The basics
ISO 27001 clause 4.4 Information security management system is not described explicitly in the course, because this clause requires the establishment, implementation, maintenance, and continual improvement of an information security management system as a whole. Since this is a very broad topic, it is covered in modules 1 to 6 throughout the course.
Documentation
ISO 27001 clause 4.4 Information security management system does not require writing any document.
The following documents are not mandatory, companies can decide whether to write them:
- documents that describe various security processes
Implementation
ISO 27001 clause 4.4, called “Information Security Management System,” is basically implemented by complying with all the other clauses in the standard. To see the steps in the implementation, you can ask “What are ISO 27001 implementation steps?”
Among other things, clause 4.4 requires you to define the processes that are needed and their interactions – you can implement this using the following steps:
- Once you complete the Statement of Applicability, define which security processes are needed, and which of them you want to document.
- Define each process – what are the inputs, activities, and outputs.
- Once you have an overall picture of all processes and their inputs and outputs, you can understand how they interact – in most cases, outputs from one process will be inputs to another process.
- Documenting those interactions is not mandatory – if you decide to document them, you can do it in two ways: (a) to draw up a process map, or (b) to write a procedure for a process, and include the definition of inputs and outputs in this procedure.
Audit evidence
During the certification audit, the auditor will check the following regarding clause 4 Context of the organization:
- Whether the company has identified the internal and external issues that are relevant to its context.
- Whether you can show the List of legal, regulatory, and contractual requirements.
- Whether you have implemented all of those security requirements.
- Whether you can show the mandatory document – the ISMS Scope document.
- Whether your ISMS is properly implemented across your whole scope.
These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.