Organisation & Context

ISO 27001 consists of numbered chapters and an annex (Annex A).
Chapters 4 – 10 address a number of topics with requirements.
In general, the requirement is that each of these topics must be documented.
‘Documented’ means that you need to:
- describe how you address (organise) the topic.
- review the content at least yearly.
“ISO 27001 standard – Chapter 4.1: The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.”
The external audit is organised in 2 stages:
- stage 1: how you have organised and documented your ISMS
- stage 2: how you have implemented and how you maintain your ISMS
To address stage 1, we make use of this section – where we define what your products/services are (the context) – and a template, “ISO27001 Mandatory Topics document”, where we describe how you have (when finalised) organised the security around them.
Start by describing your products/services in this section.
Add New = add a product/service. Don’t make your life or that of the external auditor more difficult: only add products/services that you are currently selling to clients.
Per product:
- Name & Short description
- Customers & third parties involved
- Internal Issues – describe security requirements (e.g. ensure privacy of customer data)
- External Issues – describe third party compliance challenges (e.g., comply with GDPR)
- Company description – you can refer to your sales or investor deck and add that as a document (by making use of +add new field.)
Keep it short and simple. This section is closely related to ‘Interested Parties & Legal Requirements’, because the expectations of all stakeholders are described in that section.
Once you’ve described your products, continue with the organisation of your ISMS. Our Compleye Online Platform is the tool you will use to organise it, and we’ll need to document how that is linked to your activities.
Make use of the template “ISO27001 Mandatory Topics documentation”. This is a template (in PPT) that addresses all mandatory topics in an informal way, using short statements. The template was created and validated for start-up use, has a 95% content fit and describes the relation with the sections you will use in Compleye Online.
TIP: The template addresses a number of topics that are related to other sections of Compleye Online. We advise that you read the template. If you can’t check all the topics yet, that’s ok – the final version only needs to be ready when you are close to certification. For now, the template will give you an idea of what you will be working on during the DIY flow.
Once you have a first draft of this document, add it to the ‘Policies & Procedures’ section as your first document. Create an Improvement with a deadline close to your planned external audit to review this document again, so you’ll be well prepared for stage 1 of your external audit.
This will probably be your first experience of the complexity of documenting compliance, and more than likely not your last. Don’t be discouraged – if you follow our tips and start documenting something, you’ve taken the first big step.
| Field | Value / description | Example |
|---|---|---|
| Product name | Free text field | Web and app platform for end-user information |
| Product description | Free text field | Data analytics on end-user feedback |
| Customers | Free text field on who the customers are | Retail company |
| Third Parties | Free text field | Investors, suppliers, regulators |
| Internal Issues | Free text field (security requirements) | Ensure the privacy of data and security of data servers |
| External Issues | Free text field (third-party compliance challenges) | Comply with GDPR |
| Company description | Free text | Short description of the history, or add a sales/pitch deck by making use of +add field or upload in Procedure/Info |