ISO 27001:2013

ISO 27001:2013 is an information security management standard. It defines a set of requirements for an information security management system. The official complete name of this standard is ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements. The requirements are set out in seven sections (clauses 4 to 10 of the standard):

  1. Context of the organization
  2. Leadership
  3. Planning
  4. Support
  5. Operation
  6. Performance evaluation
  7. Improvement

According to ISO/IEC 27001, you must meet every requirement in these clauses if you wish to claim that your information security management system (ISMS) complies with the standard; none of them may be excluded.

What are the benefits of ISO 27001 Information Security Management?

  1. Identifies risks and puts controls in place to manage or eliminate them
  2. Gives you the flexibility to apply controls to all or selected areas of your business
  3. Gains stakeholder and customer trust that their data is protected and confidential information is kept secure
  4. Demonstrates compliance and helps you gain status as a preferred supplier
  5. Meets more tender expectations by demonstrating compliance
  6. Provides customers and stakeholders with confidence in how you manage risk
  7. Allows for the secure exchange of information
  8. Allows you to ensure you are meeting your legal obligations
  9. Helps you to comply with other regulations (e.g. SOX)
  10. Provides you with a competitive advantage
  11. Enhances customer satisfaction, which improves client retention
  12. Brings consistency to the delivery of your service or product
  13. Manages and minimizes risk exposure
  14. Builds a culture of security
  15. Protects the company, its assets, shareholders and directors

Mandatory documents and records required by ISO 27001:2013

Here are the documents you need to have in place if you want to be compliant with ISO 27001. (Please note that documents related to Annex A controls are mandatory only if your risk assessment identifies risks that require those controls to be implemented; a control excluded with justification in the Statement of Applicability needs no document.)

Scope of the ISMS (clause 4.3)

Information security policy and objectives (clauses 5.2 and 6.2)

Risk assessment and risk treatment methodology (clause 6.1.2)

Statement of Applicability (clause 6.1.3 d)

Risk treatment plan (clauses 6.1.3 e and 6.2)

Risk assessment report (clause 8.2)

Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)

Inventory of assets (clause A.8.1.1)

Acceptable use of assets (clause A.8.1.3)

Access control policy (clause A.9.1.1)

Operating procedures for IT management (clause A.12.1.1)

Secure system engineering principles (clause A.14.2.5)

Supplier security policy (clause A.15.1.1)

Incident management procedure (clause A.16.1.5)

Business continuity procedures (clause A.17.1.2)

Statutory, regulatory, and contractual requirements (clause A.18.1.1)

And here are the mandatory records:

Records of training, skills, experience and qualifications (clause 7.2)

Monitoring and measurement results (clause 9.1)

Internal audit program (clause 9.2)

Results of internal audits (clause 9.2)

Results of the management review (clause 9.3)

Results of corrective actions (clause 10.1)

Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

Non-mandatory documents

There are numerous non-mandatory documents that can be used for an ISO 27001 implementation, especially for the security controls in Annex A. In practice, the following non-mandatory documents are the most commonly used:

Procedure for document control (clause 7.5)

Controls for managing records (clause 7.5)

Procedure for internal audit (clause 9.2)

Procedure for corrective action (clause 10.1)

Bring your own device (BYOD) policy (clause A.6.2.1)

Mobile device and teleworking policy (clauses A.6.2.1 and A.6.2.2)

Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)

Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)

Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)

Procedures for working in secure areas (clause A.11.1.5)

Clear desk and clear screen policy (clause A.11.2.9)

Change management policy (clauses A.12.1.2 and A.14.2.4)

Backup policy (clause A.12.3.1)

Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)

Business impact analysis (clause A.17.1.1)

Exercising and testing plan (clause A.17.1.3)

Maintenance and review plan (clause A.17.1.3)

Business continuity strategy (clause A.17.2.1)

Please feel free to write to us at certify@qsv.org.in to request a quote.

© Quality Systems Veritas Certifications - All rights reserved