What is Required under Clause 7.5 of ISO 27001:2022?
Anyone familiar with operating to a recognised international ISO/IEC standard will know the importance of documentation for the management system. One of the main requirements of ISO 27001 is therefore to describe your information security management system (ISMS) and then to demonstrate how its intended outcomes are achieved for the organisation. If the organisation wants to achieve independent ISO 27001 certification from an accredited certification body (in the UK, one accredited by UKAS), it is incredibly important that everything related to the ISMS is documented, well maintained and easy to find. Certification body auditors take great confidence from good housekeeping and maintenance of a well structured information security management system. ISO 27001 clause 7.5 is broken down as follows:
Clause 7.5.1 - General documentation for ISO 27001
The ISMS needs to clearly include:
- A description of how it addresses clauses 4.1 to 10.2 of the core requirements, including the risk assessment and risk treatment which lead on to the selection of the Annex A controls.
- The Statement of Applicability covering the Annex A controls, which effectively means every Annex A control needs to be listed. Even where an organisation decides that a control is not relevant, it must document that decision and be able to show the auditor that it has considered the related risk and justified why the control is not needed.
Clause 7.5.2 - Creating and updating documented information for ISO 27001
ISO 27001 wants clarity in documentation, looking for identification and description, format, and review and approval for suitability and adequacy to serve its purpose. It is easy to miss the nuances of these requirements, but practically this means recording the author, date, title, reference number and similar for each item, and having a defined approval process. That approval process is also very important for dovetailing with Annex A 5.1 as described below.
Clause 7.5.3 - Control of documented information for ISO 27001
At the heart of the ISMS is the Confidentiality, Integrity and Availability principle for information. The same applies to the ISMS documentation itself: it needs to be available when and where required and adequately protected from loss of confidentiality, improper use or loss of integrity.
Simply dumping the ISMS contents on the team shared drive, uncontrolled or with ineffective access permissions, would almost certainly lead to problems for the organisation in an audit. Similarly, leaving it on a personal drive inaccessible to those who need to know about the ISMS would equally be a problem, so consideration needs to be given to numerous areas for effective control. ISO looks for an organisation to address the following aspects:
- distribution, access, retrieval and use, with controls over who can access some or all of the ISMS - bearing in mind that the permissions for reading, updating, approving, deleting etc. might need to differ based on the stakeholder's role
- storage and preservation, including preservation of legibility, and control of changes (e.g. version control showing older versions, historical approvals etc.)
- retention and disposition, which also need consideration
This requirement also aligns with the regular review of policies required by Annex A 5.1, touched on below.
How much has to be written for documentation of the information security management system to be considered acceptable by an auditor?
One question that is often asked about information security management documentation is 'how much is enough'. The short answer is that it is about quality, not quantity. As long as the organisation is complying with the requirements summarised above, and can demonstrate that it does not need lengthy, verbose documentation, the auditor will take that into account during an audit - e.g. because it is a small organisation with few participants around the ISMS, and the ISMS is stable, clear, well maintained and simple in operation.
Is documentation for the information security management system 'word style documents' or are other forms of content allowed?
Queries about what sort of documentation is expected are among the other frequently asked questions about clause 7.5 documentation for the information security management system. In fact ISO 27001 does clearly state in the note to clause 7.5.1:
"The extent of documented information for an information security management system can differ from one organization to another due to:
- the size of organization and its type of activities, processes, products and services;
- the complexity of processes and their interactions; and
- the competence of persons."
A number of ISO 27001 information security documentation 'toolkit' providers have perpetuated the myth that documented information for an ISMS must be Word documents and Excel spreadsheets. Clearly such documents can have a place in an ISMS (e.g. where pictures or complex processes need to be communicated too), but they should be used sparingly given the advent of better online tools.
When you consider that the clause 7.5 requirements also dovetail with the controls in Annex A, it makes even more sense to think about a joined-up, well-coordinated management system instead of old fashioned documents and shared drives for storage. Examples of where to join up clause 7.5 with the Annex A controls include:
- Annex A 5.1 - In addition to being defined, information security policies need to be approved by management, published and communicated to employees and relevant interested parties. It is not easy to demonstrate approval for standalone documents, and publishing heavyweight documents means they are unlikely to be digested or understood by the stakeholders even if they have been communicated (leaving the organisation at risk of non-compliance and of losses caused by ignorance of the policy).
- Annex A 5.1 - Review of the policies for information security. ISO 27001 says that policies should be reviewed at planned intervals (or if significant changes occur) to ensure their ongoing suitability. Although the standard does not fix the interval, independent ISO auditors will typically expect to see that review done at least annually for each policy, with evidence of who reviewed and approved it and when.
- Annex A 5.35 - This Annex A control is about independent review of information security. Done well, it integrates neatly with clause 7.5 documentation management of an ISMS, covering independent reviews, checks for compliance with policies and, where appropriate, technical compliance as well. Reviewing, version controlling, showing updates and then approving old fashioned documents where they don't need to be documents per se can really slow down administrators of the ISMS. It can also delay or lose staff engagement and lead to non-compliance.