v03 8 December 2017
ISO/IEC 27001:2013 ISO 37001:2016 ISO 9001:2015 ISO/IEC 20000-1:2018
Information technology —
Security techniques —
Information security
management systems —
Requirements
Anti-bribery management systems
– Requirements with guidance for
use
Quality management systems -
Requirements
Information technology — Service management — Part 1:
Service management system requirements
1 Scope
This International Standard
specifies the requirements for
establishing, implementing,
maintaining and continually
improving an information security
management system within the
context of the organization.
This International Standard also
includes requirements for the
assessment and treatment of
information security risks tailored
to the needs of the organization.
1 Scope
This standard specifies requirements
and provides guidance for establishing,
implementing, maintaining, reviewing
and improving an anti-bribery
management system.
The system can be stand-alone or
can be integrated into an overall
management system.
This standard addresses the following
in relation to the organization's
activities:
— bribery in the public, private and
not-for-profit sectors;
— bribery by the organization;
— bribery by the organization's
personnel acting on the organization's
behalf or for its benefit;
— bribery by the organization's
business associates acting on the
organization's behalf or for its benefit;
— bribery of the organization;
— bribery of the organization's
personnel in relation to the
organization’s activities;
— bribery of the organization's
business associates in relation to the
organization’s activities;
— direct and indirect bribery (e.g. a
bribe offered or accepted through or
by a third party).
1 Scope
This International Standard specifies
requirements for a quality
management system when an
organization:
a) needs to demonstrate its
ability to consistently provide
products and services that
meet customer and applicable
statutory and regulatory
requirements, and
b) aims to enhance customer
satisfaction through the
effective application of the
system, including processes
for improvement of the
system and the assurance of
conformity to customer and
applicable statutory and
regulatory requirements.
All the requirements of this
International Standard are generic and
are intended to be applicable to any
organization, regardless of its type or
size, or the products and services it
provides.
NOTE 1 In this International Standard,
the terms “product” or “service” only
apply to products and services
intended for, or required by, a
customer.
NOTE 2 Statutory and regulatory
requirements can be expressed as
legal requirements.
1 Scope
1.1 General
This document specifies requirements for an organization to
establish, implement, maintain and continually improve a service
management system (SMS). The requirements specified in this
document include the planning, design, transition, delivery and
improvement of services to meet the service requirements and
deliver value. This document can be used by:
a) a customer seeking services and requiring assurance regarding
the quality of those services;
b) a customer requiring a consistent approach to the service lifecycle
by all its service providers,
including those in a supply chain;
c) an organization to demonstrate its capability for the planning,
design, transition, delivery and improvement of services;
d) an organization to monitor, measure and review its SMS and the
services;
e) an organization to improve the planning, design, transition,
delivery and improvement of services through effective
implementation and operation of an SMS;
f) an organization or other party performing conformity assessments
against the requirements specified in this document;
g) a provider of training or advice in service management.
The term “service” as used in this document refers to the service or
services in the scope of the SMS.
The term “organization” as used in this document refers to the
organization in the scope of the SMS that manages and delivers
services to customers. The organization in the scope of the SMS can
be part of a larger organization, for example, a department of a large
corporation. An organization or part of an organization that manages
and delivers a service or services to internal or external customers
can also be known as a service provider. Any use of the terms
“service” or “organization” with a different intent is distinguished
clearly in this document.
1.2 Application
This standard is applicable only to
bribery. It sets out requirements and
provides guidance for a management
system designed to help an
organization to prevent, detect and
respond to bribery and comply with
anti-bribery laws and voluntary
commitments applicable to its
activities.
This standard does not specifically
address fraud, cartels and other anti-
trust/competition offences, money-
laundering or other activities
related to corrupt practices, although
an organization can choose to extend
the scope of the management system
to include such activities.
All requirements specified in this document are generic and are
intended to be applicable to all organizations, regardless of the
organization’s type or size, or the nature of the services delivered.
Exclusion of any of the requirements in Clauses 4 to 10 is not
acceptable when the organization claims conformity to this
document, irrespective of the nature of the organization.
Conformity to the requirements specified in this document can be
demonstrated by the organization itself showing evidence of meeting
those requirements.
The organization itself demonstrates conformity to Clauses 4 and 5.
However, the organization can be supported by other parties. For
example, another party can conduct internal audits on behalf of the
organization or support the preparation of the SMS.
Alternatively, the organization can show evidence of retaining
accountability for the requirements specified in this document and
demonstrating control when other parties are involved in meeting
the requirements in Clauses 6 to 10 (see 8.2.3). For example, the
organization can demonstrate evidence of controls for another party
who is providing infrastructure service components or operating the
service desk including the incident management process.
The organization cannot demonstrate conformity to the
requirements specified in this document if other parties are used to
provide or operate all services, service components or processes
within the scope of the SMS.
The requirements set out in this
International Standard are
generic and are intended to be
applicable to all organizations,
regardless of type, size or nature.
Excluding any of the requirements
specified in Clauses 4 to 10 is not
acceptable when an organization
claims conformity to this
International Standard.
The requirements of this standard
are generic and are intended to be
applicable to all organizations (or parts
of an organization), regardless of type,
size and nature of activity, and
whether in the public, private or
not-for-profit sectors. The extent of
application of these requirements
depends on the factors specified in
4.1, 4.2 and 4.5.
NOTE 1 See Clause A.2 for guidance.
NOTE 2 The measures necessary to
prevent, detect and mitigate the risk of
bribery by the organization can be
different from the measures used to
prevent, detect and respond to bribery
of the organization (or its personnel or
The scope of this document excludes the specification for products or
tools. However, this document can be used to help the development or
acquisition of products or tools that support the operation of an SMS.
business associates acting on the
organization's behalf). See A.8.4 for
guidance.
2 Normative references
The following documents, in
whole or in part, are normatively
referenced in this document and
are indispensable for its
application. For dated references,
only the edition cited applies. For
undated references, the latest
edition of the referenced
document (including any
amendments) applies.
ISO/IEC 27000, Information
technology — Security
techniques — Information
security management systems —
Overview and vocabulary
2 Normative references
There are no normative references in
this standard.
2 Normative references
The following documents, in whole or
in part, are normatively referenced in
this document and are
indispensable for its application. For
dated references, only the edition
cited applies. For undated
references, the latest edition of the
referenced document (including any
amendments) applies.
ISO 9000:2015, Quality management
systems — Fundamentals and
vocabulary
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this
document, the terms and
definitions given in ISO/IEC 27000
apply.
3 Terms and definitions
For the purposes of this standard, the
following terms and definitions apply.
ISO and IEC maintain terminological
databases for use in standardization at
the following addresses:
— ISO Online browsing platform:
available at http://www.iso.org/obp
— IEC Electropedia: available at
http://www.electropedia.org/
3.1 bribery
offering, promising, giving,
accepting or
soliciting of an undue advantage of any
value (which could be financial or non-
financial), directly or indirectly, and
3 Terms and definitions
For the purposes of this document, the
terms and definitions given in ISO
9000:2015 apply.
2 Terms and definitions
For the purposes of this document, the following terms and
definitions apply.
ISO and IEC maintain terminological databases for use in
standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at
https://www.iso.org/obp
3.1 Terms specific to management system standards
3.1.1 audit
systematic, independent and documented process (3.1.18) for
obtaining audit evidence and evaluating it objectively to determine
the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an
external audit (second party or third party), and it can be a combined
audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization
(3.1.14) itself, or by an external party on its behalf.
irrespective of location(s), in violation
of applicable law, as an inducement or
reward for a person acting or
refraining from acting in relation to the
performance (3.16) of that person's
duties
NOTE 1 to entry: The above is a
generic definition. The meaning of the
term “bribery” is as defined by the
anti-bribery law applicable to the
organization (3.2) and by the anti-
bribery management system (3.5)
designed by the organization.
3.2 organization
person or group of people that has its
own functions with responsibilities,
authorities and relationships to
achieve its objectives (3.11)
NOTE 1 to entry: The concept of
organization includes, but is not
limited to sole-trader, company,
corporation, firm, enterprise,
authority, partnership, charity or
institution, or part or combination
thereof, whether incorporated or not,
public or private.
NOTE 2 to entry: For organizations
with more than one operating unit,
one or more of the operating units
can be defined as an organization.
3.3
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can
affect, be affected by, or perceive
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in
ISO 19011.
3.1.2
competence
ability to apply knowledge and skills to achieve intended results
3.1.3
conformity
fulfilment of a requirement (3.1.19)
Note 1 to entry: Conformity relates to requirements in this document
as well as the organization’s SMS requirements.
Note 2 to entry: The original Annex SL definition has been modified
by adding Note 1 to entry.
3.1.4
continual improvement
recurring activity to enhance performance (3.1.16)
3.1.5
corrective action
action to eliminate the cause or reduce the likelihood of recurrence
of a detected nonconformity (3.1.12) or other undesirable situation
Note 1 to entry: The original Annex SL definition has been changed
by adding text to the original “action to eliminate the cause of a
nonconformity and to prevent recurrence”.
3.1.6
documented information
information required to be controlled and maintained by an
organization (3.1.14) and the medium on which it is contained
EXAMPLE Policies (3.1.17), plans, process descriptions, procedures
(3.2.11), service level agreements (3.2.20) or contracts.
Note 1 to entry: Documented information can be in any format and
media and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.1.9), including related processes
(3.1.18);
— information created in order for the organization to operate
(documentation);
— evidence of results achieved (records (3.2.12)).
Note 3 to entry: The original Annex SL definition has been modified
by adding examples.
3.1.7
effectiveness
extent to which planned activities are realized and planned results
itself to be affected by a decision or
activity
NOTE 1 to entry: A stakeholder can
be internal or external to the
organization
3.4 requirement
need that is stated and obligatory
NOTE 1 to entry: The core definition of
“requirement” in ISO management
system standards is “need or
expectation that is stated, generally
implied or obligatory”. “Generally
implied requirements” are not
applicable in the context of anti-
bribery management.
NOTE 2 to entry: “Generally
implied” means that it is custom or
common practice for the organization
and interested parties that the need or
expectation under consideration is
implied.
NOTE 3 to entry: A specified
requirement is one that is stated, for
example in documented information.
3.5
management system
set of interrelated or interacting
elements of an organization (3.2) to
establish policies (3.10) and objectives
(3.11) and processes (3.15) to achieve
those objectives
NOTE 1 to entry: A management
system can address a single discipline
or several disciplines.
achieved
3.1.8
interested party
person or organization (3.1.14) that can affect, be affected by, or
perceive itself to be affected by a decision or activity related to the
SMS (3.2.23) or the services (3.2.15)
Note 1 to entry: An interested party can be internal or external to the
organization.
Note 2 to entry: Interested parties can include parts of the
organization outside the scope of the SMS, customers
(3.2.3), users (3.2.28), community, external suppliers (3.2.4),
regulators, public sector bodies, nongovernment organizations,
investors or employees.
Note 3 to entry: Where interested parties are specified in the
requirements (3.1.19) of this document, the interested parties can
differ depending on the context of the requirement.
Note 4 to entry: The original Annex SL definition has been modified
by deleting the admitted term “stakeholder”, adding “related to the
SMS or the services” to the definition and by adding Notes 1, 2 and 3
to entry.
3.1.9
management system
set of interrelated or interacting elements of an organization (3.1.14)
to establish policies (3.1.17) and objectives (3.1.13) and processes
(3.1.18) to achieve those objectives
Note 1 to entry: A management system can address a single
discipline or several disciplines.
Note 2 to entry: The management system elements include the
organization’s structure, roles and responsibilities, planning,
operation, policies, objectives, plans, processes and procedures
(3.2.11).
Note 3 to entry: The scope of a management system may include the
whole of the organization, specific and identified functions of the
organization, specific and identified sections of the organization, or
one or more functions across a group of organizations.
Note 4 to entry: The original Annex SL definition has been modified
by clarifying that the system is a management
system and listing further elements in Note 2 to entry.
3.1.10
measurement
process (3.1.18) to determine a value
3.1.11
NOTE 2 to entry: The management
system elements include the
organization’s structure, roles and
responsibilities, planning and
operation.
NOTE 3 to entry: The scope of a
management system may include the
whole of the organization, specific and
identified functions of the
organization, specific and identified
sections of the organization, or one or
more functions across a group of
organizations.
[abridged]
monitoring
determining the status of a system, a process (3.1.18) or an activity
Note 1 to entry: To determine the status there may be a need to
check, supervise or critically observe.
3.1.12
nonconformity
non-fulfilment of a requirement (3.1.19)
Note 1 to entry: Nonconformity relates to requirements in this
document as well as the organization’s SMS
requirements.
3.1.13
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines [such as
financial, health and safety, service management (3.2.22) and
environmental goals] and can apply at different levels [such as
strategic, organizationwide, service (3.2.15), project, product and
process (3.1.18)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as
an intended outcome, a purpose, an operational criterion, as a
service management objective or by the use of other words with
similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of an SMS (3.2.23), service
management objectives are set by the organization,
consistent with the service management policy (3.1.17), to achieve
specific results.
Note 5 to entry: The original Annex SL definition has been modified
by adding “service management” and “service” to Note 2 to entry.
3.1.14
organization
person or group of people that has its own functions with
responsibilities, authorities and relationships to achieve its objectives
(3.1.13)
Note 1 to entry: The concept of organization includes, but is not
limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or
combination thereof, whether incorporated or not, public or private.
Note 2 to entry: An organization or part of an organization that
manages and delivers a service (3.2.15) or
services to internal or external customers (3.2.3) can be known as a
service provider (3.2.24).
Note 3 to entry: If the scope of the SMS (3.2.23) covers only part of an
organization, then organization, when used in this document, refers
to the part of the organization that is within the scope of the SMS.
Any use of the term organization with a different intent is
distinguished clearly.
Note 4 to entry: The original Annex SL definition has been modified
by adding Notes 2 and 3 to entry.
3.1.15
outsource, verb
make an arrangement where an external organization (3.1.14)
performs part of an organization’s function or process (3.1.18)
Note 1 to entry: An external organization is outside the scope of the
SMS (3.2.23), although the outsourced
function or process, is within the scope.
3.1.16
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or
qualitative findings.
Note 2 to entry: Performance can relate to the management of
activities, processes (3.1.18), products, services (3.2.15), systems or
organizations (3.1.14).
Note 3 to entry: The original Annex SL definition has been modified
by adding “services” to Note 2 to entry.
3.1.17
policy
intentions and direction of an organization (3.1.14) as formally
expressed by its top management (3.1.21)
3.1.18
process
set of interrelated or interacting activities that use inputs to deliver
an intended result
Note 1 to entry: Whether the “intended result” of a process is called
output, product or service (3.2.15) depends on the context of the
reference.
Note 2 to entry: Inputs to a process are generally the outputs of other
processes and outputs of a process are generally the inputs to other
processes.
Note 3 to entry: Two or more interrelated and interacting processes
in series can also be referred to as a process.
Note 4 to entry: Processes in an organization (3.1.14) are generally
planned and carried out under controlled conditions to add value.
Note 5 to entry: The original Annex SL definition has been changed
from “set of interrelated or interacting activities which transforms
inputs into outputs”. The original Annex SL definition has also been
modified by adding Notes 1 to 4 to entry. The revised definition and
Notes 1 to 4 to entry are sourced from ISO 9000:2015, 3.4.1.
3.1.19
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or
common practice for the organization (3.1.14) and interested parties
(3.1.8) that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for
example, in documented information (3.1.6).
Note 3 to entry: In the context of an SMS (3.2.23), service
requirements (3.2.26) are documented and agreed rather than
generally implied. There can also be other requirements such as legal
and regulatory requirements.
Note 4 to entry: The original Annex SL definition has been modified
by adding Note 3 to entry.
3.1.20
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive
or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of
information related to understanding or knowledge of, an event, its
consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential
events (as defined in ISO Guide 73:2009, 3.5.1.3) and consequences
(as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of
the consequences of an event (including changes in circumstances)
and the associated likelihood (as defined in ISO Guide 73:2009,
3.6.1.1) of occurrence.
3.1.21
top management
person or group of people who directs and controls an organization
(3.1.14) at the highest level
Note 1 to entry: Top management has the power to delegate
authority and provide resources within the organization.
Note 2 to entry: If the scope of the management system (3.1.9) covers
only part of an organization then top management refers to those
who direct and control that part of the organization.
3.2 Terms specific to service management
3.2.1
asset
item, thing or entity that has potential or actual value to an
organization (3.1.14)
Note 1 to entry: Value can be tangible or intangible, financial or non-
financial, and includes consideration of risks (3.1.20) and liabilities. It
can be positive or negative at different stages of the asset life.
Note 2 to entry: Physical assets usually refer to equipment, inventory
and properties owned by the organization.
Physical assets are the opposite of intangible assets, which are non-
physical assets such as leases, brands, digital assets, use rights,
licences, intellectual property rights, reputation or agreements.
Note 3 to entry: A grouping of assets referred to as an asset system
could also be considered as an asset.
Note 4 to entry: An asset can also be a configuration item (3.2.2).
Some configuration items are not assets.
[SOURCE: ISO/IEC 19770-5:2015, 3.2, modified — Note 4 to entry
contains new content.]
3.2.2
configuration item
CI
element that needs to be controlled in order to deliver a service
(3.2.15) or services
3.2.3
customer
organization (3.1.14) or part of an organization that receives a
service (3.2.15) or services
EXAMPLE Consumer, client, beneficiary, sponsor, purchaser.
Note 1 to entry: A customer can be internal or external to the
organization delivering the service or services.
Note 2 to entry: A customer can also be a user (3.2.28). A customer
can also act as a supplier.
3.2.4
external supplier
another party that is external to the organization that enters into a
contract to contribute to the planning, design, transition (3.2.27),
delivery or improvement of a service (3.2.15), service component
(3.2.18) or process (3.1.18)
Note 1 to entry: External suppliers include designated lead suppliers
but not their sub-contracted suppliers.
Note 2 to entry: If the organization in the scope of the SMS is part of a
larger organization, the other party is external to the larger
organization.
3.2.5
incident
unplanned interruption to a service (3.2.15), a reduction in the
quality of a service or an event that has
not yet impacted the service to the customer (3.2.3) or user (3.2.28)
3.2.6
information security
preservation of confidentiality, integrity and availability of
information
Note 1 to entry: In addition, other properties such as authenticity,
accountability, non-repudiation and reliability can also be involved.
[SOURCE: ISO/IEC 27000:2018, 3.28]
3.2.7
information security incident
single or a series of unwanted or unexpected information security
(3.2.6) events that have a significant probability of compromising
business operations and threatening information security
[SOURCE: ISO/IEC 27000:2018, 3.31]
3.2.8
internal supplier
part of a larger organization (3.1.14) that is outside the scope of the
SMS (3.2.23) that enters into a documented agreement to contribute
to the planning, design, transition (3.2.27), delivery or improvement
of a service (3.2.15), service component (3.2.18) or process (3.1.18)
EXAMPLE Procurement, infrastructure, finance, human resources,
facilities.
Note 1 to entry: The internal supplier and the organization in the
scope of the SMS are both part of the same
larger organization.
3.2.9
known error
problem (3.2.10) that has an identified root cause or a method of
reducing or eliminating its impact on a service (3.2.15)
3.2.10
problem
cause of one or more actual or potential incidents (3.2.5)
3.2.11
procedure
specified way to carry out an activity or a process (3.1.18)
Note 1 to entry: Procedures can be documented or not.
[SOURCE: ISO 9000:2015, 3.4.5]
3.2.12
record, noun
document stating results achieved or providing evidence of activities
performed
EXAMPLE Audit (3.1.1) reports, incident (3.2.5) details, list of
training delegates, minutes of meetings.
Note 1 to entry: Records can be used, for example, to formalize
traceability and to provide evidence of verification,
preventive action and corrective action (3.1.5).
Note 2 to entry: Generally, records need not be under revision
control.
[SOURCE: ISO 9000:2015, 3.8.10, modified — EXAMPLE has been
added.]
3.2.13
release, noun
collection of one or more new or changed services (3.2.15) or service
components (3.2.18) deployed into the live environment as a result of
one or more changes
3.2.14
request for change
proposal for a change to be made to a service (3.2.15), service
component (3.2.18) or the SMS (3.2.23)
Note 1 to entry: A change to a service includes the provision of a new
service, transfer of a service or the removal
of a service that is no longer required.
3.2.15
service
means of delivering value for the customer (3.2.3) by facilitating
outcomes the customer wants to achieve
Note 1 to entry: Service is generally intangible.
Note 2 to entry: The term service as used in this document means the
service or services in the scope of the SMS (3.2.23). Any use of the
term service with a different intent is distinguished clearly.
3.2.16
service availability
ability of a service (3.2.15) or service component (3.2.18) to perform
its required function at an agreed time or over an agreed period of
time
Note 1 to entry: Service availability can be expressed as a ratio or
percentage of the time that the service or service component is
actually available for use compared to the agreed time.
3.2.17
service catalogue
documented information about services that an organization
provides to its customers
3.2.18
service component
part of a service (3.2.15) that when combined with other elements
will deliver a complete service
EXAMPLE Infrastructure, applications, documentation, licences,
information, resources, supporting services.
Note 1 to entry: A service component can include configuration items
(3.2.2), assets (3.2.1) or other elements.
3.2.19
service continuity
capability to deliver a service (3.2.15) without interruption, or with
consistent availability as agreed
Note 1 to entry: Service continuity management can be a subset of
business continuity management. ISO 22301 is a management
system standard for business continuity management.
3.2.20
service level agreement
SLA
documented agreement between the organization (3.1.14) and the
customer (3.2.3) that identifies services (3.2.15) and their agreed
performance
Note 1 to entry: A service level agreement can also be established
between the organization and an external
supplier (3.2.4), an internal supplier (3.2.8) or a customer acting as a
supplier.
Note 2 to entry: A service level agreement can be included in a
contract or another type of documented agreement.
3.2.21
service level target
specific measurable characteristic of a service (3.2.15) that an
organization (3.1.14) commits to
3.2.22
service management
set of capabilities and processes (3.1.18) to direct and control the
organization’s (3.1.14) activities and resources for the planning,
design, transition (3.2.27), delivery and improvement of services
(3.2.15) to deliver value (3.2.29)
Note 1 to entry: This document provides a set of requirements that
are split into clauses and sub-clauses. Each organization can choose
how to combine the requirements into processes. The sub-clauses
can be used to define the processes of the organization’s SMS.
3.2.23
service management system
SMS
management system (3.1.9) to direct and control the service
management (3.2.22) activities of the organization (3.1.14)
Note 1 to entry: An SMS includes service management policies
(3.1.17), objectives (3.1.13), plans, processes (3.1.18), documented
information and resources required for the planning, design,
transition (3.2.27), delivery and improvement of services to meet the
requirements (3.1.19) specified in this document.
3.2.24
service provider
organization (3.1.14) that manages and delivers a service (3.2.15) or
services to customers (3.2.3)
3.2.25
service request
request for information, advice, access to a service (3.2.15) or a pre-
approved change
3.2.26
service requirement
needs of customers (3.2.3), users (3.2.28) and the organization
(3.1.14) related to the services (3.2.15) and the SMS (3.2.23) that are
stated or obligatory
Note 1 to entry: In the context of an SMS (3.2.23), service
requirements are documented and agreed rather than generally
implied. There can also be other requirements such as legal and
regulatory requirements.
3.2.27
transition
activities involved in moving a new or changed service (3.2.15) to or
from the live environment
3.2.28
user
individual or group that interacts with or benefits from a service
(3.2.15) or services
Note 1 to entry: Examples of users include a person or community of
people. A customer (3.2.3) can also be a user.
3.2.29
value
importance, benefit or usefulness
EXAMPLE Monetary value, achieving service outcomes, achieving
service management (3.2.22) objectives (3.1.13), customer retention,
removal of constraints.
Note 1 to entry: The creation of value from services (3.2.15) includes
realizing benefits at an optimal resource level while managing risk
(3.1.20). An asset (3.2.1) and a service (3.2.15) are examples that can
be assigned a value.
4 Context of the organization
4.1 Understanding the
organization and its context
The organization shall determine
external and internal issues that
are relevant to its purpose and
that affect its ability to achieve
the intended outcome(s) of its
information security management
system.
NOTE Determining these issues
refers to establishing the external
and internal context of the
organization considered in Clause
5.3 of ISO 31000:2009[5].
4 Context of the organization
4.1 Understanding the organization
and its context
The organization shall determine
external and internal issues that are
relevant to its purpose and that affect
its ability to achieve the objectives of
its anti-bribery management system.
These issues will include, without
limitation, the following factors:
a) the size, structure and
delegated decision-making
authority of the organization;
b) the locations and sectors in
which the organization
operates or anticipates
operating;
c) the nature, scale and
complexity of the
organization's activities and
operations;
d) the organization’s business
model;
e) the entities over which the
organization has control and
entities which exercise
control over the organization;
4 Context of the organization
4.1 Understanding the organization
and its context
The organization shall determine
external and internal issues that are
relevant to its purpose and its strategic
direction and that affect its ability to
achieve the intended result(s) of its
quality management system.
The organization shall monitor and
review information about these
external and internal issues.
NOTE 1 Issues can include positive and
negative factors or conditions for
consideration.
NOTE 2 Understanding the external
context can be facilitated by
considering issues arising from legal,
technological, competitive, market,
cultural, social and economic
environments, whether international,
national, regional or local.
NOTE 3 Understanding the internal
context can be facilitated by
considering issues related to values,
culture, knowledge and performance
of the organization.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are
relevant to its purpose and that affect its ability to achieve the intended
outcome(s) of its SMS.
NOTE The word “issue” in this context can be factors which have a
positive or negative impact. These are important factors for the
organization in the context of its ability to deliver services of an agreed
quality to its customers.
a) the organization's business
associates;
b) the nature and extent of
interactions with public
officials;
c) applicable statutory,
regulatory, contractual and
professional obligations and
duties.
NOTE An organization has control over
another organization if it directly or
indirectly controls the management of
the organization (see A.13.1.3).
4.2 Understanding the needs and
expectations of interested
parties
The organization shall determine:
a) interested parties that are
relevant to the information
security management system;
and
b) the requirements of these
interested parties relevant to
information security.
NOTE The requirements of
interested parties may include
legal and regulatory requirements
and contractual obligations.
4.2 Understanding the needs and
expectations of stakeholders
The organization shall determine:
a) the stakeholders that are
relevant to the anti-bribery
management system;
b) the relevant requirements of
these stakeholders.
NOTE In identifying the requirements
of stakeholders, an organization can
distinguish between mandatory
requirements and the non-mandatory
expectations of, and voluntary
commitments to, stakeholders.
4.2 Understanding the needs and
expectations of interested parties
Due to their effect or potential effect
on the organization’s ability to
consistently provide products and
services that meet customer and
applicable statutory and regulatory
requirements, the organization shall
determine:
a) the interested parties that are
relevant to the quality management
system;
b) the requirements of these
interested parties that are relevant to
the quality management system.
The organization shall monitor and
review information about these
interested parties and their relevant
requirements.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) the interested parties that are relevant to the SMS and the services;
b) the relevant requirements of these interested parties.
NOTE The requirements of interested parties can include service,
performance, legal and regulatory requirements and contractual
obligations that relate to the SMS and the services.
4.3 Determining the scope of the
information security
management system
The organization shall determine
the boundaries and applicability
4.3 Determining the scope of the anti-bribery management system
The organization shall determine the
boundaries and applicability of the
4.3 Determining the scope of the
quality management system
The organization shall determine the
boundaries and applicability of the
4.3 Determining the scope of the service management system
The organization shall determine the boundaries and applicability of the
SMS to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
of the information security
management system to establish
its scope.
When determining this scope, the
organization shall consider:
a) the external and internal issues
referred to in 4.1;
b) the requirements referred to in
4.2; and
c) interfaces and dependencies
between activities performed by
the organization, and those that
are performed by other
organizations.
The scope shall be available as
documented information.
anti-bribery management system to
establish its scope.
When determining this scope, the
organization shall consider:
a) the external and internal issues
referred to in 4.1;
b) the requirements referred to in 4.2;
c) the results of the bribery risk
assessment referred to in 4.5.
The scope shall be available as
documented information.
NOTE See Clause A.2 for guidance.
quality management system to
establish its scope.
When determining this scope, the
organization shall consider:
a) the external and internal issues
referred to in 4.1;
b) the requirements of relevant
interested parties referred to in 4.2;
c) the products and services of the
organization.
The organization shall apply all the
requirements of this International
Standard if they are applicable
within the determined scope of its
quality management system.
The scope of the organization’s quality
management system shall be available
and be maintained as documented
information. The scope shall state the
types of products and services
covered, and provide justification for
any requirement of this International
Standard that the organization
determines is not applicable to the
scope of its quality management
system.
Conformity to this International
Standard may only be claimed if the
requirements determined as not being
applicable do not affect the
organization’s ability or responsibility
to ensure the conformity of its
products and services and the
enhancement of customer satisfaction.
b) the requirements referred to in 4.2;
c) the services delivered by the organization.
The definition of the scope of the SMS shall include the services in scope
and the name of the organization managing and delivering the services.
The scope of the SMS shall be available and be maintained as
documented information.
NOTE 1 ISO/IEC 20000-3 provides guidance on scope definition.
NOTE 2 The SMS scope definition states the services which are in scope.
This can be all or some of the services delivered by the organization.
4.4 Information security
management system
4.4 Anti-bribery management system
4.4 Quality management system and
its processes
4.4 Service management system
The organization shall establish,
implement, maintain and
continually improve an
information security management
system, in accordance with the
requirements of this International
Standard.
The organization shall establish,
document, implement, maintain and
continually review and, where
necessary, improve an anti-bribery
management system, including the
processes needed and their
interactions, in accordance with the
requirements of this standard.
The anti-bribery management system
shall contain measures designed to
identify and evaluate the risk of, and
to prevent, detect and respond to,
bribery.
NOTE 1 It is not possible to completely
eliminate the risk of bribery, and no
anti-bribery management system will
be capable of preventing and detecting
all bribery.
The anti-bribery management system
shall be reasonable and proportionate,
taking into account the factors
referred to in 4.3.
NOTE 2 See Clause A.3 for guidance.
4.4.1 The organization shall establish,
implement, maintain and continually
improve a quality management
system, including the processes
needed and their interactions, in
accordance with the requirements of
this International Standard.
The organization shall determine the
processes needed for the quality
management system and their
application throughout the
organization, and shall:
a) determine the inputs required and
the outputs expected from these
processes;
b) determine the sequence and
interaction of these processes;
c) determine and apply the criteria and
methods (including monitoring,
measurements and related
performance indicators) needed to
ensure the effective operation and
control of these processes;
d) determine the resources needed for
these processes and ensure their
availability;
e) assign the responsibilities and
authorities for these processes;
f) address the risks and opportunities
as determined in accordance with the
requirements of 6.1;
g) evaluate these processes and
implement any changes needed to
ensure that these processes achieve
their intended results;
h) improve the processes and the
quality management system.
4.4.2 To the extent necessary, the
organization shall:
a) maintain documented information
The organization shall establish, implement, maintain and continually
improve an SMS, including the processes needed and their interactions,
in accordance with the requirements of this document.
to support the operation of its
processes;
b) retain documented information to
have confidence that the processes are
being carried out as planned.
4.5 Bribery risk assessment
4.5.1 The organization shall undertake
regular bribery risk assessment(s)
which shall:
a) identify the bribery risks the
organization might reasonably
anticipate given the factors listed in
4.1;
b) analyse, assess and prioritize
the identified bribery risks;
c) evaluate the suitability and
effectiveness of the organization's
existing controls to mitigate the
assessed bribery risks.
4.5.2 The organization shall establish
criteria for evaluating its level of
bribery risk, which shall take into
account the organization's policies and
objectives.
4.5.3 The bribery risk assessment shall
be reviewed:
a) on a regular basis so that changes
and new information can be properly
assessed based on timing and
frequency defined by the organization;
b) in the event of a significant change
to the structure or activities of the
organization.
4.5.4 The organization shall retain
documented information that
demonstrates that the bribery risk
assessment has been conducted and
used to design or improve the anti-bribery management system.
NOTE See Clause A.4 for guidance.
5 Leadership
5.1 Leadership and commitment
Top management shall
demonstrate leadership and
commitment with respect to the
information security management
system by:
a) ensuring the information
security policy and the
information security objectives
are established and are
compatible with the strategic
direction of the organization;
b) ensuring the integration of the
information security management
system requirements into the
organization's processes;
c) ensuring that the resources
needed for the information
security management system are
available;
d) communicating the importance
of effective information security
management and of conforming
to the information security
management system
requirements;
e) ensuring that the information
security management system
achieves its intended outcome(s);
f) directing and supporting
persons to contribute to the
5 Leadership
5.1 Leadership and commitment
5.1.1 Governing body
When the organization has a governing
body, that body shall demonstrate
leadership and commitment with
respect to the anti-bribery
management system by:
a) approving the organization’s anti-bribery policy;
b) ensuring that the organization’s
strategy and anti-bribery policy are
aligned;
c) at planned intervals receiving and
reviewing information about the
content and operation of the
organization’s anti-bribery
management system;
d) requiring that adequate and
appropriate resources needed for
effective operation of the anti-bribery
management system are allocated and
assigned;
e) exercising reasonable oversight over
the implementation of the
organization’s anti-bribery
management system by top
management and its effectiveness.
These activities shall be carried out by
top management if the organization
does not have a governing body.
5 Leadership
5.1 Leadership and commitment
5.1.1 General
Top management shall demonstrate
leadership and commitment with
respect to the quality management
system by:
a) taking accountability for the
effectiveness of the quality
management system;
b) ensuring that the quality policy and
quality objectives are established for
the quality management
system and are compatible with the
context and strategic direction of the
organization;
c) ensuring the integration of the
quality management system
requirements into the organization’s
business processes;
d) promoting the use of the process
approach and risk-based thinking;
e) ensuring that the resources needed
for the quality management system
are available;
f) communicating the importance of
effective quality management and of
conforming to the quality
management system requirements;
g) ensuring that the quality
management system achieves its
intended results;
h) engaging, directing and supporting
persons to contribute to the
effectiveness of the quality
5 Leadership
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with
respect to the SMS by:
a) ensuring that the service management policy and service
management objectives are established and are compatible with the
strategic direction of the organization;
b) ensuring that the service management plan is created, implemented
and maintained in order to support the service management policy, and
the achievement of the service management objectives and service
requirements;
c) ensuring that appropriate levels of authority are assigned for making
decisions related to the SMS and the services;
d) ensuring that what constitutes value for the organization and its
customers is determined;
e) ensuring there is control of other parties involved in the service
lifecycle;
f) ensuring the integration of the SMS requirements into the
organization’s business processes;
g) ensuring that the resources needed for the SMS and the services are
available;
h) communicating the importance of effective service management,
achieving the service management objectives, delivering value and
conforming to the SMS requirements;
i) ensuring that the SMS achieves its intended outcome(s);
j) directing and supporting persons to contribute to the effectiveness of
the SMS and the services;
k) promoting continual improvement of the SMS and the services;
l) supporting other relevant management roles to demonstrate their
leadership as it applies to their areas of responsibility.
NOTE Reference to “business” in this document can be interpreted
broadly to mean those activities that are core to the purposes of the
organization’s existence.
effectiveness of the information
security management system;
g) promoting continual
improvement; and
h) supporting other relevant
management roles to
demonstrate their leadership as it
applies to their areas of
responsibility.
management system;
i) promoting improvement;
j) supporting other relevant
management roles to demonstrate
their leadership as it applies to their
areas of responsibility.
NOTE Reference to “business” in this
International Standard can be
interpreted broadly to mean those
activities that are core to the purposes
of the organization’s existence,
whether the organization is public,
private, for profit or not for profit.
5.1.2 Top management
Top management shall demonstrate
leadership and commitment with
respect to the anti-bribery
management system by:
a) ensuring that the anti-bribery
management system, including policy
and objectives, is established,
implemented, maintained and
reviewed to adequately address the
organization's bribery risks;
b) ensuring the integration of the anti-bribery management system
requirements into the organization’s
processes;
c) deploying adequate and
appropriate resources for the
effective operation of the anti-bribery
management system;
d) communicating internally and
externally regarding the anti-bribery
policy;
e) communicating internally the
importance of effective anti-bribery
management and of conforming to
5.1.2 Customer focus
Top management shall demonstrate
leadership and commitment with
respect to customer focus by ensuring
that:
a) customer and applicable statutory
and regulatory requirements are
determined, understood and
consistently met;
b) the risks and opportunities that can
affect conformity of products and
services and the ability to enhance
customer satisfaction are determined
and addressed;
c) the focus on enhancing customer
satisfaction is maintained.
the anti-bribery management system
requirements;
f) ensuring that the anti-bribery
management system is appropriately
designed to achieve its objectives;
g) directing and supporting
personnel to contribute to the
effectiveness of the anti-bribery
management system;
h) promoting an appropriate anti-bribery culture within the
organization;
i) promoting continual improvement;
j) supporting other relevant
management roles to demonstrate
their leadership in preventing and
detecting bribery as it applies to their
areas of responsibility;
k) encouraging the use of reporting
procedures for suspected and actual
bribery (see 8.9);
l) ensuring that no personnel will
suffer retaliation, discrimination or
disciplinary action (see 7.2.2.1 d)) for
reports made in good faith or on the
basis of a reasonable belief of violation
or suspected violation of the
organization’s anti-bribery policy, or
for refusing to engage in bribery, even
if such refusal can result in the
organization losing business (except
where the individual participated in
the violation);
m) at planned intervals, reporting to
the governing body (if any) on the
content and operation of the
anti-bribery management system and
of allegations of serious or systematic
bribery.
NOTE See Clause A.5 for guidance.
5.2 Policy
Top management shall establish
an information security policy
that:
a) is appropriate to the purpose
of the organization;
b) includes information security
objectives (see 6.4) or provides
the framework for setting
information security objectives;
c) includes a commitment to
satisfy applicable requirements
related to information security;
and
d) includes a commitment to
continual improvement of the
information security management
system.
The information security policy shall:
e) be available as documented
information;
f) be communicated within the
organization; and
g) be available to interested
parties, as appropriate.
5.2 Anti-bribery policy
Top management shall establish,
maintain and review an anti-bribery
policy that:
a) prohibits bribery;
b) requires compliance with anti-
bribery laws that are applicable to the
organization;
c) is appropriate to the purpose of
the organization;
d) provides a framework for setting,
reviewing and achieving anti-bribery
objectives;
e) includes a commitment to satisfy
anti-bribery management system
requirements;
f) encourages raising concerns in good
faith or on the basis of a reasonable
belief in confidence without fear of
reprisal;
g) includes a commitment to continual
improvement of the anti-bribery
management system;
h) explains the authority and
independence of the anti-bribery
compliance function;
i) explains the consequences of not
complying with the anti-bribery policy.
The anti-bribery policy shall:
— be available as documented
information;
— be communicated in appropriate
languages within the organization and
5.2 Policy
5.2.1 Developing the quality policy
Top management shall establish,
implement and maintain a quality
policy that:
a) is appropriate to the purpose and
context of the organization and
supports its strategic direction;
b) provides a framework for setting
quality objectives;
c) includes a commitment to satisfy
applicable requirements;
d) includes a commitment to continual
improvement of the quality
management system.
5.2.2 Communicating the quality
policy
The quality policy shall:
a) be available and be maintained as
documented information;
b) be communicated, understood and
applied within the organization;
c) be available to relevant interested
parties, as appropriate.
5.2 Policy
5.2.1 Establishing the service management policy
Top management shall establish a service management policy that:
a) is appropriate to the purpose of the organization;
b) provides a framework for setting service management objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continual improvement of the SMS and the
services.
5.2.2 Communicating the service management policy
The service management policy shall:
a) be available as documented information;
b) be communicated within the organization;
c) be available to interested parties, as appropriate.
to business associates who pose more
than a low risk of bribery;
— be available to relevant
stakeholders, as appropriate.
5.3 Organizational roles,
responsibilities and authorities
Top management shall ensure
that the responsibilities and
authorities for roles relevant to
information security are assigned
and communicated.
Top management shall assign the
responsibility and authority for:
a) ensuring that the information
security management system
conforms to the requirements of
this International Standard; and
b) reporting on the performance
of the information security
management system to top
management.
NOTE Top management may
also assign responsibilities and
authorities for reporting
performance of the information
security management system
within the organization.
5.3 Organizational roles,
responsibilities and authorities
5.3.1 Roles and responsibilities
Top management shall have overall
responsibility for the implementation
of, and compliance with, the anti-bribery management system, as
described in 5.1.2.
Top management shall ensure that the
responsibilities and authorities for
relevant roles are assigned and
communicated within and throughout
every level of the organization.
Managers at every level shall be
responsible for requiring that the
anti-bribery management system
requirements are applied and
complied with in their department or
function.
The governing body (if any), top
management and all other personnel
shall be responsible for
understanding, complying with and
applying the anti-bribery management
system requirements, as they relate to
their role in the organization.
5.3 Organizational roles,
responsibilities and authorities
Top management shall ensure that the
responsibilities and authorities for
relevant roles are assigned,
communicated and understood within
the organization.
Top management shall assign the
responsibility and authority for:
a) ensuring that the quality
management system conforms to the
requirements of this International
Standard;
b) ensuring that the processes are
delivering their intended outputs;
c) reporting on the performance of the
quality management system and on
opportunities for
improvement (see 10.1), in particular
to top management;
d) ensuring the promotion of customer
focus throughout the organization;
e) ensuring that the integrity of the
quality management system is
maintained when changes to the
quality management system are
planned and implemented.
5.3 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities
for roles relevant to the SMS and the services are assigned and
communicated within the organization.
Top management shall assign the responsibility and authority for:
a) ensuring that the SMS conforms to the requirements of this
document;
b) reporting on the performance of the SMS and the services to top
management.
5.3.2 Anti-bribery compliance
function
Top management shall assign to an
anti-bribery compliance function the
responsibility and authority for:
a) overseeing the design and
implementation by the organization of
the anti-bribery management system;
b) providing advice and guidance
to personnel on the anti-bribery
management system and issues
relating to bribery;
c) ensuring that the anti-bribery
management system conforms to the
requirements of this standard;
d) reporting on the performance of the
anti-bribery management system to
the governing body (if any) and top
management and other compliance
functions, as appropriate.
The anti-bribery compliance function
shall be adequately resourced and
assigned to person(s) who have the
appropriate competence, status,
authority and independence.
The anti-bribery compliance function
shall have direct and prompt access to
the governing body (if any) and top
management in the event that any
issue or concern needs to be raised in
relation to bribery or the anti-bribery
management system.
Top management can assign some or
all of the anti-bribery compliance
function to persons external to the
organization. If it does, top
management shall ensure that specific
personnel have responsibility for,
and authority over, those externally
assigned parts of the function.
NOTE See Clause A.6 for guidance.
5.3.3 Delegated decision-making
Where top management delegates to
personnel the authority for the making
of decisions in relation to which there
is more than a low risk of bribery, the
organization shall establish and
maintain a decision-making process or
set of controls which requires that the
decision process and the level of
authority of the decision-maker(s) are
appropriate and free of actual or
potential conflicts of interest. Top
management shall ensure that these
processes are reviewed periodically as
part of its role and responsibility for
implementation of, and compliance
with, the anti-bribery management
system outlined in 5.3.1.
NOTE Delegation of decision-making
will not exempt top management or
the governing body (if any) of their
duties and responsibilities as described
in 5.1.1, 5.1.2 and 5.3.1, nor does it
necessarily transfer to the delegated
personnel potential legal
responsibilities.
5.4 Control of parties involved in the service lifecycle
6 Planning
6.1 Actions to address risks and
opportunities
6.1.1 General
When planning for the
information security management
system, the organization shall
consider the issues referred to in
4.1 and the requirements referred
6 Planning
6.1 Actions to address risks and
opportunities
When planning for the anti-bribery
management system, the organization
shall consider the issues referred to in
4.1, the requirements referred to in
4.2, the risks identified in 4.5, and
6 Planning
6.1 Actions to address risks and
opportunities
6.1.1 When planning for the quality
management system, the organization
shall consider the issues referred to in
4.1 and the requirements referred to
in 4.2 and determine the risks and
opportunities that need to be
6 Planning
6.1 Actions to address risks and opportunities
6.1.1
When planning for the SMS, the organization shall consider the issues
referred to in 4.1 and the requirements referred to in 4.2 and determine
the risks and opportunities that need to be addressed to:
a) give assurance that the SMS can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement of the SMS and the services.
to in 4.2 and determine the risks
and opportunities that need to be
addressed to:
a) ensure the information security
management system can achieve
its intended outcome(s);
b) prevent, or reduce, undesired
effects; and
c) achieve continual
improvement.
The organization shall plan:
d) actions to address these risks
and opportunities; and
e) how to
1) integrate and
implement the actions
into its information
security management
system processes; and
2) evaluate the
effectiveness of these
actions.
6.1.2 Information security risk
assessment
The organization shall define and
apply an information security risk
assessment process that:
a) establishes and maintains
information security risk criteria
that include:
1) the risk acceptance
criteria; and
2) criteria for performing
information security risk
assessments;
opportunities for improvement that
need to be addressed to:
a) give reasonable assurance that the
anti-bribery management system can
achieve its objectives;
b) prevent, or reduce, undesired
effects relevant to the anti-bribery
policy and objectives;
c) monitor the effectiveness of the
anti-bribery management system;
d) achieve continual improvement.
The organization shall plan:
— actions to address these bribery
risks and opportunities for
improvement;
— how to:
— integrate and implement these
actions into its anti-bribery
management system processes;
— evaluate the effectiveness of these
actions.
addressed to:
a) give assurance that the quality
management system can achieve its
intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired
effects;
d) achieve improvement.
6.1.2 The organization shall plan:
a) actions to address these risks and
opportunities;
b) how to:
1) integrate and implement the actions
into its quality management system
processes (see 4.4);
2) evaluate the effectiveness of these
actions.
Actions taken to address risks and
opportunities shall be proportionate to
the potential impact on the
conformity of products and services.
NOTE 1 Options to address risks can
include avoiding risk, taking risk in
order to pursue an opportunity,
eliminating the risk source, changing
the likelihood or consequences,
sharing the risk, or retaining risk by
informed decision.
NOTE 2 Opportunities can lead to the
adoption of new practices, launching
new products, opening new markets,
addressing new clients, building
partnerships, using new technology
and other desirable and viable
possibilities to address the
organization’s or its customers’ needs.
6.1.2.
The organization shall determine and document:
a) risks related to:
1) the organization;
2) not meeting the service requirements;
3) the involvement of other parties in the service lifecycle;
b) the impact on customers of risks and opportunities for the SMS and
the services;
c) risk acceptance criteria;
d) approach to be taken for the management of risks.
6.1.3 The organization shall plan:
a) actions to address these risks and opportunities and their priorities;
b) how to:
1) integrate and implement the actions into its SMS processes;
2) evaluate the effectiveness of these actions.
NOTE 1 Options to address risks and opportunities can include: avoiding
the risk, taking or increasing the risk in order to pursue an opportunity,
removing the risk source, changing the likelihood or consequence of the
risk, mitigating the risk through agreed actions, sharing the risk with
another party or accepting the risk by informed decision.
NOTE 2 ISO 31000 provides principles and generic guidance on risk
management.
b) ensures that repeated
information security risk
assessments produce
consistent, valid and
comparable results;
c) identifies the information
security risks:
1) apply the information
security risk assessment
process to identify risks
associated with the loss
of confidentiality,
integrity and availability
for information within
the scope of the
information security
management system;
and
2) identify the risk owners;
d) analyses the information
security risks:
1) assess the potential
consequences that
would result if the risks
identified in 6.1.2 c) 1)
were to materialize;
2) assess the realistic
likelihood of the
occurrence of the risks
identified in 6.1.2 c) 1);
and
3) determine the levels of
risk;
e) evaluates the information
security risks:
1) compare the results of
risk analysis with the risk
criteria established in
6.1.2 a); and
2) prioritize the analysed
risks for risk treatment.
The organization shall retain
documented information about
the information security risk
assessment process.
6.1.3 Information security risk
treatment
The organization shall define and
apply an information security risk
treatment process to:
a) select appropriate information
security risk treatment options,
taking account of the risk
assessment results;
b) determine all controls that are
necessary to implement the
information security risk
treatment option(s) chosen;
NOTE Organizations can design
controls as required, or identify
them from any source.
c) compare the controls
determined in 6.1.3 b) above with
those in Annex A and verify that
no necessary controls have been
omitted;
NOTE 1 Annex A contains a
comprehensive list of control
objectives and controls. Users of
this International Standard are
directed to Annex A to ensure
that no necessary controls are
overlooked.
NOTE 2 Control objectives are
implicitly included in the controls
chosen. The control objectives
and controls listed in Annex A are
not exhaustive and additional
control objectives and controls
may be needed.
d) produce a Statement of
Applicability that contains the
necessary controls (see 6.1.3 b)
and c)) and justification for
inclusions, whether they are
implemented or not, and the
justification for exclusions of
controls from Annex A;
e) formulate an information
security risk treatment plan; and
f) obtain risk owners' approval of
the information security risk
treatment plan and acceptance of
the residual information security
risks.
The organization shall retain
documented information about
the information security risk
treatment process.
NOTE The information security
risk assessment and treatment
process in this International
Standard aligns with the
principles and generic guidelines
provided in ISO 31000 [5].
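Worked example (added here for illustration; it is not text from ISO/IEC 27001 or from any of the other standards in this table). The Python script below walks through 6.1.2 c) to e) and 6.1.3 a) to f): risks are identified per asset and security property with a named risk owner, analysed on fixed consequence and likelihood scales so that repeated runs give consistent and comparable results (6.1.2 b)), compared against a risk acceptance criterion and prioritised; treatments are then checked against Annex A to surface the two kinds of Statement of Applicability gap (a control used that is not in Annex A and needs its source stated, and an Annex A control not used that needs an exclusion justification), and each residual risk must be accepted by its risk owner. The scales, the acceptance level, the assets and the treatments are constructed assumptions; the six Annex A identifiers are real controls from ISO/IEC 27001:2013 Annex A but are only a subset of it.

```python
"""Risk assessment and treatment walk-through for ISO/IEC 27001:2013 6.1.2-6.1.3.

Added illustration, not the standard's text. Scales, acceptance level, assets,
treatments and the Annex A subset are assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# 6.1.2 a) 2): assumed ordinal scales. The standard requires criteria for
# performing assessments; it does not prescribe this (or any) matrix.
CONSEQUENCE: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD: Dict[str, int] = {"rare": 1, "possible": 2, "likely": 3}

# 6.1.2 a) 1): assumed risk acceptance criterion; level = consequence x likelihood.
ACCEPTABLE_LEVEL = 3

# Illustrative subset of ISO/IEC 27001:2013 Annex A (real identifiers, not the full list).
ANNEX_A_SUBSET: Dict[str, str] = {
    "A.9.2.1": "User registration and de-registration",
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.4.1": "Event logging",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.13.1.1": "Network controls",
}


@dataclass
class Risk:
    risk_id: str
    asset: str
    security_property: str  # confidentiality / integrity / availability, 6.1.2 c) 1)
    owner: str              # risk owner, 6.1.2 c) 2)
    consequence: str        # key into CONSEQUENCE, 6.1.2 d) 1)
    likelihood: str         # key into LIKELIHOOD, 6.1.2 d) 2)

    def level(self) -> int:
        """6.1.2 d) 3): deterministic level, so repeated assessments are comparable (6.1.2 b))."""
        return CONSEQUENCE[self.consequence] * LIKELIHOOD[self.likelihood]


@dataclass
class Treatment:
    risk_id: str
    option: str             # modify / retain / avoid / share, 6.1.3 a)
    controls: List[str]     # necessary controls from any source, 6.1.3 b)
    residual_level: int     # expected level after the controls are applied
    owner_approved: bool    # risk owner accepted the residual risk, 6.1.3 f)


def evaluate(risks: List[Risk]) -> List[Risk]:
    """6.1.2 e): keep risks above the acceptance criterion, highest level first.
    The tie-break on risk_id keeps the ordering stable between runs."""
    above = [r for r in risks if r.level() > ACCEPTABLE_LEVEL]
    return sorted(above, key=lambda r: (-r.level(), r.risk_id))


def soa_gaps(treatments: List[Treatment],
             annex_a: Dict[str, str] = ANNEX_A_SUBSET) -> Tuple[List[str], List[str]]:
    """6.1.3 c)/d): controls used that are outside Annex A (their source must be stated)
    and Annex A controls not used (each needs a justified exclusion in the SoA)."""
    used = {c for t in treatments for c in t.controls}
    not_in_annex = sorted(used - set(annex_a))
    excluded = sorted(set(annex_a) - used)
    return not_in_annex, excluded


def treatment_plan_problems(risks: List[Risk], treatments: List[Treatment]) -> List[str]:
    """6.1.3 e)/f): every prioritised risk needs a treatment whose residual level meets
    the acceptance criterion and which the risk owner has approved."""
    by_id = {t.risk_id: t for t in treatments}
    problems = []
    for r in evaluate(risks):
        t = by_id.get(r.risk_id)
        if t is None:
            problems.append(f"{r.risk_id}: no treatment")
        elif t.residual_level > ACCEPTABLE_LEVEL:
            problems.append(f"{r.risk_id}: residual {t.residual_level} > {ACCEPTABLE_LEVEL}")
        elif not t.owner_approved:
            problems.append(f"{r.risk_id}: residual risk not accepted by {r.owner}")
    return problems


# Constructed sample register (assets, owners and ratings are invented for the example).
RISKS = [
    Risk("R1", "customer database", "confidentiality", "dba-lead", "high", "possible"),   # 6
    Risk("R2", "build server", "integrity", "platform-lead", "high", "likely"),         # 9
    Risk("R3", "public website", "availability", "web-lead", "low", "rare"),            # 1
    Risk("R4", "VPN gateway", "confidentiality", "net-lead", "medium", "possible"),      # 4
]

# Constructed treatments. "SUPPLIER-1" stands for a control taken from a source other
# than Annex A, which 6.1.3 b) allows but the SoA must then account for.
TREATMENTS = [
    Treatment("R2", "modify", ["A.12.6.1", "A.12.4.1"], residual_level=2, owner_approved=True),
    Treatment("R1", "modify", ["A.10.1.1", "A.9.2.1"], residual_level=3, owner_approved=True),
    Treatment("R4", "modify", ["A.13.1.1", "SUPPLIER-1"], residual_level=2, owner_approved=False),
]

if __name__ == "__main__":
    for r in evaluate(RISKS):
        print(f"{r.risk_id} {r.asset} ({r.security_property}) level={r.level()} owner={r.owner}")
    print("SoA: outside Annex A / Annex A not used:", soa_gaps(TREATMENTS))
    print("Treatment plan problems:", treatment_plan_problems(RISKS, TREATMENTS))
```

Run as a script the register prioritises R2, R1 and R4 (R3 is below the acceptance level and is retained by informed decision), the SoA check reports SUPPLIER-1 as a control needing a stated source and A.9.4.2 as an Annex A control needing an exclusion justification, and the plan check flags that the net-lead has not yet accepted the residual risk on R4. The point of keeping the scales and the acceptance level as named constants is 6.1.2 b): changing them changes every level at once, so an assessment repeated next quarter is comparable with this one.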
6.2 Information security
objectives and planning to
achieve them
6.2 Anti-bribery objectives and
planning to achieve them
The organization shall establish anti-
bribery management system
6.2 Quality objectives and planning to
achieve them
6.2.1 The organization shall establish
quality objectives at relevant
functions, levels and processes needed
6.2 Service management objectives and planning to achieve them
6.2.1 Establish objectives
The organization shall establish service management objectives at
relevant functions and levels. The service management objectives shall:
The organization shall establish
information security objectives at
relevant functions and levels.
The information security
objectives shall:
a) be consistent with the
information security policy;
b) be measurable (if practicable);
c) take into account applicable
information security
requirements, and results from
risk assessment and risk
treatment;
d) be communicated; and
e) be updated as appropriate.
The organization shall retain
documented information on the
information security objectives.
When planning how to achieve its
information security objectives,
the organization shall determine:
f) what will be done;
g) what resources will be
required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be
evaluated.
objectives at relevant functions and
levels.
The anti-bribery management system
objectives shall:
a) be consistent with the anti-bribery
policy;
b) be measurable (if practicable);
c) take into account applicable factors
referred to in 4.1, the requirements
referred to in 4.2 and the bribery risks
identified in 4.5;
d) be achievable;
e) be monitored;
f) be communicated in accordance
with 7.4;
g) be updated as appropriate.
The organization shall retain
documented information on the anti-
bribery management system
objectives.
When planning how to achieve its
anti- bribery management system
objectives, the organization shall
determine:
— what will be done;
— what resources will be required;
— who will be responsible;
— when the objectives will be
achieved;
— how the results will be evaluated
and reported;
— who will impose sanctions or penalties.
for the quality management system.
The quality objectives shall:
a) be consistent with the quality
policy;
b) be measurable;
c) take into account applicable
requirements;
d) be relevant to conformity of
products and services and to
enhancement of customer satisfaction;
e) be monitored;
f) be communicated;
g) be updated as appropriate.
The organization shall maintain
documented information on the
quality objectives.
6.2.2 When planning how to achieve
its quality objectives, the organization
shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed;
e) how the results will be evaluated.
a) be consistent with the service management policy;
b) be measurable;
c) take into account applicable requirements;
d) be monitored;
e) be communicated;
f) be updated as appropriate.
The organization shall retain documented information on the service
management objectives.
6.2.2 Plan to achieve objectives
When planning how to achieve its service management objectives, the
organization shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed;
e) how the results will be evaluated.
6.3 Planning of changes
When the organization determines the
need for changes to the quality
management system, the changes
6.3 Plan the service management system
The organization shall create, implement and maintain a service
management plan. Planning shall take into consideration the service
management policy, service management objectives, risks and
shall be carried out in a planned
manner (see 4.4).
The organization shall consider:
a) the purpose of the changes and
their potential consequences;
b) the integrity of the quality
management system;
c) the availability of resources;
d) the allocation or reallocation of
responsibilities and authorities.
opportunities, service requirements and requirements specified in this
document.
The service management plan shall include or contain a reference to:
a) list of services;
b) known limitations that can impact the SMS and the services;
c) obligations such as relevant policies, standards, legal, regulatory and
contractual requirements, and how these obligations apply to the SMS
and the services;
d) authorities and responsibilities for the SMS and the services;
e) human, technical, information and financial resources necessary to
operate the SMS and the services;
f) approach to be taken for working with other parties involved in the
service lifecycle;
g) technology used to support the SMS;
h) how the effectiveness of the SMS and the services will be measured,
audited, reported and improved.
Other planning activities shall maintain alignment with the service
management plan.
7 Support
7.1 Resources
The organization shall determine
and provide the resources needed
for the establishment,
implementation, maintenance
and continual improvement of
the information security
management system.
7 Support
7.1 Resources
The organization shall determine and
provide the resources needed for the
establishment, implementation,
maintenance and continual
improvement of the anti-bribery
management system.
NOTE See Clause A.7 for guidance.
7 Support
7.1 Resources
7.1.1 General
The organization shall determine and
provide the resources needed for the
establishment,
implementation, maintenance and
continual improvement of the quality
management system.
The organization shall consider:
a) the capabilities of, and constraints
on, existing internal resources;
b) what needs to be obtained from
external providers.
7.1.2 People
The organization shall determine and
provide the persons necessary for the
effective implementation of
its quality management system and for
the operation and control of its
processes.
7 Support of the service management system
7.1 Resources
The organization shall determine and provide the human, technical,
information and financial resources needed for the establishment,
implementation, maintenance and continual improvement of the SMS
and the operation of the services to meet the service requirements and
achieve the service management objectives.
7.1.3 Infrastructure
The organization shall determine,
provide and maintain the
infrastructure necessary for the
operation of its processes and to
achieve conformity of products and
services.
NOTE Infrastructure can include:
a) buildings and associated utilities;
b) equipment, including hardware and
software;
c) transportation resources;
d) information and communication
technology.
7.1.4 Environment for the operation
of processes
The organization shall determine,
provide and maintain the environment
necessary for the operation of its
processes and to achieve conformity of
products and services.
NOTE A suitable environment can be a
combination of human and physical
factors, such as:
a) social (e.g. non-discriminatory, calm,
non-confrontational);
b) psychological (e.g. stress-reducing,
burnout prevention, emotionally
protective);
c) physical (e.g. temperature, heat,
humidity, light, airflow, hygiene,
noise).
These factors can differ substantially
depending on the products and
services provided.
7.1.5 Monitoring and measuring
resources
7.1.5.1 General
The organization shall determine and
provide the resources needed to
ensure valid and reliable results when
monitoring or measuring is used to
verify the conformity of products and
services to requirements.
The organization shall ensure that the
resources provided:
a) are suitable for the specific type of
monitoring and measurement
activities being undertaken;
b) are maintained to ensure their
continuing fitness for their purpose.
The organization shall retain
appropriate documented information
as evidence of fitness for purpose of
the monitoring and measurement
resources.
7.1.5.2 Measurement traceability
When measurement traceability is a
requirement, or is considered by the
organization to be an essential part of
providing confidence in the validity of
measurement results, measuring
equipment shall be:
a) calibrated or verified, or both, at
specified intervals, or prior to use,
against measurement standards
traceable to international or national
measurement standards; when no
such standards exist, the basis used for
calibration or verification shall be
retained as documented information;
b) identified in order to determine
their status;
c) safeguarded from adjustments,
damage or deterioration that would
invalidate the calibration status and
subsequent measurement results.
The organization shall determine if the
validity of previous measurement
results has been adversely affected
when measuring equipment is found
to be unfit for its intended purpose,
and shall take appropriate action as
necessary.
7.1.6 Organizational knowledge
The organization shall determine the
knowledge necessary for the operation
of its processes and to achieve
conformity of products and services.
This knowledge shall be maintained
and be made available to the extent
necessary.
When addressing changing needs and
trends, the organization shall consider
its current knowledge and determine
how to acquire or access any
necessary additional knowledge and
required updates.
NOTE 1 Organizational knowledge is
knowledge specific to the
organization; it is gained by
experience. It is information that is
used and shared to achieve the
organization’s objectives.
NOTE 2 Organizational knowledge can
be based on:
a) internal sources (e.g. intellectual
property; knowledge gained from
experience; lessons learned from
failures and successful projects;
capturing and sharing undocumented
knowledge and experience; the results of
improvements in processes, products
and services);
b) external sources (e.g. standards;
academia; conferences; gathering
knowledge from customers or external
providers).
7.2 Competence
The organization shall:
a) determine the necessary
competence of person(s) doing
work under its control that affects
its information security
performance;
b) ensure that these persons are
competent on the basis of
appropriate education, training,
or experience;
c) where applicable, take actions
to acquire the necessary
competence, and evaluate the
effectiveness of the actions taken;
and
d) retain appropriate documented
information as evidence of
competence.
NOTE Applicable actions may
include, for example: the
provision of training to, the
mentoring of, or the re-
assignment of current employees;
or the hiring or contracting of
competent persons.
7.2 Competence
7.2.1 General
The organization shall:
a) determine the necessary
competence of person(s) doing work
under its control that affects its anti-
bribery performance;
b) ensure that these persons are
competent on the basis of appropriate
education, training, or experience;
c) where applicable, take actions to
acquire and maintain the necessary
competence, and evaluate the
effectiveness of the actions taken;
d) retain appropriate documented
information as evidence of
competence.
NOTE Applicable actions can include,
for example, the provision of training
to, the coaching of, or the re-
assignment of personnel or business
associates; or the hiring or contracting
of the same.
7.2 Competence
The organization shall:
a) determine the necessary
competence of person(s) doing work
under its control that affects the
performance and effectiveness of the
quality management system;
b) ensure that these persons are
competent on the basis of appropriate
education, training, or experience;
c) where applicable, take actions to
acquire the necessary competence,
and evaluate the effectiveness of the
actions taken;
d) retain appropriate documented
information as evidence of
competence.
NOTE Applicable actions can include,
for example, the provision of training
to, the mentoring of, or the
reassignment of currently employed
persons; or the hiring or contracting of
competent persons.
7.2 Competence
The organization shall:
a) determine the necessary competence of persons doing work under its
control that affects the performance and effectiveness of the SMS and
the services;
b) ensure that these persons are competent on the basis of appropriate
education, training or experience;
c) where applicable, take actions to acquire the necessary competence
and evaluate the effectiveness of the actions taken;
d) retain appropriate documented information as evidence of
competence.
NOTE Applicable actions can include, for example: the provision of
training to, the mentoring of, or the reassignment of currently
employed persons; or the hiring or contracting of competent persons.
7.2.2 Employment process
7.2.2.1 In relation to all of its
personnel, the organization shall
implement procedures such that:
a) conditions of employment require
personnel to comply with the anti-
bribery policy and anti-bribery
management system, and give the
organization the right to discipline
personnel in the event of non-
compliance;
b) within a reasonable period of their
employment commencing, personnel
receive a copy of, or are provided with
access to, the anti-bribery policy and
training in relation to that policy;
c) the organization has procedures
which enable it to take appropriate
disciplinary action against personnel
who violate the anti-bribery policy or
anti-bribery management system; and
d) personnel will not suffer retaliation,
discrimination or disciplinary action
(e.g. by threats, isolation, demotion,
preventing advancement, transfer,
dismissal, bullying, victimization, or
other forms of harassment) for:
1) refusing to participate in, or for
turning down, any activity in respect of
which they have reasonably judged
there to be a more than low risk of
bribery which has not been mitigated
by the organization; or
2) concerns raised or reports made
in good faith, or on the basis of a
reasonable belief, of attempted, actual
or suspected bribery or violation of the
anti-bribery policy or the anti-bribery
management system (except where
the individual participated in the
violation).
7.2.2.2 In relation to all positions
which are exposed to more than a low
bribery risk as determined in the
bribery risk assessment (see 4.5), and
to the anti-bribery compliance
function the organization shall
implement procedures which provide
that:
a) due diligence (see 8.2) is conducted
on persons before they are employed,
and on personnel before they are
transferred or promoted by the
organization, to ascertain as far as is
reasonable that it is appropriate to
employ or redeploy them and that it is
reasonable to believe that they will
comply with the anti-bribery policy
and anti-bribery management system
requirements;
b) performance bonuses, performance
targets and other incentivizing
elements of remuneration are
reviewed periodically to verify that
there are reasonable safeguards in
place to prevent them from
encouraging bribery;
c) such personnel, top management,
and the governing body (if any), file a
declaration at reasonable intervals
proportionate with the identified
bribery risk, confirming their
compliance with the anti-bribery
policy.
NOTE 1 The anti-bribery compliance
declaration can stand alone or be a
component of a broader compliance
declaration process.
NOTE 2 See Clause A.8 for guidance.
7.3 Awareness
Persons doing work under the
organization's control shall be
aware of:
a) the information security policy;
b) their contribution to the
effectiveness of the information
security management system,
including the benefits of
improved information security
performance; and
c) the implications of not
conforming with the information
security management system
requirements.
7.3 Awareness and training
The organization shall provide
adequate and appropriate anti-bribery
awareness and training to personnel.
Such training shall address the
following issues, as appropriate, taking
into account the results of the bribery
risk assessment (see 4.5):
a) the organization’s anti-bribery
policy, procedures and anti-bribery
management system, and their duty to
comply;
b) the bribery risk and the damage to
them and the organization which
can result from bribery;
c) the circumstances in which bribery
can occur in relation to their duties,
and how to recognize these
circumstances;
d) how to recognize and respond to
solicitations or offers of bribes;
e) how they can help prevent and
avoid bribery and recognize key
bribery risk indicators;
f) their contribution to the
effectiveness of the anti-bribery
management system, including the
benefits of improved anti-bribery
performance and of reporting
suspected bribery;
g) the implications and potential
consequences of not conforming with
the anti-bribery management
system requirements;
h) how and to whom they are able to
report any concerns (see 8.9);
i) information on available training
and resources.
Personnel shall be provided with anti-
bribery awareness and training on a
7.3 Awareness
The organization shall ensure that
persons doing work under the
organization’s control are aware of:
a) the quality policy;
b) relevant quality objectives;
c) their contribution to the
effectiveness of the quality
management system, including the
benefits of improved performance;
d) the implications of not conforming
with the quality management system
requirements.
7.3 Awareness
Persons doing work under the organization’s control shall be aware of:
a) the service management policy;
b) the service management objectives;
c) the services relevant to their work;
d) their contribution to the effectiveness of the SMS, including the
benefits of improved performance;
e) the implications of not conforming with the SMS requirements.
regular basis (at planned intervals
determined by the organization), as
appropriate to their roles, the risks of
bribery to which they are exposed,
and any changing circumstances. The
awareness and training programmes
shall be periodically updated as
necessary to reflect relevant new
information.
Taking into account the bribery risks
identified (see 4.5), the organization
shall also implement procedures
addressing anti-bribery awareness and
training for business associates acting
on its behalf or for its benefit, and
which could pose more than a low
bribery risk to the organization. These
procedures shall identify the business
associates for which such awareness
and training is necessary, its content,
and the means by which the training
shall be provided.
The organization shall retain
documented information on the
training procedures, the content of
the training, and when and to
whom it was provided.
NOTE 1 The awareness and training
requirements for business associates
can be communicated through
contractual or similar requirements,
and be implemented by the
organization, the business associate or
by other parties appointed for that
purpose.
NOTE 2 See Clause A.9 for guidance.
7.4 Communication 7.4 Communication 7.4 Communication 7.4 Communication
The organization shall determine
the need for internal and external
communications relevant to the
information security management
system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which
communication shall be effected.
7.4.1 The organization shall determine
the internal and external
communications relevant to the anti-
bribery management system including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who will communicate;
f) the languages in which to
communicate
The organization shall determine the
internal and external communications
relevant to the quality management
system, including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who communicates.
The organization shall determine the internal and external
communications relevant to the SMS and
the services including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who will be responsible for the communication.
7.4.2 The anti-bribery policy shall be
made available to all the organization’s
personnel and business associates, be
communicated directly to both
personnel and business associates who
pose more than a low risk of bribery,
and shall be published through the
organization’s internal and external
communication channels, as
appropriate.
7.5 Documented information
7.5.1 General
The organization's information
security management system
shall include:
a) documented information
required by this International
Standard; and
b) documented information
determined by the organization
as being necessary for the
effectiveness of the information
security management system.
NOTE The extent of documented
information for an information
security management system can
7.5 Documented Information
7.5.1 General
The organization’s anti-bribery
management system shall include:
a) documented information required
by this standard;
b) documented information
determined by the organization as
being necessary for the effectiveness
of the anti-bribery management
system.
NOTE 1 The extent of documented
information for an anti-bribery
management system can differ from
one organization to another due to:
7.5 Documented information
7.5.1 General
The organization’s quality
management system shall include:
a) documented information required
by this International Standard;
b) documented information
determined by the organization as
being necessary for the effectiveness
of the quality management system.
NOTE The extent of documented
information for a quality management
system can differ from one
organization to another due to:
— the size of organization and its type
of activities, processes, products and
services;
7.5 Documented information
7.5.1 General
The organization’s SMS shall include:
a) documented information required by this document;
b) documented information determined by the organization as being
necessary for the effectiveness of the SMS.
NOTE The extent of documented information for an SMS can differ from
one organization to another due to:
— the size of organization and its type of activities, processes, products
and services;
— the complexity of processes, services and their interfaces;
— the competence of persons.
differ from one organization to
another due to:
1) the size of organization
and its type of activities,
processes, products and
services;
2) the complexity of
processes and their
interactions; and
3) the competence of
persons.
— the size of organization and its type
of activities, processes, products and
services;
— the complexity of processes and
their interactions;
— the competence of personnel.
NOTE 2 Documented information can
be retained separately as part of the
anti-bribery management system, or
can be retained as part of other
management systems (e.g.
compliance, financial, commercial,
audit).
NOTE 3 See Clause A.17 for guidance.
— the complexity of processes and
their interactions;
— the competence of persons.
7.5.2 Creating and updating
When creating and updating
documented information the
organization shall ensure
appropriate:
a) identification and description
(e.g. a title, date, author, or
reference number);
b) format (e.g. language, software
version, graphics) and media (e.g.
paper, electronic); and
c) review and approval for
suitability and adequacy.
7.5.2 Creating and updating
When creating and updating
documented information the
organization shall ensure appropriate:
a) identification and description (e.g. a
title, date, author, or reference
number);
b) format (e.g. language, software
version, graphics) and media (e.g.
paper, electronic);
c) review and approval for suitability
and adequacy.
7.5.2 Creating and updating
When creating and updating
documented information, the
organization shall ensure appropriate:
a) identification and description (e.g. a
title, date, author, or reference
number);
b) format (e.g. language, software
version, graphics) and media (e.g.
paper, electronic);
c) review and approval for suitability
and adequacy.
7.5.2 Creating and updating documented information
When creating and updating documented information, the organization
shall ensure appropriate:
a) identification and description (e.g. a title, date, author or reference
number);
b) format (e.g. language, software version, graphics) and media (e.g.
paper, electronic);
c) review and approval for suitability and adequacy.
7.5.3 Control of documented
information
Documented information
required by the information
security management system and
by this International Standard
shall be controlled to ensure:
7.5.3 Control of documented
information
Documented information required by
the anti-bribery management system
and by this standard shall be
controlled to ensure:
a) it is available and suitable for use,
where and when it is needed;
7.5.3 Control of documented
information
7.5.3.1 Documented information
required by the quality management
system and by this International
Standard shall be controlled to ensure:
a) it is available and suitable for use,
where and when it is needed;
7.5.3 Control of documented information
7.5.3.1 Documented information required by the SMS and by this
document shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper
use or loss of integrity).
7.5.3.2 For the control of documented information, the organization
shall address the following activities, as applicable:
a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
a) it is available and suitable for
use, where and when it is needed;
and
b) it is adequately protected (e.g.
from loss of confidentiality,
improper use, or loss of integrity).
For the control of documented
information, the organization
shall address the following
activities,
as applicable:
c) distribution, access, retrieval
and use;
d) storage and preservation,
including the preservation of
legibility;
e) control of changes (e.g. version
control); and
f ) retention and disposition.
Documented information of
external origin, determined by
the organization to be
necessary for the planning and
operation of the information
security management system,
shall be identified as appropriate,
and controlled.
NOTE Access implies a decision
regarding the permission to view
the documented information
only, or the permission and
authority to view and change the
documented information, etc.
b) it is adequately protected (e.g. from
loss of confidentiality, improper use,
or loss of integrity).
For the control of documented
information, the organization shall
address the following activities, as
applicable:
— distribution, access, retrieval and
use;
— storage and preservation, including
preservation of legibility;
— control of changes (e.g. version
control);
— retention and disposition.
Documented information of external
origin determined by the organization
to be necessary for the planning and
operation of the anti-bribery
management system shall be
identified as appropriate, and
controlled.
NOTE Access can imply a decision
regarding the permission to view the
documented information only, or the
permission and authority to view and
change the documented information.
b) it is adequately protected (e.g. from
loss of confidentiality, improper use,
or loss of integrity).
7.5.3.2 For the control of documented
information, the organization shall
address the following activities, as
applicable:
a) distribution, access, retrieval and
use;
b) storage and preservation, including
preservation of legibility;
c) control of changes (e.g. version
control);
d) retention and disposition.
Documented information of external
origin determined by the organization
to be necessary for the planning and
operation of the quality management
system shall be identified as
appropriate, and be controlled.
Documented information retained as
evidence of conformity shall be
protected from unintended
alterations.
NOTE Access can imply a decision
regarding the permission to view the
documented information only, or the
permission and authority to view and
change the documented information.
c) control of changes (e.g. version control);
d) retention and disposition.
Documented information of external origin determined by the
organization to be necessary for the planning and operation of the SMS
shall be identified as appropriate and controlled.
NOTE Access can imply a decision regarding the permission to view the
documented information only, or the permission and authority to view
and change the documented information.
7.5.4 Service management system documented information
The documented information for the SMS shall include:
a) scope of the SMS;
b) policy and objectives for service management;
c) service management plan;
d) change management policy, information security policy and service
continuity plan(s);
e) processes of the organization’s SMS;
f) service requirements;
g) service catalogue(s);
h) service level agreement(s) (SLA);
i) contracts with external suppliers;
j) agreements with internal suppliers or customers acting as a supplier;
k) procedures that are required by this document;
l) records required to demonstrate evidence of conformity to the
requirements of this document and the organization’s SMS.
NOTE Clause 7.5.4 provides a list of the key documents for an SMS.
There are other specified requirements in this document for information
to be held as documented information, to be documented or to be
recorded.
ISO/IEC 20000-2 provides additional guidance.
7.6 Knowledge
The organization shall determine and maintain the knowledge necessary
to support the operation of the SMS and the services.
The knowledge shall be relevant, usable and available to appropriate
persons.