The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

Is the ISO 27001 Manual really necessary?

Sometimes I receive questions on whether the ISO 27001 Manual is required by the standard, and how to write it. I even lost some potential clients because I told them that we do not have such a document and that we do not recommend it. Even worse, I heard some registrars require such a document during the certification audits.

So, let’s clarify all this…

What is the ISO 27001 Manual?


There are basically two approaches to an ISO 27001/Information Security Management System (ISMS) Manual:

a) The ISO 27001 Manual (very similar to the Quality Manual in ISO 9001) could be a document that explains how an organization will comply with the ISO 27001 requirements and which procedures will be used in the ISMS, or

b) The ISO 27001 Manual could be a bundle of all the documents that are produced for the ISMS – basically, the idea here would be to place all the policies, procedures, working instructions, forms, etc. into a single book so that they would be easier to read.

Why this makes no sense…

I must say I don’t see much sense in any of these approaches. Here’s why:

The approach under (a) doesn’t make sense because there is already a mandatory document in the ISMS that must describe how a company will implement its information security – it is called the Statement of Applicability. It must list all the controls from Annex A, and define whether they are applicable and how they will be implemented (or make a reference to the documents that describe the details). Therefore, the Statement of Applicability has a function very similar to that of the Quality Manual, so an ISO 27001 Manual with the same purpose makes no sense. Learn more here: The importance of Statement of Applicability for ISO 27001.

Having all the ISMS policies and procedures stuffed into a single handbook (approach b) makes even less sense – first of all, most companies implementing ISO 27001 use an intranet for handling documents, so merging documents in electronic form makes them no easier to read; secondly, the longer the documents, the smaller the chance someone will read them, because not every ISMS document is intended for everyone in an organization; and thirdly – since individual ISMS documents change rather often, it would be a nightmare to update such a handbook so frequently.

And finally… ISO 27001 makes no mention of an ISMS Manual or anything similar. Most of the confusion here usually comes from companies that have implemented ISO 9001, because a Quality Manual is mandatory when implementing a QMS, but no such requirement exists in ISO 27001.

Don’t waste your time

So, the conclusion would be – don’t waste your time creating something that isn’t required and that doesn’t give you any added value. Instead, focus on creating a good Statement of Applicability, which will be the main document against which you get audited, and which will also give you a clear picture of how security is managed in your company.
