What is “mandatory” in ISO27001 (2024)

I have partly covered this in some other articles, but I thought I would try to bring it all together in one place.

The Clauses

The only mandatory requirements and processes in ISO27001 that you must implement and operate are those in sections 4 to 10 of the standard. These are usually called the clauses.

However, some of clauses 4 to 10 matter more than others. There are some clauses that people rarely implement (they should), and some that the certification auditors very rarely ask about (they should). Don't try to judge this yourself. This is one of the reasons people employ professional help: it is very easy to get this wrong, either by doing something incorrectly or by spending a lot of time on something you don't need to do.

If, as part of designing and implementing clauses 4 to 10, you specify that you will do X, then you have made X a mandatory requirement for the operation of your Information Security Management System (ISMS). An example: there is nothing in ISO27001 that says you must have an information security committee. However, if you decide that you need one and you say that it must meet every month, then you have made a monthly meeting of that committee a mandatory requirement. So it must meet every month. Whatever you say you are going to do to operate your ISMS, you must do. The certification auditors will sample-check this, and if you are not doing what you say, you will get a nonconformity.

The Controls

There is nothing in clauses 4 to 10 that specifies any particular information security controls that must be implemented. There is a very common myth that you have to implement at least some of the Annex A controls. This is not true. You can have an ISMS that fully conforms to all the requirements of ISO27001 and does not use any Annex A controls. What clause 6.1.3 does require is that you compare the controls you have determined with those in Annex A to check that you have not omitted a necessary one, and that your Statement of Applicability records which Annex A controls are included or excluded and why.

You determine the set of controls necessary to manage your risks, and by doing so you make those controls mandatory for you to implement and operate. Make sure you do.

Guidance on selecting controls is in this article: https://www.linkedin.com/pulse/iso27001-how-you-should-choose-controls-needed-manage-chris-hall

Also, whatever you say you are going to do to operate your controls, you must do. If you say, either verbally or in a document, that you have a Change Advisory Board that meets every week, then it must meet every week. If it doesn't, that is a nonconformity that an ISO27001 certification auditor may raise.

Mandatory Documentation relating to the clauses and controls

If you read the standard carefully, it tells you which of the clauses must have documented information. This is the list:

4.3 Scope of the ISMS

5.2 Information security policy

6.1.2 Information security risk assessment process

6.1.3 Information security risk treatment process

6.1.3 d) Statement of Applicability

6.2 Information security objectives

7.2 d) Evidence of competence

7.5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the ISMS

8.1 Operational planning and control

8.2 Results of the information security risk assessments

8.3 Results of the information security risk treatment

9.1 Evidence of the monitoring and measurement results

9.2 g) Evidence of the audit programme(s) and the audit results

9.3 Evidence of the results of management reviews

10.1 f) Evidence of the nature of the nonconformities and any subsequent actions taken

10.1 g) Evidence of the results of any corrective action

You must have all of these, although it is surprising how often certification auditors skip some of them. Note that the clause numbers above follow the 2013 edition of the standard. The 2022 edition carries the same documentation requirements, but the internal audit requirement sits in 9.2.2, and nonconformity and corrective action have moved from 10.1 to 10.2 (so the last two items are 10.2 f) and 10.2 g)), with continual improvement now at 10.1.

There are no other mandatory documentation requirements but, as stated above, if your design of a clause or control says it needs documentation, then you must have it. That is, you can and should make clause documentation or control documentation mandatory for your ISMS if you think it is needed to operate your ISMS effectively. This meets the requirement of clause 7.5.1 b), "documented information determined by the organization as being necessary for the effectiveness of the ISMS". It also means that a large organisation will, and should, have a lot more documentation than an organisation with only three people.

Apart from the mandatory documentation, if your design of your ISMS or controls does not specify the need for documentation on X, then you don't need to keep it.

By documentation here we mean both documentation on how the control works (e.g. a procedure document) and the records produced by operating the control. As an example, we may have a procedure document that explains how the visitor process works, and we may also have records in the form of the daily lists of who visited that day.

Note that if you are using Annex A controls, some of them specifically say that you must have documentation associated with them. For example, A.8.1.3 in the 2013 edition (A.5.10 in the 2022 edition): "Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented." Note the word "documented".

In summary, there are some mandatory requirements and some mandatory documentation you must have in place to conform to ISO27001, but some of what is mandatory is decided by you.

Chris
