As an auditor, I often come across the term "documented requirements of 27001" and, of course, the reply "we don't need a document if the standard does not say so". You are 100% right, but when the standard (Annex A) says things like "policy", what do you think an auditor will ask for? ISO 27000 defines a policy as the "intentions and direction of an organisation as formally expressed by its top management". So consider control A.14.2.1 (secure development policy): "Rules for the development of software and systems shall be established and applied to developments within the organization." Does this need to be documented? Technically no, but if an auditor asks "well, what are the rules for this then?", would it not be better to have them written down, i.e. "formally expressed"? If I ask several developers and none of them knows what the rules are, we are heading towards trouble!

Let's have a look at the other "policy" documents you can have. All of these controls are optional, depending on your risk assessment and control selection, but let's presume you have selected to implement them.

A.6.2.1 Mobile device policy

Does it HAVE to be documented? No

A.9.1.1 Access control policy

Does it HAVE to be documented? YES. The control says: "An access control policy shall be established, documented and reviewed based on business and information security requirements."

A.10.1.1 Policy on the use of cryptographic controls

Does it HAVE to be documented? No

A.11.2.9 Clear desk and clear screen policy

Does it HAVE to be documented? No

A.12.3.1 Information back-up

Does it HAVE to be documented? No

A.14.2.1 Secure development policy

Does it HAVE to be documented? No

A.15.1.1 Information security policy for supplier relationships

Does it HAVE to be documented? No

So there it is: while you do not HAVE to document these controls, doing so is generally regarded as best practice, depending on the size and complexity of your organisation. I may not expect a micro or small organisation to have all of these, but again, that depends on the service and industry of the organisation. If in doubt, have a read of ISO 27000 (the reference document for definitions across the 27000-series standards), which says: "Policy: intentions and direction of an organisation as formally expressed by its top management".