
ISO27001 Mandatory Documents

The update from ISO27001:2005 to ISO27001:2013 changed the requirements in two key areas: the documents required and the security management process. I will deal with the management process in a later posting.

The original six documents still apply and are absolutely needed for any ISMS. An auditor will expect to see these before the audit, and will normally ask about them during the audit.

  • Scope of the ISMS (clause 4.3)
  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Risk assessment and risk treatment methodology (clause 6.1.2)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Risk assessment report (clause 8.2)

However, ISO27001:2013 has tightened its expectations of the documentation needed to support the security control implementations. Because these controls sit in the Security Controls Annex (Annex A), and are therefore subject to the Statement of Applicability, some of them may not be implemented at all if no identified risk requires them. Again, an auditor may ask for these documents prior to an audit, either expressly, or more commonly as "Can you send me all your security documents please?". The documents expected under Annex A are:

  • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
  • Inventory of assets (clause A.8.1.1)
  • Acceptable use of assets (clause A.8.1.3)
  • Access control policy (clause A.9.1.1)
  • Operating procedures for IT management (clause A.12.1.1)
  • Secure system engineering principles (clause A.14.2.5)
  • Supplier security policy (clause A.15.1.1)
  • Incident management procedure (clause A.16.1.5)
  • Business continuity procedures (clause A.17.1.2)
  • Statutory, regulatory, and contractual requirements (clause A.18.1.1)

Additionally, specific security records are required to be kept:

  • Records of training, skills, experience and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)
  • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3) – again depending on the Statement of Applicability requiring these controls.

There is no mandated expectation of how long these records should be kept; however, there should be a policy defining the retention period, and that period should be long enough to make the record keeping useful. For example, two or three review cycles would be a reasonable period to keep audit reports.