November 5, 2019

Last Updated on January 15, 2024

Organizations seeking ISO 27001 certification sometimes choose to “err on the side of caution” and document “everything.” Usually this is because they don’t have a solid understanding of what ISO 27001 actually requires them to document.
Last week I conducted an internal audit for a client that is looking to renew its ISO 27001 certification. This business had recently merged with another company and marrying the two organizations’ respective policies was a significant effort.
It didn’t help matters that our client seemed to have gone a little “policy crazy.” They had a policy for everything, including a lot of things that ISO 27001’s policy guidelines don’t ask for. They also covered the same policies in multiple policy documents.
Does this sound familiar? This complex and confusing state of affairs was not ideal from the standpoint of referencing or updating the policies, let alone communicating them.

“…focus on what you’re actually doing, rather than what you’re requiring people to do.”


In fact, ineffective policies can have a negative impact on the information security management system (ISMS) as a whole. This is because there is frequently a disconnect between what a policy document says, what people are actually doing, and what ISO 27001 specifies the policy document should cover. As a result, the policy does not effectively communicate what actions employees should take, or why.
Rather than issue various “Opportunities for Improvement” (OFIs), I offered our client this advice: Focus more on what the ISO 27001 standard asks for from a control activity perspective, rather than from a policy requirement perspective.
In other words: Think about your control environment and what you actually need to do to comply with ISO 27001. Then focus on what you’re actually doing, rather than what you’re requiring people to do.
This will help align your documentation with your actual controls and business practices—and hopefully reduce the size of your policy documents as well.
If you’re seeking to align your information security posture with ISO 27001 and are unsure what your information security policy, procedures and related documents should include, contact Pivot Point Security. We can help you create effective ISO 27001 documentation that both supports your ISMS and helps prepare you for certification.
For more information: