
Doxonomy ISO 27001:2013 Documentation Toolkit

Implementation Guide

1 Introduction
Thank you for purchasing the Doxonomy ISO 27001:2013 Documentation Toolkit.
Whether you are updating your documentation, moving on from 27001:2004 to 27001:2013
or implementing ISO 27001 for the first time, using our document toolkit will make it far less
painful than you might expect!
While our 27001 Step-by-Step implementation guide (you can find this in the “Guidance”
folder) provides step-by-step guidance on the overall steps you will need to take to
implement ISO 27001:2013 in your organisation, this guide focuses on how to tailor the
documents we have provided to the specific needs of your organisation.
Implementing ISO 27001:2013 is of course far more than great documentation, but
documentation is a key element as it is the ‘glue’ which binds the whole together, so these
two guides are complementary and should be used side-by-side.

2 Accessing Your Documents


You have been supplied with a ZIP file containing the Doxonomy 27001:2013
Documentation Toolkit and you should keep this safely on your hard drive.
Unzip the files, making sure that you maintain the directory structure.
Keep the ZIP file safe, in case you need it again.
We will advise you via our newsletter of any changes and additions we make in the future
and provide you with a link to download the updated ZIP file.

3 Content
The documents provided include these Instructions, an over-arching Information security
Manual, a series of supporting Procedures, a range of related Forms, Templates and
Checklists, comprehensive Guidance and more:
• Instructions - Doxonomy ISO 27001 2013 Toolkit

27001 Documentation:
• Information Security Manual

Core¹ Management System Procedures (file prefix CMS):
• Control of Calibration, Verification and Validation
• Control of Competency

¹ These core procedures are common to each of our management system toolkits, 9001, 14001 etc.
Doxonomy ISO 27001:2013 Toolkit Page 1 of 11
• Control of Corrective and Preventative Action Reporting (CPAR)
• Control of Internal Auditing
• Control of Management System Documentation
• Control of Management System Records

Information Security System Policies and Procedures (file prefix ISMS):
• Control of Management Reviews
• Control of Monitoring Measuring Analysis and Evaluation
• Control of Outsourced Processes
• Control of Risks and Opportunities
• Control of Software and Systems Development
• Identification of Information Security Context
• Supplier Security Policy

Annex A Control Objectives and Controls (file prefix ISMS):
• Organisation of Information Security
  - Mobile Device Policy
  - Teleworking Policy
• Human Resource Security
• Asset Management
  - Information Classification Policy
  - Information Handling Policy
• Access Control
  - Access Control Policy
• Cryptography
• Physical and Information Security
• Operations Security
  - Backup and Restore Policy
• Communications Security
• Acquisition Development and Maintenance of Information Systems
• Information Security in Supplier Relationships
• Information Security Incident Management
• Business Continuity Management
• Compliance With Legal and Contractual Requirements Procedure
• Intellectual Property Rights Policy
• Information Security Reviews

Management Instructions (file prefix ISMS):
• Acceptable Use Policy
• Bring Your Own Device Policy
• Cloud Computing Policy
• Network Connection Policy
• Password Policy
• Social Networking Policy
• Wireless Network Policy

Forms, Templates, Logs and Registers:
• Authorities and Specialist Group Contacts Register
• Contractual Compliance Register
• Calibration Monitoring and Production Software Validation Register
• Controlled Documents Register
• Controlled Records Register
• Corrective and Preventative Action Report (CPAR) Form
• Corrective and Preventative Action Report (CPAR) Log
• Document Change Request Form
• Information Asset Inventory
• Information Handling Risk Assessment
• Information Security Context Log
• Incident Register
• Incident Report Form
• Information Security Monitoring Plan
• Information Security Objectives Realisation Plan
• Risk Assessment Worksheet
• Risk Register
• Risk Treatment Plan
• Routine Maintenance Register
• Management Review Agenda Template
• Management Review Meeting Minutes Template
• Outsourced Process Register
• PESTLE Template
• Role Profile Form
• Role Profile Register
• Statement of Applicability
• Statutory and Regulatory Compliance Register
• SWOT Template
• Training Evaluation Form

Internal Audit:
• Auditor Code of Conduct
• Internal Audit Checklist Questions - ISMS
• Internal Audit Checklist Questions - ISMS Controls
• Internal Audit Feedback Form
• Internal Audit Report Template
• ISMS Auditing Step-by-Step
• Knowledge Requirements for ISMS Auditors

27001 Training (PowerPoint Presentations):
• ISO 27001 Training Module 1 - An Introduction to ISO 27001
• ISO 27001 Training Module 2 - Information Security Terminology
• ISO 27001 Training Module 3 - Cl1 to Cl6 in Detail
• ISO 27001 Training Module 4 - Cl7 to Cl10 in Detail
• ISO 27001 Training Module 5 - Annex A - Control Objectives and Controls

Auditor Training (To ISO19011:2011) (PowerPoint Presentations):
• Auditor Training Module 1 - Auditing Concepts
• Auditor Training Module 2 - Audit Management
• Auditor Training Module 3 - Conducting the Audit
• Auditor Training Module 4 - Competence and Training of Auditors

27001 Guidance:
• 27001 Step-by-Step
• Annex A Information Security Control Checklist
• Gap Analysis ISO 27001-2013
• Glossary of Terms ISO 27001-2013
• Mandatory Documents and Records ISO 27001-2013
• Threats and Vulnerabilities Checklist

Abacre:
• Instructions – Replacing Placeholders
• Placeholders
We have worked hard to create a “generic” document set that requires the minimum of
tailoring to individual organisations. However, all businesses are different and you will
inevitably, as described below, need to make changes to the documents we have provided
and to fill in some “gaps”.

4 Toolkit Scope
The documentation we provide covers businesses of all types.
As they cover all businesses, many businesses will be able to remove some of the
requirements. For example, if you don’t “develop” software, then control objectives and
controls for software development can be left out of your ISMS.

5 Doxonomy’s Approach
ISO 27001 is a high level international standard that utilises language which can sometimes
confuse as it tries to find terms and concepts which span multiple cultures and versions of
English.
While we could strictly follow the terms used in the standard, we have decided to improve
clarity and ease of use by sometimes using more ‘common’ language. The standard itself
explicitly states that other terminological approaches may be used, and we are confident that
our documentation remains compliant with ISO 27001.
Some authors create an entirely different structure (in terms of clause numbering) to that
used in the standard, presumably because they think their approach is superior. However,
we consider it best to adopt the numbering scheme of ISO 27001, so that linking the
information security management system content to the standard remains straightforward
and does not require the complex cross-reference table which is otherwise necessary. If you
are going for third party certification in due course, this approach makes it easy for auditors,
and anything that makes it easier for them makes it easier for you!
Other points of note include:
• We have not utilised document numbers or reference systems, which in our view are
unnecessary and just add another level of confusion and complexity. We recommend
clear and meaningful document titles which aid usability.
• ISO 27001 uses the term “Documented Information” to refer to both “Documents” and
“Records”. We find this confusing, given that different controls are required for each
in the standard, and so have kept the more common split between “Documents” and
“Records”. As noted above, ISO does not require you to adopt the standard’s built-in
terminology to be compliant with the standard.
• While we have worded procedures on the basis that documents are all distributed
and controlled via an intranet or similar, and thereby all documents referred to on-line
by operatives are automatically up-to-date and thus “controlled”, we have also
included in each controlled document the facility for it to be printed.
• If printed, controlled documents can either remain controlled, that is, distributed
formally to named targets by the “Documentation Controller”, or they become
‘uncontrolled’. How you manage document distribution and control is ultimately your
decision, so long as you do not permit the circumvention of ISO 27001’s document
control requirements.

6 Documentation Overview
Our ISO 27001:2013 documentation adopts the following hierarchy:

6.1 ISMS Manual

The Information Security Manual is a high‐level document that includes:
a) a statement explaining the scope of the Information Security Management System
(ISMS)
b) the organisation’s Information Security Policy and Information Security Objectives
c) a clause-by-clause overview of the system level procedures
d) an Organisation Chart showing the relationships and responsibilities of persons
whose work affects information security
The Information Security Manual we provide is mostly complete, with only limited (but
nevertheless important!) additions required which are specific to your organisation.

6.2 ISMS Policies and Procedures


The ISMS policies and procedures are the core “high‐level” documents that detail how the
organisation’s ISMS processes are designed and controlled and the checks that are carried
out. All of these procedures are referenced in the manual.
Doxonomy has provided you with drafts of all of the system level policies and procedures
necessary to meet the requirements of 27001. Most organisations will only need to make
modest changes/additions to finalise these drafts.

6.3 ISMS Control Objectives and Controls


ISMS Control Objectives and Controls are “high‐level” documents that set out the principles
adopted by the organisation for meeting information security control objectives through the
application of information security controls.
Doxonomy has provided you with drafts corresponding to each section of Annex A.
It would be possible, and we have seen it done, to have no such documents by just
embedding the necessary controls in each management instruction (see below) but the
result, in our view, would be somewhat unmanageable and opaque. Better to make clear
your generic approach to each class of control, and then follow that approach through into all
policies and procedures which employ such controls.
Most organisations will only need to make modest changes/additions to finalise these drafts.



You may not need all of these controls, but you may also need to define additional control
objectives and control descriptions according to any specific control requirements you
identify, that are not covered by Annex A.

6.4 ISMS Management Instructions

ISMS Management Instructions (commonly called “management instructions”, “operating
procedures” or “work instructions”) include both policies (this is what you must comply with)
and procedures (this is what you must do), to be followed by personnel, to ensure workplace
compliance with the ISMS, and minimise the information security risks associated with the
various activities of the organisation.
Because they reflect local conditions, and are often written by the people who perform the
actual work, our toolkit generally doesn’t include ISM instructions. However, some
management instructions are common to most organisations and we have provided drafts of
several of these.
Sometimes you need to provide ISM instructions where, for example, the system level
documentation states “We have implemented policies and procedures to …” or similar, and
no specific policies and procedures have been referenced.
Similarly, you may also want to target specific groups of staff, or users of particular
technologies (such as mobile devices), with specific instructions to ensure they understand
their responsibilities under the ISMS, and how to undertake particular tasks to ensure
compliance with the ISMS.
All such management instructions become a de facto part of your ISMS and auditors will
request to see them and seek evidence that you have complied with them.
It is, however, a common misconception that every information security related task in the
company needs to be documented in an instruction. Management instructions are only
required where there is not enough information at the system policy / procedure level to
ensure the information system is effective or where training is not sufficient to ensure the
member of staff has enough knowledge to do their job consistently and correctly.
However, where you do add management instructions to your ISMS, they become part of the
ISMS and are controlled documents which must be maintained and managed as such!
Management instructions can come in many forms; flowcharts, checklists, text procedures,
diagrams etc.
Here are some criteria that might help you decide if/when/where management instructions
are necessary:
• infrequent tasks – if a job is performed very infrequently, it is possible that staff will
require management instructions
• important tasks – if a job is very important or high risk, it may need to be defined in
an operational procedure
• complicated tasks – if a job requires many or complicated steps it may require an
operational procedure
• tasks where any of the following characteristics are present would probably benefit
from an operational procedure:
  - staff are unsure
  - errors are frequent
  - regular inspection is required
  - novices could not do the work
  - consistency is important
  - supervision is required
  - mistakes are time consuming and difficult to fix
  - specialised training is required
However, complexity in itself is not an indicator of the need for an operational procedure;
bear in mind that:
• low complexity - baking a cake where every box of cake mix has the recipe
(operational procedure) printed on it
• medium complexity - driving a car where there are no management instructions, but
instead rules and training
• high complexity - brain surgery where you would not want to hear your doctor ask for
management instructions as you were going under anaesthetic, but instead want a
highly trained individual who can think through any problems rather than looking to a
manual
6.5 Forms & Records
Forms capture records for data/information required to support or confirm processes. Forms
can be separately controlled documents and/or included within the appropriate procedure.

7 ISO Documentation Requirements

ISO provides the following guidance as to the need to document your ISMS and retain
records so as to comply with ISO 27001:
1. ISMS scope (as per clause 4.3)
2. Information security policy (clause 5.2)
3. Information risk assessment process (clause 6.1.2)
4. Information risk treatment process (clause 6.1.3)
5. Information security objectives (clause 6.2)
6. Evidence of the competence of the people working in information security (clause
7.2)
7. Other ISMS-related documents deemed necessary by the organization (clause
7.5.1b)
8. Operational planning and control documents (clause 8.1)
9. The results of the risk assessments (clause 8.2)
10. The decisions regarding risk treatment (clause 8.3)
11. Evidence of the monitoring and measurement of information security (clause 9.1)
12. The ISMS internal audit program and the results of audits conducted (clause 9.2)
13. Evidence of top management reviews of the ISMS (clause 9.3)
14. Evidence of nonconformities identified and corrective actions arising (clause 10.1)
15. Annex A, which is normative, mentions but does not fully specify further
documentation including the rules for acceptable use of assets, access control policy,
operating procedures, confidentiality or non-disclosure agreements, secure system
engineering principles, information security policy for supplier relationships,
information security incident response procedures, relevant laws, regulations and
contractual obligations plus the associated compliance procedures and information
security continuity procedures.
Certification auditors will almost certainly check that these fifteen types of documentation are
(a) present, and (b) fit for purpose. The standard does not specify precisely what form the
documentation should take, but section 7.5.2 talks about aspects such as the titles, authors,
formats, media, review and approval, while 7.5.3 concerns document control, implying a
fairly formal ISO 9000-style approach. Electronic documentation (such as intranet pages) is
just as good as paper documents, in fact better in the sense that it is easier to control.

8 Document Customisation
While we strive to make our documents suitable for most organisations, all organisations are
different and you will inevitably need to do some customisation.
There are many consultancies who provide services to help you obtain ISO 27001 but they
are of differing quality and can be expensive. In our experience, if you are committed to
understanding how ISO 27001 works and put in the time and effort required, their
involvement need only be limited (and often they are not required). In many ways it is best
done by you, as you will need to understand how ISO 27001 works, and explaining your
business to a consultant can take just as long!
If you do get stuck remember that Google is your friend and that it is often sufficient to halt
work on a tricky issue and come back to it later!
We recommend that, having downloaded your document set from the internet, you
customise them in two phases.

8.1 Phase 1 – Replace the ‘text placeholders’ with specific titles

Scattered throughout the documents are generic textual “placeholders” (separated from
normal text like this: “<placeholder>”) where titles and other items specific to your
organisation need to be inserted.
For example, we don’t know what title you are going to give the manager with overall
responsibility for managing ISO 27001 and achieving information security outcomes. So we
have used a placeholder, “<ISMS Manager>”, throughout the templates.
You may want to give this person the title “27001 Manager” or “Information Security
Director”, or, if you are a small office based business, 27001 may become a responsibility of
the “Office Manager” or then again you may have some entirely different title in mind.
There are multiple titles and many substitutions to be made, so, to make this step easy, we
have set up a conversion process for you which allows all of these placeholder substitutions
to be made in a single step.



In the folder “Abacre” you will find detailed instructions that lead you step-by-step through
completing this important first phase of tailoring the template documents to your organisation.
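As an added example (not part of the Doxonomy toolkit or its Abacre instructions), the following Python script performs the same single-step substitution over documents exported as plain text and, just as usefully, reports any placeholder that is still unresolved, so that nothing like “<ISMS Manager>” survives into the finished ISMS. The mapping, the file suffix and the sample document text are constructed assumptions.

```python
import re
from pathlib import Path

# The toolkit marks placeholders as "<Some Title>"; assumed never to span a line.
PLACEHOLDER_RE = re.compile(r"<([^<>\n]+)>")

# Constructed sample mapping: placeholder name -> the title your organisation uses.
SAMPLE_MAPPING = {
    "ISMS Manager": "Information Security Director",
    "Company Name": "Example Ltd",
}

# Constructed sample document text (not a toolkit document); one placeholder is
# deliberately missing from SAMPLE_MAPPING so the unresolved report has something to show.
SAMPLE_DOC = (
    "The <ISMS Manager> is responsible for the ISMS of <Company Name>.\n"
    "Audits are scheduled by the <Internal Audit Lead> each year.\n"
)


def find_placeholders(text: str) -> set:
    """Return the set of placeholder names still present in text."""
    return set(PLACEHOLDER_RE.findall(text))


def apply_placeholders(text: str, mapping: dict) -> tuple:
    """Replace every mapped placeholder in one pass.

    Returns (new_text, unresolved) where unresolved is the set of placeholder
    names that had no entry in mapping. A mapping value that itself looks like a
    placeholder (e.g. "<Office Manager>") is rejected: it would be copied into
    every document and would not be caught as unresolved afterwards.
    """
    for name, value in mapping.items():
        if PLACEHOLDER_RE.search(value):
            raise ValueError(f"replacement for {name!r} is itself a placeholder: {value!r}")

    def substitute(match):
        # Unmapped placeholders are left untouched so they show up in the report.
        return mapping.get(match.group(1), match.group(0))

    new_text = PLACEHOLDER_RE.sub(substitute, text)
    return new_text, find_placeholders(new_text)


def process_folder(folder, mapping: dict, suffix: str = ".txt") -> dict:
    """Apply mapping to every file under folder with the given suffix.

    A file is only written back when no placeholder remains, so a half-tailored
    document never overwrites its template. Returns {path: unresolved names}.
    """
    report = {}
    for path in sorted(Path(folder).rglob(f"*{suffix}")):
        new_text, unresolved = apply_placeholders(path.read_text(encoding="utf-8"), mapping)
        report[str(path)] = unresolved
        if not unresolved:
            path.write_text(new_text, encoding="utf-8")
    return report


if __name__ == "__main__":
    tailored, unresolved = apply_placeholders(SAMPLE_DOC, SAMPLE_MAPPING)
    print(tailored)
    print("still unresolved:", sorted(unresolved))
```

Run it against a folder of exported documents with process_folder and treat any non-empty entry in the returned report as a document that is not yet ready for Phase 2.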

8.2 Phase 2 – Customise the detail


Assuming you have replaced the placeholders with actual titles you are now ready to get into
the detail.
Four types of customisation may be required in this phase:
1. Your organisation may not develop software, or use mobile devices and so on. Read
carefully through the documents and decide, on the basis of what your actual
activities are, and what scope you propose for your ISMS, which parts of the
documentation you need and which parts you don’t.
2. Your organisation may not ‘fit’ our generic documents and you may need to re-draft
various parts of them until they do. You will only know what changes of this type you
need to make by carefully reading through the documents and noting where such
changes are required. In general, we find that changes of this type tend to be
relatively limited.
3. There are some areas where we know that you will definitely need to add or amend
to the text because the wording that is required will be specific to your organisation.
Where this is the case we have indicated that in bright blue text, and bright blue italic
text also explains what you need to do. Don’t forget to remove all of the italic blue
text once you have made the required inputs!
4. Add any operational policies or procedures (see above) as required.
We recommend that you work systematically, starting with the Information Security Manual,
Policies and Procedures.
The most difficult new concept that you are likely to encounter is “information security
context of the organisation”. This is where you need to think in depth about your
organisation/operations and how they relate either directly or indirectly to both your internal
and external stakeholders. We provide an “Identification of Information security Operational
Context” procedure and its related tools to guide you through undertaking this important
task.
Once the system is approaching full definition, move on to the forms, templates, logs and
registers etc. We have hopefully provided the majority of such documents that you will need.
However, it is usual that you will need to create more and adjust some to realise a fully
working system which meets all of the requirements of ISO 27001 as applied to your
particular circumstances.

Remember, wherever you see hypertext (underlined blue text) or a symbol in a document
it is a hyperlink to our on-line knowledge base or to third party advice, where you can find
help and guidance.

9 Working with Word


Microsoft Word
Doxonomy H&S is designed to be used with Microsoft ‘Word’ or any ‘Word’ compatible word
processor / viewer. If your staff don’t have Word they can download a free copy for Windows
here:



Download Word 2016 for Free
Creating Hyperlinks in Microsoft Word
Doxonomy relies on hyperlinks for navigation between documents and web pages.
Here is a short introduction on creating hyperlinks in Word.
How to follow hyperlinks in Word without holding down the Ctrl key
By default, live hyperlinks in Word are opened in the default browser by pressing and holding
the “Ctrl” button and clicking the link. If you would rather just single click to follow a hyperlink,
you can easily disable the “Ctrl+Click” by following these instructions.
Viewing Word Files on an Apple device, such as an iPad
By default an iPad downloads a Word file into its own ‘Pages’ software which makes a
complete mess of the formatting! To view a properly formatted Word document first add the
free Word App to your device. Then when the document downloads into ‘Pages’ tap the top
left of the document and choose to view it in the Word App.
If you want to edit a Word file on the iPad then this is best achieved by subscribing to Word
365.
Viewing Word Files on an ‘Android’ device
You can use the free ‘Google Docs’ App or the free Microsoft Word App to view Word files on
an ‘Android’ device.
