Is the ISO 27001 Manual really necessary?


Sometimes I receive questions on whether the ISO 27001 Manual is required by the standard, and how to write it. I even lost some potential clients because I told them that we do not have such a document and that we do not recommend it. Even worse, I heard some registrars require such a document during the certification audits.

So, let’s clarify all this…

What is the ISO 27001 Manual?

There are basically two approaches to an ISO 27001 / Information Security Management System (ISMS) Manual:

a) The ISO 27001 Manual (very similar to the Quality Manual in ISO 9001) could be a document that explains how an organization will comply with the ISO 27001 requirements and which procedures will be used in the ISMS, or

b) The ISO 27001 Manual could be a bundle of all the documents produced for the ISMS – the idea here would be to place all the policies, procedures, working instructions, forms, etc. into a single book so that they are easier to read.


Why this makes no sense…

I must say I don’t see much sense in any of these approaches. Here’s why:

The approach under (a) doesn't make sense because the ISMS already has a mandatory document that describes how a company will implement its information security: the Statement of Applicability. Under clause 6.1.3 d) it must list the necessary controls (including every control from Annex A), state for each whether it is applicable and whether it is implemented, give the justification for inclusions and exclusions, and either describe how the control is implemented or reference the documents that describe the details. The Statement of Applicability therefore has a function very similar to that of the Quality Manual, so an ISO 27001 Manual with the same purpose is redundant. Learn more here: The importance of Statement of Applicability for ISO 27001.

Having all the ISMS policies and procedures stuffed into a single handbook (approach b) makes even less sense. First, most companies implementing ISO 27001 use an intranet or document management system for handling documents, so merging documents that are already in electronic form does not make them any easier to read. Second, the longer a document, the smaller the chance anyone will read it, and not every ISMS document is intended for everyone in the organization: an end user needs the acceptable use policy, not the backup procedure or the supplier security clauses. Third, individual ISMS documents change rather often (a procedure is revised, a new control is added after a risk assessment), so keeping such a handbook current would mean re-issuing the whole book every time, with the version control and distribution headaches that brings.

And finally… ISO 27001 makes no mention of an ISMS Manual or anything similar. Most of the confusion comes from companies that have implemented ISO 9001, because the Quality Manual was a mandatory document in earlier editions of that standard (the 2015 revision dropped the requirement), but no such requirement has ever existed in ISO 27001.

Don’t waste your time

So, the conclusion would be: don't waste your time creating something that isn't required and that gives you no added value. Instead, focus on creating a good Statement of Applicability. It is the main document against which you get audited, and it also gives you a clear picture of how security is managed in your company.


Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.