Implementation Guide
1 Introduction
Thank you for purchasing the Doxonomy ISO 27001:2013 Documentation Toolkit.
Whether you are updating your documentation, moving on from 27001:2004 to 27001:2013
or implementing ISO 27001 for the first time, using our document toolkit will make it far less
painful than you might expect!
While our 27001 Step-by-Step implementation guide (you can find this in the “Guidance”
folder) provides step-by-step guidance on the overall steps you will need to take to
implement ISO 27001:2013 in your organisation, this guide focuses on how to tailor the
documents we have provided to the specific needs of your organisation.
Implementing ISO 27001:2013 is of course far more than great documentation, but
documentation is a key element as it is the ‘glue’ which binds the whole together, so these
two guides are complementary and should be used side-by-side.
3 Content
The documents provided include these Instructions, an over-arching Information security
Manual, a series of supporting Procedures, a range of related Forms, Templates and
Checklists, comprehensive Guidance and more:
Instructions - Doxonomy ISO 27001 2013 Toolkit
27001 Documentation:
(Note: these core procedures are common to each of our management system toolkits, 9001, 14001 etc.)
Doxonomy ISO 27001:2013 Toolkit Page 1 of 11
Control of Corrective and Preventative Action Reporting (CPAR)
Risk Register
Risk Treatment Plan
Statement of Applicability
Statutory and Regulatory Compliance Register
SWOT Template
Training Evaluation Form
Internal Audit:
Auditor Code of Conduct
27001 Step-by-Step
4 Toolkit Scope
The documentation we provide covers businesses of all types.
Because they are written to cover all businesses, many organisations will be able to remove some of the
requirements. For example, if you don’t “develop” software, then the control objectives and
controls for software development can be left out of your ISMS.
5 Doxonomy’s Approach
ISO 27001 is a high level international standard that utilises language which can sometimes
confuse as it tries to find terms and concepts which span multiple cultures and versions of
English.
While we could strictly follow the terms used in the standard, we have decided to improve
clarity and ease of use by sometimes using more ‘common’ language. The standard itself
explicitly states that other terminological approaches may be used, and we are confident that
our documentation remains compliant with ISO 27001.
Some authors create an entirely different structure (in terms of clause numbering) to that
used in the standard, presumably because they think their approach is superior. However,
we consider it best to adopt the numbering scheme of ISO 27001, so that linking the
information security management system content to the standard remains straightforward
and does not require the complex cross-reference table which is otherwise necessary. If you
are going for third party certification in due course, this approach makes it easy for auditors,
and anything that makes it easier for them makes it easier for you!
Other points of note include:
We have not utilised document numbers or reference systems, which in our view are
unnecessary and just add another level of confusion and complexity. We recommend
clear and meaningful document titles which aid usability.
ISO 27001 uses the term “Documented Information” to refer to both “Documents” and
“Records”. We find this confusing, given that different controls are required for each
in the standard, and so have kept the more common split between “Documents” and
“Records”. As noted above, ISO does not require you to adopt the standard’s built-in
terminology to be compliant with the standard.
6 Documentation Overview
Our ISO 27001:2013 documentation adopts the following hierarchy:
8 Document Customisation
While we strive to make our documents suitable for most organisations, all organisations are
different and you will inevitably need to do some customisation.
There are many consultancies who provide services to help you obtain ISO 27001 but they
are of differing quality and can be expensive. In our experience, if you are committed to
understanding how ISO 27001 works and put in the time and effort required, their
involvement need only be limited (and often they are not required). In many ways it is best
done by you, as you will need to understand how ISO 27001 works, and explaining your
business to a consultant can take just as long!
If you do get stuck remember that Google is your friend and that it is often sufficient to halt
work on a tricky issue and come back to it later!
We recommend that, having downloaded your document set from the internet, you
customise them in two phases.
Remember, wherever you see hypertext (underlined blue text) or a symbol in a document
it is a hyperlink to our on-line knowledge base or to third party advice, where you can find
help and guidance.