As well as a document defining the broad outline of the Information Security Management System (ISMS), you will need to ensure that, at the very least, you have the following available, whether in documents (such as a spreadsheet) or by using online tools:

• Information Security Policy
• Statement of Applicability
• Risk Assessment and Risk Treatment Plan (often combined with the Risk Assessment in a more general Risk Register)

The following is not an exhaustive list, but documented information is required for:

• Scope of the ISMS
• Information Security risk treatment process
• Objectives
• Competence
• Criteria and controls for any processes identified during risk assessment and risk treatment, and that are detailed in the Statement of Applicability
• Records towards monitoring and measurement, ensuring information security performance and effectiveness
• Audit programme and audit results
• Management Review
• Nonconformities and Corrective actions – including the nature of the nonconformity and any actions taken

ISO 27001 lists requirements for the creation and maintenance of any documented information including, for example, format & title and document control. This includes the control of documents of external origin.

This list is extensive and, as you prepare for certification, you will find that the number of documents expands, and the difficulty of controlling all increases!

Cambridge Risk Solutions specialises in developing effective and user-friendly information security management systems; contact us today for additional support.