September 27, 2019

Last Updated on January 12, 2024

One of the mainstays of an ISO 27001 Information Security Management System (ISMS) is document, document, document. To do that, we develop auditable artifacts; and let’s face it, there are many. So why create another artifact that isn’t required? I’m talking about an information security management system (ISMS) Manual. The ISO 27001 framework doesn’t require an ISMS Manual or even specify exactly what an ISMS Manual needs to look like…

So why would you ever create one?

While not every ISO 27001 consultant/adviser recommends creating an ISMS Manual, it is a proven part of our ISO 27001 certification methodology at Pivot Point Security.
I view the ISMS Manual as a valuable “one-stop shop” to encompass or replace other documentation on your risk management methodology, ISMS scope, interfaces, various policies and more. Instead of looking in multiple places for key information, it’s all centralized in one place for easy reference. Why create separate documents, such as your ISMS objectives, just because guidance is not provided as to where to park them?
The ISMS Manual could also potentially include your Information Security Policy, Communication Plan, Risk Methodology, Document Management Policy and other key documents that would normally stand alone. Or you can simply reference other documents for details if you want to keep the ISMS Manual “high-level.”
Your ISMS Manual can really be “what you make it,” though it’s important that it not repeat or duplicate information found elsewhere. Duplication makes your document system more cumbersome and, if the repeated content gets out of sync, opens you up to audit findings or the dreaded nonconformity.

Making it easier for stakeholders to find information is a great reason to create an ISMS Manual. But probably the best thing about an ISMS Manual is that it effectively creates a roadmap for an audit. Come audit time, your team or an auditor can just refer to the ISMS Manual for much of the needed information. Having a centralized view also makes it easier for auditors or other stakeholders to efficiently wrap their minds around your ISMS overall.
This saves time and effort for third-party auditors and registrars, who frequently face significant time pressure. Anything that makes that person’s life easier will also be a bonus for you, because you’ll end up investing less time in the audit as well. Also, part of any audit is what I call “showmanship.” The more gracefully you can produce information, the more an auditor is going to see that you live and breathe your ISMS, and that it’s not just another check box.
I like to think of this as taking an offensive position “against” your auditor, where you would usually feel on the defensive. The ISMS Manual isn’t inviting the auditor to ‘take a step outside,’ but it certainly takes the heat off all the “show me evidence of XYZ” requests.
More than once an external auditor, knowing Pivot Point Security was involved in the project, has basically said: “Let me see your ISMS Manual, Scope and Statement of Applicability and I can do most of the audit without even talking to you.” That’s because we have a reputation for building ISMS Manuals that include the information auditors want (and need) to see, in a format that makes it simple for them to access it.
It’s also handy to share the ISMS Manual (along with your Charter and Information Security Policy) with a new member of the ISMS Steering Committee. He or she probably won’t read the whole thing, but it’s always a handy reference that helps keep your business on track to maintain its certification over time.
It could be argued that having one large document versus multiple smaller documents is somewhat more of a pain when you need to get a change approved. But in my experience the size of the document isn’t a major factor in how smooth or bumpy that process is. If anything, it’s easier to fold multiple changes into one approval cycle with a single, centralized document.
Pivot Point Security has a 100% success rate bringing clients to ISO 27001 certification. Our unique “certification-as-a-service” model lets you achieve certification at your own pace and save time and money while staying on-target and delivering verifiable results. Contact us to speak with an expert about your business needs and how we can help.