For those geeks who just want to know what ISO27001 is all about in a nutshell.
ISO/IEC 27001 was completely rewritten and re-issued in September 2013.
Certification auditors will almost certainly check that these fifteen types of documentation are (a) present, and (b) fit for purpose.
The following mandatory documentation is explicitly required for certification:
- ISMS scope (as per clause 4.3)
- Information security policy (clause 5.2)
- Information risk assessment process (clause 6.1.2)
- Information risk treatment process (clause 6.1.3)
- Information security objectives (clause 6.2)
- Evidence of the competence of the people working in information security (clause 7.2)
- Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b)
- Operational planning and control documents (clause 8.1)
- The results of the [information] risk assessments (clause 8.2)
- The decisions regarding [information] risk treatment (clause 8.3)
- Evidence of the monitoring and measurement of information security (clause 9.1)
- The ISMS internal audit program and the results of audits conducted (clause 9.2)
- Evidence of top management reviews of the ISMS (clause 9.3)
- Evidence of nonconformities identified and corrective actions arising (clause 10.1)
- Various others:Annex A mentions but does not fully specify further documentation including the rules for
- acceptable use of assets,
- access control policy,
- operating procedures,
- confidentiality or non-disclosure agreements,
- secure system engineering principles,
- information security policy for supplier relationships,
- information security incident response procedures,
- relevant laws,
- regulations and contractual obligations plus the associated compliance procedures and information security continuity procedures.
