Requirements 7.5

What is Required under Clause 7.5 of ISO 27001:2022?

Anyone familiar with operating to a recognised international ISO/IEC standard will know the importance of documentation for the management system. One of the main requirements of ISO 27001 is therefore to describe your information security management system (ISMS) and then to demonstrate how its intended outcomes are achieved for the organisation. If the organisation wants to achieve independent ISO 27001 certification from a body such as UKAS, it is incredibly important that everything related to the ISMS is documented, well maintained and easy to find. ISO certified auditors take great confidence from good housekeeping and maintenance of a well structured information security management system. ISO 27001 clause 7.5 is broken down as follows:

Clause 7.5.1 - General documentation for ISO 27001

The ISMS needs to clearly include:

  • A description of how it addresses clauses 4.1 to 10.2 of the core requirements, including the risk assessment and treatment that leads on to the selection of the Annex A controls.
  • The relevant Annex A controls that are part of the Statement of Applicability, which effectively means that all controls need to be listed. Even if an organisation decides that a control is not relevant, it should still document that decision and be able to show the auditor that it has considered the control and concluded there is no risk and no need for it.

Clause 7.5.2 - Creating and updating documented information for ISO 27001

ISO 27001 wants clarity in documentation: it looks for identification and description, format, and review and approval for suitability and adequacy to serve the document's purpose. It is easy to miss the nuances of these requirements, but practically this means considering author, date, title, reference and so on, and the approval process is also very important for dovetailing with Annex A 5.1 as described below.

Clause 7.5.3 - Control of documented information for ISO 27001

At the heart of the ISMS is the Confidentiality, Integrity and Availability principle for information. The same applies to the ISMS documentation itself: it needs to be available when required and adequately protected from loss of confidentiality, unauthorised use or compromise of its integrity.

Simply dumping the ISMS contents on the team shared drive, uncontrolled or with ineffective access permissions, would almost certainly lead to problems for the organisation in an audit. Equally, leaving it on a personal drive inaccessible to those who need to know about the ISMS would be a problem, so consideration needs to be given to numerous areas for effective control. ISO looks for an organisation to address the following aspects:

  • clarity of sharing and distribution, and controls over access to some or all of the ISMS, bearing in mind that the permissions for reading, updating, approving, deleting etc. may need to differ by stakeholder role
  • storage and preservation, including control of changes (showing older versions, historical approvals etc.)
  • retention and disposal

This requirement also aligns with the regular review of policies highlighted in Annex A 5.1, also touched on below.

How much has to be written for documentation of the information security management system to be considered acceptable by an auditor?

One question that is often asked about information security management documentation is 'how much is enough?'. The short answer is that it is about quality, not quantity. As long as the organisation complies with the requirements summarised below and can demonstrate that it does not need lengthy, verbose documentation (for example because it is a small organisation with few participants around the ISMS, and the ISMS is stable, clear, well maintained and simple in operation), the auditor will no doubt take that into account during an audit.

Is documentation for the information security management system limited to 'Word style documents', or are other forms of content allowed?

What sort of documentation is expected is another of the frequently asked questions about clause 7.5 documentation for the information security management system. In fact ISO 27001 clearly states in the note to clause 7.5.1:

"The extent of documented information for an information security management system can differ from one organization to another due to:

  1. the size of organization and its type of activities, processes, products and services;
  2. the complexity of processes and their interactions; and
  3. the competence of persons."

A number of ISO 27001 information security documentation 'toolkit' providers have perpetuated the myth that documented information for an ISMS must be Word documents and Excel spreadsheets. Clearly these documents can have a place in an ISMS (e.g. where pictures or complex processes need to be communicated), but they should be used sparingly given the advent of better online tools.

When you consider that the clause 7.5 requirements also dovetail with the control objectives in the Annexes, it makes even more sense to think about a joined up, well coordinated management system instead of old fashioned documents and shared drives for storage. Examples of where to join up clause 7.5 with the Annex A controls include:

  • Annex A 5.1 - In addition to being defined, information security policies need to be approved by management, published and communicated to employees and relevant external parties. It is not easy to demonstrate approval for documents per se, and published heavyweight documents are unlikely to be digested or understood by the stakeholders even if they have been communicated (leaving the organisation at risk of non compliance and of loss through ignorance).
  • Annex A 5.1 - Review of the policies for information security. ISO 27001 says that policies should be reviewed regularly at planned intervals (or if significant changes occur) to ensure their ongoing suitability. Independent ISO auditors will expect to see that review done at least annually for each policy.
  • Annex A 5.35 - This Annex A control is about independent review of information security, and done well it integrates neatly with clause 7.5 documentation management of an ISMS, including independent reviews, checks for compliance and, where appropriate, technical compliance as well. Reviewing, version controlling, showing updates and then approving old fashioned documents, where they don't need to be documents per se, can really slow down administrators of the ISMS. It can also delay or lose staff engagement and lead to non compliance.
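As an added example (not code from this page or from ExamSimul), the Python below models a minimal ISMS document register that enforces the clause 7.5.2 and 7.5.3 points above together with the annual policy review from Annex A 5.1: role-based read/update/approve/delete rights, an append-only version history carrying author, date and approval for each version, and a review-overdue check. The role names, the ISMS-POL-001 reference, the user names and the dates are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Clause 7.5.3: read/update/approve/delete rights differ by stakeholder role (assumed roles).
PERMISSIONS = {
    "reader": {"read"},
    "author": {"read", "update"},
    "approver": {"read", "update", "approve"},
    "owner": {"read", "update", "approve", "delete"},
}
REVIEW_INTERVAL = timedelta(days=365)  # Annex A 5.1: each policy reviewed at least annually

@dataclass
class Version:  # Clause 7.5.2: author, date and approval recorded for every version
    number: int
    author: str
    created: date
    content: str
    approved_by: str | None = None
    approved_on: date | None = None

@dataclass
class Document:  # Clause 7.5.2: identification (reference), title and format
    reference: str
    title: str
    fmt: str
    versions: list = field(default_factory=list)  # full history kept, never overwritten

class Register:
    def __init__(self) -> None:
        self.docs = {}
    def can(self, role: str, action: str) -> bool:
        return action in PERMISSIONS.get(role, set())
    def _check(self, role: str, action: str) -> None:
        if not self.can(role, action):
            raise PermissionError(f"role '{role}' may not {action}")
    def create(self, role, user, reference, title, fmt, content, today) -> Document:
        self._check(role, "update")
        self.docs[reference] = doc = Document(reference, title, fmt, [Version(1, user, today, content)])
        return doc
    def update(self, role, user, reference, content, today) -> Version:
        self._check(role, "update")
        hist = self.docs[reference].versions
        hist.append(Version(hist[-1].number + 1, user, today, content))
        return hist[-1]  # stays unapproved until an approver signs it off
    def approve(self, role, user, reference, today) -> Version:
        self._check(role, "approve")
        ver = self.docs[reference].versions[-1]
        ver.approved_by, ver.approved_on = user, today
        return ver
    def review_overdue(self, reference, today) -> bool:
        # Never-approved content counts as overdue; otherwise compare against the last approval.
        ver = self.docs[reference].versions[-1]
        return ver.approved_on is None or today - ver.approved_on > REVIEW_INTERVAL

def run_demo() -> dict:
    # Walk one constructed policy through create, approve, update and review checks.
    reg, t0, ref = Register(), date(2024, 1, 10), "ISMS-POL-001"  # constructed sample values
    reg.create("author", "alice", ref, "Information Security Policy", "wiki page", "v1", t0)
    out = {"unapproved_overdue": reg.review_overdue(ref, t0)}
    reg.approve("approver", "bob", ref, t0)
    out["in_date"] = reg.review_overdue(ref, t0 + timedelta(days=200))
    out["overdue"] = reg.review_overdue(ref, t0 + timedelta(days=400))
    out["reader_can_update"] = reg.can("reader", "update")
    v2 = reg.update("author", "alice", ref, "v2", t0 + timedelta(days=30))
    out["versions"] = len(reg.docs[ref].versions)
    out["v1_approver"], out["v2_approver"] = reg.docs[ref].versions[0].approved_by, v2.approved_by
    return out
```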
ExamSimul is the training centre for the BITIL.COM group, an organization of professionals and senior experts whose main interest is the spread of knowledge and the application of methodologies such as Agile, Scrum, ITIL, Prince2, CobiT, TOGAF®, Design Thinking and international standards. [...]
2023 © Copyright ExamSimul - All Right Reserved