13.2.3 Electronic Messaging
Annex A.13.2.4 Confidentiality or Non-Disclosure Agreements
Annex 14 System Acquisition, Development and Maintenance
Annex A.14.1.2 Securing Application Services on Public Networks
Annex A.14.1.3 Protecting Application Services Transactions
Annex A.14.2 Security in Development and Support Processes
Annex A.14.2.3 Technical Review of Applications after Operating Platform Changes
Annex A.14.2.4 Restrictions on Changes to Software Packages
Annex A.14.2.5 Secure System Engineering Principles
Annex A.14.2.6 Secure Development Environment
Annex A.14.2.7 Outsourced Development
Annex A.14.2.8 System Security Testing
Annex A.14.2.9 System Acceptance Testing
Annex A.14.3 Test data
Annex A.15 Supplier Relationships
Annex A.15.1.2 Addressing Security Within Supplier Agreements
Annex A.15.1.3 Information and Communication Technology Supply Chain
Annex A.15.2 Supplier Service Delivery Management
Annex A.16 Information Security Incident Management
Annex A.16.1.2 Reporting Information Security Events
Annex A.16.1.3 Reporting Information Security Weaknesses
Annex A.16.1.4 Assessment of and Decision on Information Security Events
Annex A.16.1.5 Response to Information Security Incidents
Annex A.16.1.6 Learning from Information Security Incidents
Annex A.16.1.7 Collection of Evidence
Annex A.17 Information Security Aspects of Business Continuity Management
Annex A.17.1.3 Verify, Review and Evaluate Information Security Continuity
Annex A.18 Compliance
Annex A.18.1.3 Protection of Records
Annex A.18.1.4 Privacy and Protection of Personally Identifiable Information
Annex A.18.1.5 Regulation of Cryptographic Controls
Annex 18.2 Information Security Reviews
About ISO 27002
- ISO 27002 – INTRODUCTION
- ISO 27002 Information technology Security techniques Code of practice for information security controls
This Blog Article is posted by
Infosavvy, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India
Contact us – www.infocerts.com
