{"id":4602,"date":"2014-02-03T20:14:28","date_gmt":"2014-02-03T20:14:28","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/014\/02\/03\/is-the-iso-27001-manual-really-necessary\/"},"modified":"2025-07-09T14:45:01","modified_gmt":"2025-07-09T14:45:01","slug":"is-the-iso-27001-manual-really-necessary","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2014\/02\/03\/is-the-iso-27001-manual-really-necessary\/","title":{"rendered":"Is the ISO 27001 Manual really necessary?"},"content":{"rendered":"<p><i data-stringify-type=\"italic\">Updated: January 20, 2025, according to the ISO 27001:2022 revision.<\/i><\/p>\n<p>Sometimes I receive questions on whether the ISO 27001 Manual is required by the standard, and how to write it. I even lost some potential clients because I told them that we do not have such a document and that we do not recommend it. Even worse, I heard some registrars require such a document during the certification audits.<\/p>\n<p>So, let\u2019s clarify all this&#8230;<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">What is the ISO 27001 Manual?<\/h2>\n<p>There are basically two approaches for an <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>\/Information Security Management System (ISMS) Manual:<\/p>\n<p style=\"padding-left: 10px;\">a) The ISO 27001 Manual (very similar to <a href=\"https:\/\/advisera.com\/9001academy\/knowledgebase\/writing-a-short-quality-manual\/\" target=\"_blank\" rel=\"noopener noreferrer\">Quality Manual in ISO 9001<\/a>) could be a document that explains how an organization will comply with the ISO 27001 requirements and which procedures will be used in the ISMS, or<\/p>\n<p style=\"padding-left: 10px;\">b) The ISO 27001 Manual could be a bundle of all the documents that are produced for the ISMS \u2014 basically, the idea here would be to place all the policies, procedures, working 
instructions, forms, etc. into a single book so that they would be easier to read.<\/p>\n<h2><b>Why this makes no sense&#8230;<\/b><\/h2>\n<p>I must say I don\u2019t see much sense in either of these approaches. Here\u2019s why:<\/p>\n<p>The approach under (a) doesn\u2019t make sense because there is a mandatory document in the ISMS that must describe how a company will implement its information security \u2014 it is called the <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=statement-of-applicability\" target=\"_blank\" rel=\"noopener\">Statement of Applicability<\/a>. It must list all the controls from Annex A, and define whether they are applicable and how they will be implemented (or make a reference to documents that describe the details). Therefore, the Statement of Applicability has a very similar function to that of the Quality Manual, so an ISO 27001 Manual with the same purpose makes no sense. 
Learn more here: <a title=\"The importance of Statement of Applicability for ISO 27001\" href=\"https:\/\/advisera.com\/27001academy\/knowledgebase\/the-importance-of-statement-of-applicability-for-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">The importance of Statement of Applicability for ISO 27001<\/a>.<\/p>\n<p>Having all the ISMS policies and procedures stuffed into a single handbook (approach b) makes even less sense \u2014 first of all, most companies implementing ISO 27001 use an intranet for handling documents, so merging documents in electronic form makes them no easier to read; secondly, the longer the documents, the lower the chance someone will read them because not every ISMS document is intended for everyone in an organization; and thirdly \u2014 since individual ISMS documents change rather often, it would be a nightmare to update such a handbook so frequently.<\/p>\n<p>And finally&#8230; ISO 27001 has no mention of an ISMS Manual or anything similar. Most of the confusion here usually comes from companies that implemented <a href=\"https:\/\/advisera.com\/9001academy\/what-is-iso-9001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 9001<\/a> before 2015, when the Quality Manual was mandatory for implementing a Quality Management System; however, no such requirement has existed since ISO 9001:2015.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Don\u2019t waste your time<\/h2>\n<p>So, the conclusion would be \u2014 don\u2019t waste your time creating something that isn\u2019t required, and that doesn\u2019t give you any added value. 
Instead, focus on creating a good <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=statement-of-applicability\" target=\"_blank\" rel=\"noopener\">Statement of Applicability<\/a>, which will be the main document against which you are audited, and which will also give you a clear picture of how security is managed in your company.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Updated: January 20, 2025, according to the ISO 27001:2022 revision. Sometimes I receive questions on whether the ISO 27001 Manual is required by the standard, and how to write it. I even lost some potential clients because I told them that we do not have such a document and that we do not recommend it. 
&#8230;<\/p>\n","protected":false},"author":26,"featured_media":103455,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[133,381,577],"class_list":["post-4602","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-9001","tag-iso-27001","tag-statement-of-applicability"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4602","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4602"}],"version-history":[{"count":4,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4602\/revisions"}],"predecessor-version":[{"id":104325,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4602\/revisions\/104325"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/103455"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4602"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}