Last Updated on October 22, 2014
Clients often ask me whether they can make their lives easier by using information security policy templates to document compliance with the ISO 27001 standard for certification purposes. My answer is uniformly “No.” Here’s why.
The ISO 27001 standard has over 50 requirements in clauses 4 through 10, and 114 controls in Annex A. None of those requirements mandates or even recommends the use of templates for security policies and procedures. So why do organizations seeking certification often want to use templates to document compliance with ISO 27001? Usually it’s because they’re either not sure what they need to document, and/or they believe that templates will save them time in documentation.
But if you don’t have the expertise to document your own existing security policies and procedures for compliance purposes, you probably also don’t have the expertise to comply with or modify the policies and procedures documented in your chosen template.
Likewise, templates don’t save time because the disparity between your chosen template and your real-world policies and procedures is too great. The time you might save compared with documenting your procedures from scratch ends up being outweighed by the time you spend either changing your real-life procedures to comply with what’s described in the template, or changing what’s described in the template to reflect what your organization is actually doing.
If templates aren’t useful, why are there so many of them out there? Consultants and others who help organizations achieve ISO 27001 certification create templates for one reason: because their clients ask for them. Templates describe “best practices,” so clients often assume that a template will include whatever the auditor is looking for. But that might not be what’s appropriate for your organization, and it’s probably not what your organization is currently doing either.
ISO 27001 certification is like an open-book test—and using templates to document information security policies and procedures is like studying the wrong book. For example, say you download a Backup Policy template that’s outdated and talks about best practices for offsite rotation of tapes and periodically performing restores to test backup tapes. But these days your organization doesn’t even use tapes for backups anymore. Instead, you rely on disk-to-disk backups to NAS devices plus SAN replication to a colocation facility for business continuity and disaster recovery. Now you’ve got a nonconformity to correct before you can be granted ISO 27001 certification because your modern IT organization doesn’t comply with that outdated backup policy template. Think that would never happen? I recently witnessed it firsthand.
Another good example I recently saw relates to password policies. You can download a password policy template that addresses all the best practices for password management. But it’s unlikely you can enforce those best practices in the legacy applications your business may rely on to generate most of its revenue or provide critical services. Now you’ve got a nonconformity for failure to comply with your own password policy. The time spent documenting a corrective action plan for that nonconformity would’ve been better spent identifying the risks of weak passwords in legacy applications and making a risk treatment decision driven by a business justification, instead of a change driven by the need to match your business process to a template.
Keep in mind also that the purpose of documenting your policies and procedures is to clarify and optimize the rules for running your business—not to pass an audit. All the best practices that templates provide are already provided in the standard’s implementation guidance. That’s the only “template” you really need.
Here’s the quickest, cleanest and most useful way to document your security policies for ISO 27001 compliance purposes: Compare the best practices the standard describes to what you do now, and document the ones that you currently use, plan to implement or would like to eventually implement.
Can you achieve ISO 27001 certification using templates? Sure. But most likely you can do it better and faster without them.