Mandatory vs discretionary ISMS documentation

Although ISO/IEC 27001 strictly requires only fourteen (14) types of ISMS documentation, that is barely a start. Both mandatory and discretionary documents are essential.

ISO/IEC 27001 clause 4.4 states:

“The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.”

Documentation (termed 'documented information' in the standard; see clause 7.5) is generally the best way for management to inform workers about their information security responsibilities, e.g. through written policies, procedures/work instructions and job/role descriptions, accompanied by awareness and training materials such as guidelines and briefings. In addition, many security-related processes generate 'records' such as completed forms, reports and authorisations.

By the way, electronic rather than printed documents are perfectly acceptable and are more readily controlled and circulated. They are more eco-friendly too.

Clause 8.1 reads:

“Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.”

In theory someone might gain sufficient confidence without any written records: they might simply observe the processes being performed. However, this is unlikely to satisfy the certification auditors in practice. They typically expect to review all the mandatory documentation and sufficient discretionary items to confirm that the ISMS both conforms to the standard and is operational. Without auditable documentation, major non-conformities against clauses 4.4 or 8.1 are almost inevitable.

Having said that, there is a tendency to go overboard on ISMS documentation, creating reams of red tape. The costs of creating, approving, using and maintaining excessive documentation can easily outstrip the business benefits. For example, if the ISMS is too complex and regimented, it may be harder to make improvements and slower to respond to ever-changing information risks and business needs. The trick, then, is to keep things in check. Write simpler, shorter policies and procedures using plain language and diagrams where appropriate. Only formalise things that need to be formalised. Generate and retain records only for as long as they genuinely add value.

In conclusion, while ISO/IEC 27001 only requires a few specific items, adequate documentation is the foundation of a business-like ISMS.