ISMS DOCUMENTATION
Wan Noor Asiah Bt Wan Mohamad Nawi
INTAN Bukit Kiara
Kuala Lumpur
ISO/IEC 27001:2013 Information Security Management System
Clause 4 Organizational Context
Clause 5 Leadership
Clause 6 Planning
Clause 7 Support
Clause 8 Operation
Clause 9 Performance Evaluation (9.1)
Clause 10 Improvement
Mandatory Documents for ISO/IEC 27001:2013
• Scope of the Information Security Management System (ISMS) - clause 4.3
• Information security policy - clause 5.2
• Information security objectives - clause 6.2
• Risk assessment process - clause 6.1.2
• Risk treatment process - clause 6.1.3
• Statement of Applicability for controls in Annex A - clause 6.1.3 d)
• Risk treatment plan - clause 6.1.3 e)
• Risk assessment report - clause 8.2
• Inventory of assets - clause A.8.1.1
• Acceptable use of assets - clause A.8.1.3
• Access control policy - clause A.9.1.1
• Definition of security roles and responsibilities (should be in the employment agreement) - clause A.7.1.2
• Operating procedures for information security - clause A.12.1.1
• Incident management procedure - clause A.16.1.5
• Business continuity strategy and procedures - clause A.17.1
• Statutory, regulatory and contractual requirements - clause A.18.1.1
Mandatory Documents from Annex A if there are risks found which would require their implementation
• Confidentiality or non-disclosure agreements - clause A.13.2.4
• Secure system engineering principles - clause A.14.2.5
• Supplier security policy - clause A.15.1.1
Non-Mandatory Documents (but commonly used)
• Procedure for document control - clause 7.5
• Controls for managing records - clause 7.5
• Procedure for internal audit - clause 9.2
• Procedure for corrective action - clause 10.1
• Mobile device and teleworking policy - clause A.6.2.1
• Bring your own device (BYOD) policy - clause A.6.2.1
• Information classification policy - clause A.8.2
• User access rights policies, including password control - clause A.9.2
• Disposal and destruction policy - clause A.8.3.2 and clause A.11.2.7
• Procedures for working in secure areas - clause A.11.1.5
• Clear desk and clear screen policy - clause A.11.2.9
• Organisational change management policy - clause A.12.1.2
• Backup policy - clause A.12.3.1
• Software change management policy - clause A.14.2.4
• Information transfer policy - clause A.13.2
• Business impact analysis - clause A.17.1.1
• ISMS continuity controls testing plan - clause A.17.1.3
Mandatory Records
• List of interested parties, legal and other requirements - clause 4.2 and clause 6.1
• Competence (e.g. skills matrix and associated proof of skills) - clause 7.2
• Evidence of communication - clause 7.4
• Monitoring and measurement results - clause 9.1
• Internal audit programme and results - clause 9.2
• Results of management reviews of the ISMS - clause 9.3
• Nonconformities, corrective actions and improvement suggestions - clause 10.1 and clause 10.2
• Logs of user activities, exceptions, faults and security events - clause A.12.4.1
• Logs of system administrator and system user activities, exceptions, faults and security events - clause A.12.4.3
Documented Information (Clause 7.5)
• General (Clause 7.5.1)
• Creating and updating (Clause 7.5.2)
• Control of documented information (Clause 7.5.3)
Procedure for document control - clause 7.5
Documentation Control
• Documented information should be controlled to ensure it is available and suitable for use, where and when it is needed, and that it is adequately protected (e.g. from loss of confidentiality, integrity or availability).
• One mechanism that can be implemented is a procedure (e.g. a Document/Record Control Procedure).
• Documented information should be controlled in terms of:
a) Creation and update
b) Distribution, access, retrieval and use
c) Storage and preservation
d) Control of changes
e) Retention and disposition
Documentation Control
• a) Creation and update
When documented information needs to be created and updated, the following
should be considered:
• identification and description (e.g. a title, date, author, version or reference
number);
• format (e.g. language, software version, graphics) and media
(e.g. paper, electronic);
• review and approval for suitability and adequacy;
Documentation Control
• b) Distribution, access, retrieval and use
• Distribution, access, retrieval and use of documented information must be controlled so that confidentiality is preserved: information is accessible only to those authorised to have access.
• It should also address availability: authorised users can reach the information and associated assets when they need them.
• This can be achieved by having the following:
• Distribution details (e.g. recipient name, number of copies, location, receipt date);
• Access, retrieval and usage control (e.g. level of access, what to be accessed/ retrieved,
access/retrieval time, duration of access/retrieval, method to be used and validity period, number
of retrieval);
• If access, retrieval or usage is via a system or online, audit trails or access logs need to be produced and kept;
• Regular review of granted access rights (including new requests for access/retrieval, and termination or revocation of access).
Documentation Control
c) Storage and preservation
• In terms of storage and preservation of documented information, the
following needs to be considered:
• Medium of storage (e.g. online, hardcopy or softcopy);
• Capacity of storage (e.g. how long data are able to be kept or archived to);
• Access rights for person to store documented information
Documentation Control
d) Control of changes
• Modification of documented information should be controlled in terms of the
following:
• Modification details (e.g. name of person, date of changes, history logs, version
numbers);
• Reason for the changes.
Documentation Control
e) Retention and Disposition
• Retention and disposition of documented information should be controlled
in terms of the following:
• Retention period (e.g. how long data should be kept). The retention period is subject to the organisation's regulatory and/or security requirements;
• Reasons for retention (e.g. why the documented information needs to be kept; for some organisations the reason may be a legal obligation);
• Disposition details (e.g. responsible person, date of disposal, which documented information needs to be disposed of and why).
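The five controls above (creation and update, distribution and access, storage and preservation, control of changes, retention and disposition) can be put into a single register. The following is an added example, not code from the original slides or from any INTAN procedure: a minimal document-control register that records version metadata and a SHA-256 digest on every update, refuses to distribute an unapproved version, keeps an audit trail of every retrieval attempt, detects tampering with stored versions, and computes the earliest disposition date. The document identifier format, the owner and approver names, the seven-year retention period and the sample document are all assumptions chosen for illustration.

```python
"""Document-control register for ISMS documented information (added example).

Assumptions: document IDs look like "ISMS-PRO-07", retention is counted in
whole years from the last change, and the sample document below is constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Version:
    number: int
    content: str
    author: str
    changed_on: date
    reason: str
    sha256: str                  # integrity check value of `content`
    approved_by: str | None = None


@dataclass
class ControlledDocument:
    doc_id: str                  # reference number (assumed format, e.g. "ISMS-PRO-07")
    title: str
    retention_years: int         # assumption: retention counted from the last change
    versions: list[Version] = field(default_factory=list)
    access_log: list[tuple[date, str, str]] = field(default_factory=list)

    @staticmethod
    def _digest(content: str) -> str:
        return hashlib.sha256(content.encode("utf-8")).hexdigest()

    def update(self, content: str, author: str, reason: str, on: date) -> Version:
        """a) Creation and update / d) control of changes: a new version number,
        author, date, reason and digest are recorded; old versions stay as history."""
        version = Version(len(self.versions) + 1, content, author, on, reason,
                          self._digest(content))
        self.versions.append(version)
        return version

    def approve(self, approver: str) -> None:
        """Review and approval: only an approved version may be distributed."""
        self.versions[-1].approved_by = approver

    def retrieve(self, user: str, on: date, authorised: set[str]) -> str:
        """b) Distribution, access, retrieval and use: only authorised users get the
        current approved version, and every attempt (granted or denied) is logged."""
        if user not in authorised:
            self.access_log.append((on, user, "DENIED"))
            raise PermissionError(f"{user} is not authorised to retrieve {self.doc_id}")
        current = self.versions[-1]
        if current.approved_by is None:
            raise RuntimeError(f"{self.doc_id} v{current.number} has not been approved")
        self.access_log.append((on, user, f"READ v{current.number}"))
        return current.content

    def verify_integrity(self) -> bool:
        """c) Storage and preservation: detect modification of any stored version."""
        return all(self._digest(v.content) == v.sha256 for v in self.versions)

    def disposition_date(self) -> date:
        """e) Retention and disposition: earliest date the document may be disposed of."""
        last = self.versions[-1].changed_on
        try:
            return last.replace(year=last.year + self.retention_years)
        except ValueError:       # 29 February falling in a non-leap target year
            return last.replace(year=last.year + self.retention_years, day=28)


def build_sample_register() -> ControlledDocument:
    """Constructed sample (not real data): one procedure with two approved versions."""
    doc = ControlledDocument("ISMS-PRO-07", "Document and Record Control Procedure",
                             retention_years=7)
    doc.update("Draft: all ISMS documents carry a title, version and owner.",
               author="owner1", reason="initial issue", on=date(2021, 3, 1))
    doc.approve("ciso")
    doc.update("Rev 2: added retention period and disposal sign-off.",
               author="owner1", reason="internal audit finding", on=date(2022, 6, 15))
    doc.approve("ciso")
    return doc


if __name__ == "__main__":
    register = build_sample_register()
    readers = {"auditor", "ciso"}
    print(register.retrieve("auditor", date(2022, 7, 1), readers))
    try:
        register.retrieve("guest", date(2022, 7, 1), readers)
    except PermissionError as exc:
        print(exc)
    print("integrity ok:", register.verify_integrity())
    print("dispose after:", register.disposition_date())
    for entry in register.access_log:
        print(entry)
```

The digest is what turns "storage and preservation" into a check rather than a statement of intent: if anyone edits a stored version outside the register, `verify_integrity()` fails, which is the kind of evidence an internal auditor asks for under Clause 7.5.3.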
Document vs Record
Documented Information = Document + Record
ISO/IEC 27000, 2.23: Documented Information - information required to be controlled and maintained by an organization and the medium on which it is contained
Examples of documents:
• ISMS Manual
• ICT Security Policy (DKICT)
• ISMS Procedures
• Standard Operating Procedures (SOP)
• Supporting documents (circulars, guidelines, contracts)
• User guides
• ISO/IEC 27001 standard (clauses and annex)
• Legal requirements
• Regulatory requirements
Examples of records:
• Data centre entry/exit log book (A.11.1.2 Physical entry controls)
• Asset disposal form (A.8.3.2 Disposal of media)
• Change control form (A.12.1.2 Change management)
• Contract agreements (A.7.1.2 Terms and conditions of employment)
• ISMS records
• Meeting minutes
Difference Between Policies & Procedures vs. SOPs
Policies and Procedures:
1. Generalized view
2. Often remain the same within a department or across the company as a whole
3. In general, policies and procedures come first
4. Policies and procedures create more likelihood of a standardized product or service
5. Policies and procedures generally come from upper management
Standard Operating Procedures:
1. Ways to get work done
2. Specifics of how a task is to be accomplished
3. Standard operating procedures are drawn up after a company determines its policies and procedures
4. SOPs ensure that a product or service comes out the same way every time
5. A department or shift manager oversees and enforces most standard operating procedures
Internal Audit Checklist
Security Matrix
ISO 27001 Clause 9.1 Performance evaluation: Monitoring, measurement, analysis & evaluation
For monitoring and measurement, the organization establishes:
• What to monitor and measure
• Who monitors and measures
• Methods to be used to produce valid results
For analysis and evaluation, the organization establishes:
• Who analyses and evaluates the results from monitoring and measurement, and when
• Methods to be used to produce valid results
There are two aspects of evaluation:
• Evaluating the information security performance: how well the processes within the ISMS meet their specifications;
• Evaluating the effectiveness of the ISMS: determining the extent to which the information security objectives are achieved.