Customizing ISO 27001 ISMS Templates

ISO 27001 certification requires a collection of documents. There are a number of templates available for purchase online. We use our own ISO 27001 templates so that we can create an individual information security management concept faster and cheaper. The ISO/IEC 27001 standard has an extensive catalogue of mandatory and optional documents that must be presented during the audit. The ISO 27001 standard is modernized every few years: some documents are eliminated, others are expanded or supplemented with additional documents. Watch our short video on the topic of the ISO 27001 template here:


What must an ISO 27001 template contain in 2023?

As you could already see from the video, an ISO 27001 template requires a wealth of documents. With the switch from the ISO 27001:2013 standard to ISO 27001:2022, a few significant changes have occurred:

| What needs to be documented? | ISO 27001 section | Included in the following document(s) |
|---|---|---|
| Scope of the ISMS | Section 4.3 | ISMS Project Document |
| IT security policies | Section 5.2 | Information security policies and objectives |
| Methods for risk evaluation and treatment | Section 6.1.2 | Methods for risk evaluation and treatment |
| Statement of Applicability | Section 6.1.3 d) | Statement of Applicability |
| Risk treatment plan | Sections 6.1.3 e), 6.2 and 8.3 | Risk Management Plan |
| Security objectives | Section 6.2 | List of security objectives |
| Risk assessment and treatment | Sections 8.2 and 8.3 | Risk assessment and treatment report |
| Inventory of assets | Control A.5.9* | Inventory of Assets |
| Permitted usage of assets | Control A.5.10* | IT Security Policy |
| Handling security incidents | Control A.5.26* | Incident Management Procedure |
| Legal, regulatory and contractual requirements | Control A.5.31* | List of legal, regulatory and contractual requirements |
| Security policies in IT management | Control A.5.37* | Security policies in IT Management |
| Definition of security roles and responsibilities | Controls A.6.2 and A.6.6* | Contracts, agreements, NDAs and other responsibilities |
| Definition of security guidelines | Control A.8.9* | Security policies in the IT department |
| Security policies in R&D | Control A.8.27* | Security policies in R&D |

The list must be continually updated and adapted to the respective industry. We therefore regularly update our industry-specific templates of the ISMS management system to the ISO 27001 standard. It makes no sense to go through another expensive round of certification because the auditor has rejected documents that were outdated or incomplete. By continuously improving the templates and checklists, we want to provide our customers with a high-quality set of rules in a time-saving manner at affordable cost.

How do you customize the ISO 27001 ISMS?

In addition to the general documents, the ISO 27001:2022 standard requires certain company-specific documents that provide evidence of the active implementation of the ISMS requirements in everyday operations. A thick folder full of documents is not enough to prove that information security is actually being implemented. The following documents are often requested or expected as active evidence:

| Required documentation | ISO 27001 section | To be included here |
|---|---|---|
| Competence certificates | Section 7.2 | CV, training and education certificates |
| Monitoring results | Section 9.1 | Monitoring report |
| Internal audit programme | Section 9.2 | Internal Audit Program |
| Results of internal audits | Section 9.2 | Internal Audit Report |
| Results of management review | Section 9.3 | Minutes of the management review |
| Results of corrective actions | Section 10.2 | Document on corrective actions |
| Log of events and user behaviour | Control A.8.15* | Automatic system logs |

The documents given here as examples do not always apply to every company. A car dealer has to expect different requirements than, for example, an educational institution or IT infrastructure provider. In some companies, employees use their employer’s mobile devices to provide their customers with the best possible advice during external appointments. The personal data collected there must be protected by appropriate security guidelines (BYOD).

Do free ISO 27001 sample templates help?

You are probably asking whether you can create an ISMS using "ISO 27001 free sample templates". These sample templates represent only a small fraction of all relevant documents. They will certainly help to get a better idea of what the ISO/IEC 27001 standard expects from certified companies.

Without a truly functioning information security management system (ISMS), a certification will not comply with the compliance guidelines of the accreditation bodies. What most business owners and managers overlook is that 80% of the documentation is a standardized set of policies, whereas the remaining 20% require explicit IT specialist knowledge. From the lack of IT expertise evident in the policies, an auditor can recognize that the organization being certified has not met the necessary requirements. ISO/IEC 27001 does not expect small companies (SMEs) to employ IT experts. Many companies have specific IT topics looked after by a trusted IT system house, while simple tasks are usually carried out by an employee with computer skills. To keep the cost of the documentation for the company audit as low as possible, we also work together with a trusted IT system house.

Due to our expertise in SMEs, holding companies and corporate landscapes, we can also help service providers meet regulatory requirements for more complex issues. This also creates new business potential for IT service providers. The operational IT landscape is changing increasingly due to the digital transformation in retail and public authorities. As part of our partner program, we are already helping IT system houses to implement the ISO 27001 standard in their customers' companies.

In this way, we relieve the companies being certified of much of the work that would otherwise go into reformulating free sample templates, which usually do not fully correspond to the current standard. We do not expect our business customers to undergo six months of ISO 27001 basic training in order to adapt the ISMS documentation. Our experts will take care of the adjustment for you at a significantly lower cost. This means you can even acquire an ISO 27001 certificate within 4 weeks. A free template will only waste your time and budget.