Here are the ISO 27001:2013 documentation, implementation and audit requirements.
This document specified documentation, implementation and audit requirements for only ISO 27001, but not 114 controls specified in Annex A.
I request IS practitioners to comment and suggest improvements.
1. ISO 27001: 2013 Standard
Documentation, Implementation and Audit Requirements classified
Clause Description Documentation Requirements Implementation Requirements Audit Requirements
4 Context of the organization
4.1
Understanding the
organization and
its context
‘About the Organization’ in the IS
Policy document
Understand the organization, its
nature of business and defining it
in the IS Policy document.
Review the IS Policy
document
4.2
Understanding the
needs and
expectations of
interested parties
‘Target Audience’ in the IS Policy
document
Brainstorming with Management
and including it in the IS Policy
document.
Review the IS Policy
document
4.3
Determining the
scope of the ISMS
‘ISMS Scope’ in the IS Policy
document
Brainstorming with Management
and including it in the IS Policy
document.
Review the IS Policy
document
4.4 ISMS The IS Policy document
Establishment of IS
Appointment of IS Manager
Conducting IS Trainings and
Awareness
Defining RACI
Review the IS Policy
document
2. Clause Description Documentation Requirements Implementation Requirements Audit Requirements
5 Leadership
5.1
Leadership and
commitment
ISMS budget allocations,
Assignment of competent IS
Manager and required staff
Approval of the IS Policy
Allocation of funds
Appointment of IS Manager
and other IS roles
Review and approval of ISMS
changes
Review of ISMS performance
Check for ISMS
head in budget
Identify IS
Manager
Board approval
for ISMS
implementation
activities
5.2 Policy IS Policy Development of the IS Policy
Review the IS Policy
document
5.3
Organizational
roles,
responsibilities
and authorities
Appointment of IS Manager
and required staff
Defining ISMS reporting
structure
Defining RACI
IS responsibilities in
Employee JD
Appointment of IS Manager
and required competent staff
Development of ISMS
reporting line
Development of RACI
Defining employee common
IS responsibilities
Identify IS
Manager
Review ISMS
reporting
structure
Review ISMS RACI
Review
Employment
documents
3. Clause Description Documentation Requirements Implementation Requirements Audit Requirements
6 Planning
6.1
Actions to address
risks and
opportunities
- - -
6.1.1 General
ISMS Risk Management
Methodology
Defining and documenting ISMS
Risk Management Methodology
Review ISMS Risk
Management
Methodology
6.1.2
IS Risk
Assessment
Define Risk Assessment
Process
List of Risk Owners
Develop and document Risk
Assessment Process including
defining risk acceptance criteria,
identifying risk owners
Review Risk
Assessment Process
6.1.3 IS Risk Treatment
Define Risk Treatment Process
and SoA
Develop and document Risk
Treatment Process including
development of SoA
Review Risk
Treatment Process
6.2
IS Objectives and
planning to
achieve them
Objectives in the IS Policy
document
Defining IS objectives of relevant
functions and levels of the
organization
Review IS Policy
4. Clause Description Documentation Requirements Implementation Requirements Audit Requirements
7 Support
7.1 Resources
Appointment of required
ISMS staff
Allocation of budget
Conducting Management
Reviews
Appointment of IS Manager, IS
training and awareness
Identify ISMS Staff
Review ISMS staff
responsibilities
7.2 Competence
IS Manager Job Description
IS Staff qualifications and
experience
Appointment of competent IS
Manager and required staff
Review IS
Manager and staff
qualifications
7.3 Awareness
IS Training and Awareness
activities (training materials,
schedules, assessments,
appreciations)
Conducting staff IS Training
and awareness activities
Review staff IS
Training and
Awareness activities
7.4 Communication
List of ISMS Interested Parties,
and Communication Plan
Identify and list ISMS
Interested parties
Gather communication
requirements and develop a
plan
Review list of
interested parties and
ISMS Communications
Plan
7.5
Documented
Information
- - -
5. Clause Description Documentation Requirements Implementation Requirements Audit Requirements
7.5.1 General
All documents identified as
necessary by the ISO and
Organization
7.5.2
Creating and
Updating
ISMS Documentation Process
Revision/Document History
to be included in all ISMS
documentation
Document distribution List
Define ISMS Documentation
process
Review ISMS
Documentation
process
Check for
Revision/Docume
nt History in ISMS
documentation
7.5.3
Control of
documented
information
List of all ISMS related
Documents (policies,
processes, procedures) and
Records (Decisions, Change
Records, Communications,
Reports, Alerts, Logs)
Data Labeling process
(distribution and access)
Data Retention & Archival
process
Adding Revision/Document
History for all ISMS
documents (Labeling,
Version control, list of
changes)
Identification and gathering of
all ISMS related documents
and records
Defining controls for
developing and maintaining
documented information –
including Revision/Document
History, labeling, distribution,
access, versioning and
changes
Review of ISMS
Documents and
Records
Review
documents
labeling,
distribution,
version and
change details
6. Clause Description Documentation Requirements Implementation Requirements Audit Requirements
8 Operation
8.1
Operational
planning and
control
Documents related to the IS
operational plans, processes,
procedures, actions
implemented
ISMS Change Register
IS Communications, logs and
reports
Third party security reports
Identification of ISMS Operational
plans and control activities
Review ISMS
operations and control
activities
8.2
IS Risk
Assessment
Risk Assessment Reports Conducting Risk Assessment
Review of periodic IS
Risk Assessment
reports
8.3 IS Risk Treatment
Risk Treatment plans, actions
and results
Implementing Risk Treatment
activities
Review of IS Risk
Treatment plans,
actions and results
9 Performance Evaluation
7. Clause Description Documentation Requirements Implementation Requirements Audit Requirements
9.1
Monitoring,
measurement,
analysis and
evaluation
Documents, logs, periodic reports
on IS Risks, Incidents and
Changes
Identifying various IS Metrics
to be monitored and
measured.
Assigning monitoring
responsibilities to the
competent staff
Review reports on
various ISMS metrics,
and measurements
9.2 Internal Audit Periodic Internal Audit Reports
Defining Internal Audit Plans and
procedures (including defining
Audit Criteria (ISO 27001),
conducting Internal Audits
periodically and reporting to
Management)
Review Internal Audit
reports and results
9.3
Management
Review
MR Meeting minutes/decision
related to ISMS.
Ensuring Management
reviews ISMS performance
periodically
Management conducting
periodic reviews on ISMS
performance, status of
previous issues, risk
assessments reports, Audits,
NCs, Corrective actions, and
feedback)
Review ISMS
performance
reviews
Review results of
MRs (Corrective
actions)
10 Improvement
8. Clause Description Documentation Requirements Implementation Requirements Audit Requirements
10.1
Nonconformity
and corrective
action
ISO 27001 ISMS NC Register
along with corrective action
details.
Developing and maintaining
an NC Register
Defining procedures for ISMS
NC corrective actions
Review ISO ISMS NC
Register and status of
corrective actions and
its results.
10.2
Continual
improvement
Periodic Risk Assessments
reports, Audit reports, MRs and
feedbacks.
Defining processes for
deriving ISMS improvements
through periodic risk
assessments, internal and
external audits, periodic MRs
and interested parties
feedback
Adding improvements to the
ISMS policies, processes and
procedures
Review ISMS continual
improvement on the
basis of risk
assessments, pervious
audits reports, MRs
and feedback.
9. The ISO 27001:2013 standard does not require the organizations to prepare a separate ISMS policy explicitly. However, the
organizations can prepare it if they want. The organizations already having both IS Policy and ISMS Policy can continue or merge into
one single IS Policy document with minor changes.
About IS vs ISMS
Information security (IS) is achieved through the implementation of an applicable set of controls. The controls are selected through the
chosen risk management process and managed using an ISMS (Information Security Management System). The ISMS includes policies,
processes, procedures, organizational structures, software and hardware to protect the identified information assets.
- According to ISO 27000:2012 ISMS Vocabulary Document
About IS Policy Vs ISMS Policy
IS Policy is the responsibility of the Board / Senior Management. ISMS Policy is the responsibility of Executive Management. The board
delegate IS responsibilities to the Management, which are achieved effective through establishing, operating, monitoring, reviewing,
maintaining and improving the ISMS.
- Explained in the PECB ISO 27001 Lead Implementer Course Material