How detailed should the ISO 27001 documents be?

When starting to write a policy or a procedure, you’re probably puzzled as to how lengthy it should be. And the truth is, ISO 27001 (as well as other ISO standards like ISO 20000, ISO 9001ISO 14001 and others) are very flexible in this respect. They basically allow you the freedom to decide for yourself what level of detail you are going to write in your documents.

Criteria for deciding on the level of detail

So, before you start writing your documentation, you should go through these criteria to decide how detailed your policies and procedures should be:

Level of complexity. The more complex the process or activity is, the more details you will have to write. Of course, if your process has 5 very simple steps you will write your whole procedure in a single page, but if the process has 100 steps – some of which are really difficult – you may come up with a document that is a few dozen pages long.

Maturity. If a process or activity is complex, but practice has proved there are few problems with it because employees have been performing it the same way for years and know exactly how it is done, you don’t have to write a very lengthy document.

How often they are performed. If the process or activity is performed rarely, then you will probably have to explain it in more detail – this is because your employees will tend to forget how the process or activity is done; if it is performed very regularly, the document will be much shorter.

Importance/risks. The more important the activity or process is, the more detailed the documents tend to be, because you’ll want to make sure everyone understands exactly how to perform it. For example, if you have many risks that are related to information systems access control, you should describe those rules in more detail; on the other hand, if your physical security is not really an issue, you will describe it only generally (or avoid writing a document at all).

Compliance. In some cases, you will have auditors coming to your company from regulatory bodies and/or from your important clients – if they expect to see a very detailed, e.g., BYOD policy, then make your life easier and give them that nice-looking, detailed policy.

The decision on how many documents you want to have and how detailed they should be is a strategic one – you should make such a decision even before starting your ISO 27001 project. See also: 8 criteria to decide which ISO 27001 policies and procedures to write.

Once you start writing the documents, use this article: Seven steps for implementing policies and procedures.

Problems with complex documentation

Many information security professionals fall into the trap of thinking “we’ll describe all the security rules in detail → everyone will know exactly what to do → we will have higher level of security,” but it doesn’t work this way. Complex documents require a lot of effort to maintain, and even worse: employees dislike reading lengthy policies and procedures.

So remember, the fewer documents you have and the less complex they are, the greater the chances your employees will comply with them. Therefore, don’t get too ambitious when writing your documents; but do get ambitious in asking the security rules to be implemented.

See here free samples of documents that are optimized for smaller and mid-sized companies: Free preview of ISO 27001 Documentation Toolkit.

Here you can learn about the ISO 27001 requirements and structure.

Advisera Dejan Kosutic
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.