Last Updated on October 5, 2021
If your organization is preparing for an ISO 27001 certification audit, you’re probably documenting everything but the steps for cleaning the coffee maker in your break room. Who cares if nobody ever looks at it again or uses it to maintain your ISO 27001 information security management system (ISMS) after your initial audit? More is better when it comes to documentation, right?
To talk SMBs out of this and other common misconceptions about the ISO 27001 certification process, Pivot Point Security CISO and Managing Partner, John Verry, recorded a special podcast in response to frequent client requests.
ISO 27001 isn’t about documenting every control
As John points out, ISO 27001 isn’t about documenting every control ad nauseum. Instead, it has specific documentation requirements that relate to building and running your ISMS.
“It’s a common thing; we’ll jump on the phone, and someone will say, ‘Hey, we just need you to come in do an internal audit,’” John relates. “And I’ll say, ‘Oh, so you’re ready for ISO 27001?’ ‘Yep.’ ‘Okay. What have you done?’ ‘Well, we went out and bought a policy set and we’ve got every control documented.’ And my answer is always, ‘What about your ISMS? What about your scope statement? What about your risk assessment, statement of applicability, security metrics…? What are your control objectives?’”
“Because ISO 27001 is really not about documentation,” emphasizes John. “People have this misconception that, ‘I need to document everything.’ You don’t need to document nearly as much as you think you need to document. Because an auditor can come in and he can find that there are certain controls that are observable, right? You didn’t need to document them because the systems or processes you follow actually enforce those controls.”
Examples of “self-documenting” controls
“As an example, in our environment we no longer have a separate document that’s our employee off-boarding and onboarding procedures,” John notes. “And why is that? Because we actually control that through our help desk ticketing system. So, when the auditor comes in and says, ‘Hey, have you hired any new people this year?’ We say, ‘Yeah, we hired six new people this year.’ They say, ‘Great. Where can we find evidence of that process being followed?’ ‘Hey, here’s the help desk tickets that actually align with that.’”
A couple other examples John shares include:
- Meetings of your ISMS committee meetings could be documented in your project management system.
- If people only access systems through your Microsoft 365, your password policy is probably documented within Active Directory, so there’s no need for separate (and effectively redundant) documentation.
“So be aware—documentation is good, and you will definitely need a fair amount of documentation to get ISO 27001 certified. But ISO 27001 is not about documenting everything,” reiterates John.
If you want to keep your business on the fast path to ISO 27001 certification, be sure to catch this invaluable podcast with ISO 27001 expert John Verry. EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security
Looking for some more guidance about managing you ISO 27001 documentation process? Check out this blog post: Information Security Policy Documentation: Simple is Better – Pivot Point Security