pr ISMS Documented Information (lite).pdf
0 likes487 views
The document outlines ISO 27001:2022 requirements concerning documented information in Information Security Management Systems (ISMS). It details mandatory documentation, policy structures, and procedures for creating, updating, and controlling these documents, as well as classification and labelling of information. Additionally, it provides insights into appropriate practices, examples of document templates, and recommended toolkits for implementing ISMS.
pr ISMS Documented Information (lite).pdf
- 1. ISO 27001:2022. ISMS Documented Information by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001 www.patreon.com/AndreyProzorov lite 1.0, 21.02.2024
- 2. Agenda 2 1. Requirements and Recommendations 2. Documented Information (the term) 3. Required (mandatory) documented information 4. ISMS Documentation Pyramid 5. IS Policy 6. Topics mentioned in A.5.1 7. Operational procedures (A.5.37) 8. An extended list of ISMS documents 9. The shortest list of ISMS documents and some comments 10.ISMS Documents and Interested parties (example) 11.Creating and updating 12.Policy structure (template) 13.Content of policies 14.Who, What, When, Where, Why and How 15.Verbal forms 16.Where to find inspiration? 17.TOP5 ISMS toolkits 18.Examples of policy templates 19.Information classification and Labelling 20.Classification of confidential information (simple approach) 21.Traffic Light Protocol 2.0 22.Control of documented information 23.Sanity checklist
- 3. 3 Requirements Recommendations ISO 27001 ISMS Requirements • 7.5 Documented information • 7.5.1 General • 7.5.2 Creating and updating • 7.5.3 Control of documented information • 5.2 Policy • and other clauses (see further) ISO 27002 IS Controls • 5.1 Policies for information security • 5.12 Classification of information • 5.13 Labelling of information • 5.33 Protection of records • 5.37 Documented operating procedures ISO 27003 ISMS Guidance ISO 27007 Guidelines for ISMS auditing ISO 27008 Guidelines for the assessment of information security controls Information and documentation. Management systems for records: • ISO 30301 Requirements • ISO 30302 Guidelines for implementation
- 4. 4 The term (ISO 27000:2018) Documented information: information required to be controlled and maintained by an organization and the medium on which it is contained Documented information can be in any format and media and from any source. Documented information can refer to: • the management system, including related processes • information created in order for the organization to operate (documentation) • evidence of results achieved (records)
- 5. 5 The term (ISO 27000:2018) Documented information: information required to be controlled and maintained by an organization and the medium on which it is contained Documented information can be in any format and media and from any source. Documented information can refer to: • the management system, including related processes • information created in order for the organization to operate (documentation) • evidence of results achieved (records) ISO 27007: The phrase “documented information as evidence of ...” implies the former term “record”.
- 6. 6 Documented Information. General (ISO 27001:2022) 7.5.1 General The organization’s ISMS shall include: a) documented information required by this document; and b) documented information determined by the organization as being necessary for the effectiveness of the ISMS. NOTE The extent of documented information for an information security management system can differ from one organization to another due to: • the size of organization and its type of activities, processes, products and services; • the complexity of processes and their interactions; and • the competence of persons.
- 7. 7 Required (mandatory) documented information Requirements ISO 27001:2022 My comments 1. Scope of the ISMS 4.3 Stand-alone document or appendix of the ISMS framework 2. Information security policy 5.2 Public document. Usually short, one-page 3. Information security risk assessment process 6.1.2 Information security risk management procedure and methodology, Risk Register and Reports, Risk treatment plan (RTP), MoMs 4. Information security risk treatment process 6.1.3 5. Statement of Applicability (SoA) 6.1.3 d) Usually Excel file / Data base 6. Information security objectives 6.2 Part of the ISMS framework / ISMS Policy + related metrics and KPIs 7. Evidence of competence 7.2 d) Set of documents Job descriptions, CVs, Certifications, Education plan and other records 8. Documented information determined by the organization as being necessary for the effectiveness of the ISMS 7.5.1 b) List of ISMS documents, Document management procedure Set of ISMS documents 9. Operational planning and control 8.1 Set of documents Plans, reports and MoMs, SLAs/OLAs, RACI chart and a list of ISMS processes 10. Results of the information security risk assessments 8.2 Risk Register and Reports, Risk treatment plan (RTP), KRIs, Orders, MoMs and other records 11. Results of the information security risk treatment 8.3 12. Evidence of the monitoring and measurement results 9.1 List of metrics and KPIs, reports and MoMs 13. Evidence of the audit programme(s) and the audit results 9.2 Documented procedure, Audit Programme, Plans and Reports 14. Evidence of the results of management reviews 9.3.3 Management review Reports and MoMs 15. Evidence of the nature of the nonconformities and any subsequent actions taken 10.2 f) Documented procedure, List of NCs, NC Reports and other records 16. Evidence of the results of any corrective action 10.2 g) Orders, Plans, Reports and other records
- 8. 8 ISMS Documentation Pyramid IS Policy / ISMS Policy ISMS Framework Topic-specific Policies and Technical Standards Procedures Guidelines Records (Reports, Plans, MoMs, etc)
- 9. • Policy: A document that communicates required and prohibited activities and behaviors • Framework: Structure of processes and specifications designed to support the accomplishment of a specific task • Procedure: A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes • Process: Generally, a collection of activities influenced by the enterprise’s policies and procedures that takes inputs from a number of sources, (including other processes), manipulates the inputs and produces outputs. • Guideline: A description of a particular way of accomplishing something that is less prescriptive than a procedure • Record: Document stating results achieved or providing evidence of activities performed 9 IS Policy / ISMS Policy ISMS Framework Topic-specific Policies and Technical Standards Procedures Guidelines Records (Reports, Plans, MoMs, etc)
- 10. 10 IS Policy. General Requirements (ISO 27001:2022) 5.2 Policy Top management shall establish an information security policy that: a) is appropriate to the purpose of the organization b) includes information security objectives or provides the framework for setting information security objectives c) includes a commitment to satisfy applicable requirements related to information security d) includes a commitment to continual improvement of the information security management system (ISMS) The information security policy shall: e) be available as documented information f) be communicated within the organization g) be available to interested parties, as appropriate
- 11. 11 Topics mentioned in ISO 27002: A.5.1 Policies for information security At a lower level, the information security policy should be supported by topic-specific policies as needed, to further mandate the implementation of information security controls. Topic-specific policies are typically structured to address the needs of certain target groups within an organization or to cover certain security areas. Examples of such topics include: a) Access control b) Physical and environmental security c) Asset management d) Information transfer e) Secure configuration and handling of user endpoint devices f) Networking security g) Information security incident management h) Backup i) Cryptography and key management j) Information classification and handling k) Management of technical vulnerabilities l) Secure development
- 12. 12
- 13. 13 Some comments: 1. The list of documents and their titles depend on the overall approach of the organisation, its size, and the expectations of interested parties (internal and external) 2. Some of the topic-specific policies might be combined in one document (e.g. ISMS Framework, IT Security Policy, Physical Security Policy, Acceptable Use Policy…) 3. Mandatory documents must be provided in order to certify an ISMS 4. ISMS Documented Information Policy is valuable if you don’t have a General Document Management Policy / Procedure 5. Document and regularly update the list of ISMS documents
- 14. 14 Documented Information. Creating and updating (ISO 27001:2022) 7.5.2 Creating and updating When creating and updating documented information the organization shall ensure appropriate: a) Identification and description (e.g. a title, date, author, or reference number); b) Format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and c) Review and approval for suitability and adequacy.
- 15. 15 Documented Information. Creating and updating (ISO 27001:2022) 7.5.2 Creating and updating When creating and updating documented information the organization shall ensure appropriate: a) Identification and description (e.g. a title, date, author, or reference number); b) Format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and c) Review and approval for suitability and adequacy. My comment. Auditors also review: • history of changes • identity of reviewer and approver
- 16. 16 Title page: 1.Title of Document 2.Document ID 3.Status 4.Date of approval 5.Version 6.Confidentiality 7.Prepared by (Author) 8.Verified by 9.Approved by 10.Introduction 11.Target audience 12.Change history The main body: 1.Acronyms and abbreviations 2.Terms and definitions 3.Introduction • Purpose and objectives • Scope • Roles and Responsibilities 4.General Provisions 5.Main points of the document / Policy requirements 6.Document revision (Provisions for document revision) 7.References / Related Policies 8.Annexes (if applicable)
- 17. 17 Content of policies (ISO 27003) The content of policies is based on the context in which an organization operates. Specifically, the following should be considered when developing any policy within the policy framework: 1. The aims and objectives of the organization 2. Strategies adopted to achieve the organization’s objectives 3. The structure and processes adopted by the organization 4. Aims and objectives associated with the topic of the policy 5. The requirements of related higher level policies 6. The target group to be directed by the policy
- 18. Statements and writing style should be tailored to the audience and scope of the documentation 18
- 19. • “Shall” indicates a requirement • “Should” indicates a recommendation • “May” indicates a permission • “Can” indicates a possibility or a capability 19 Verbal Forms
- 20. 20 Where to find inspiration? 1. Copy-paste from standards and good practices or retell them. I prefer ISO 27001/27002/27003, ISF SoGP, COBIT and CIS Controls 2. Use ISO 27001 Toolkits 3. Ask ChatGPT, Notion AI or other AI 4. Google it (“filetype:pdf policy name”)
- 21. 21 TOP 5 ISMS Toolkits (ISO 27001) 1. ISO27k Toolkit by ISO27k Forum (Free) - https://lnkd.in/eC5Kh5d6 2. ISMS Implementation Toolkit by Andrey Prozorov - https://lnkd.in/enzZdZ9 3. ISO 27001 Documentation Toolkit by Advisera - https://lnkd.in/euYBc-SW 4. ISO 27001 Toolkit by CertiKit -https://lnkd.in/ePxZUjHe 5. ISO 27001 Toolkit by IT Governance - https://lnkd.in/eAwTcuE6
- 22. Information Classification and Labelling 22 A. 5.12 Classification of information A. 5.13 Labelling of information Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. Owners of information should be accountable for their classification...
- 23. 23 Classification of confidential information (simple approach) Examples of labelling techniques include: a) physical labels b) headers and footers c) metadata d) watermarking e) rubber-stamps
- 24. 24
- 25. 25 Documented Information. Control (ISO 27001:2022) 7.5.3 Control of documented information Documented information required by the ISMS and by this a) it is available and suitable for use, where and when it is needed; and b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). For the control of documented information, the organization shall address the following activities, as applicable: c) distribution, access, retrieval and use; d) storage and preservation, including the preservation of legibility; e) control of changes (e.g. version control); and f) retention and disposition. Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.
- 26. Thanks, and good luck! www.linkedin.com/in/andreyprozorov www.patreon.com/AndreyProzorov 26
- 27. 27 ISMS Implementation Toolkit by Andrey Prozorov www.patreon.com/posts/47806655
- 28. My ISMS-related presentations - www.patreon.com/posts/quick-links-75788060