Mandatory documentation in ISO27001

ISO/IEC 27001 formally requires just 14 types of "documented information" of every organisation competently certified conformant with the standard, as a minimum:

1. ISMS scope (Clause 4.3);
2. Information security policy (Clause 5.2);
3. Information security risk assessment procedure (Clause 6.1.2);
4. Statement of applicability (Clause 6.1.3 d);
5. Information security risk treatment procedure (Clause 6.1.3);
6. Information security objectives (Clause 6.2);
7. Personnel records (Clause 7.2);
8. ISMS operational information (Clause 8.1);
9. Risk assessment reports (Clause 8.2);
10. Risk treatment plan (Clause 8.3);
11. Security measurements (Clause 9.1);
12. ISMS internal audit programme and audit reports (Clause 9.2.2);
13. ISMS management review reports (Clause 9.3.3);
14. Records of nonconformities and corrective actions (Clause 10.1).

However, in the course of writing an ISMS implementation guideline, I have realised that #8 on the list is, strictly speaking, discretionary, not mandatory.

Clause 8.1 on "Operational planning and control" notes that "Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.", begging the question: who needs confidence? Is it referring to the organisation itself (represented by management), the certification auditors or some other stakeholder with an interest in the ISMS processes?

There are further issues with Clause 8.1. It explicitly but ambiguously refers to "the processes needed to meet requirements, and to implement the actions determined in Clause 6". Which requirements and actions does it mean, in fact? 

Annex SL of the ISO/IEC Directives Part 1 specifies the "harmonized structure" and boilerplate text for the management systems standards. Clause 6 is supposed to cover risks and opportunities to the ISMS itself. Clause 6 of ISO/IEC 27001, however, largely concerns the management of "information security risk" - an undefined term.

So, does clause 8.1 only concern information security processes (implying particular sequences of activities or steps, typically as described in procedures) or does it actually include security technologies, physical controls and other non-procedural administrative controls (such as contract clauses)?   

It's a moot point anyway. It is hard to imagine any organisation being sufficiently concerned about information risk and security to invest in a certifiable ISO27001-style information security management system, yet totally lacking any "documented information" concerning the information security controls being managed by it. 

The wording of clause 8.1 is ambiguous, a little unclear at least, which is not ideal for a formal specification, so here is my guidance:
"This requirement is necessarily vague and generic due to the enormous variety of contexts to which it applies. Essentially, management institutes whatever information security controls are necessary to reduce (or at least prevent increases in) risks to information, including management information. Proactive management ensures that the controls not only operate as planned (requiring assurance) but, in so doing, fulfil the organisation’s objectives.

ISMS processes can be supported and enabled by automation, including information systems, tools and services. Although the requirement does not explicitly refer to them, they should also be planned, implemented and controlled to achieve the information security objectives, given their close association with the ISMS processes.

Similarly, integration of the ISMS into the wider business implies the need to plan, monitor and control processes, activities and information spanning the ISMS scope boundary. For example, identifying, analysing and evaluating risks to business information requires extensive knowledge about the information, while treating the risks generally involves information security controls that are operated by or involve personnel and activities beyond the ISMS. 

There may be information risk and security aspects to the supply of processes, products, services or information to the organization by external providers, including those relating to the ISMS itself such as:

  • Threat and vulnerability information services;
  • Assurance services such as auditing and certification;
  • ISMS support systems, tools, techniques and templates;
  • Recruitment, legal and other professional services.  

The requirement for documented information in clause 8.1 is discretionary. Management determines the need for assurance that the security processes are operating effectively. A blend of documented and undocumented information can provide the necessary assurance, e.g. direct observation and management oversight of ISMS processes in operation, supplemented by records, measurements, management review reports and audit reports."