Customizing ISO 27001 ISMS Templates
ISO 27001 certification requires a collection of documents. A number of templates are available for purchase online. We use our own ISO 27001 templates so that we can create an individual information security management concept faster and at lower cost. The ISO/IEC 27001 standard has an extensive catalogue of mandatory and optional documents that must be presented during the audit. The ISO 27001 standard is revised every few years: some documents are dropped, others are expanded or supplemented with additional documents. Watch our short video on the topic of the ISO 27001 template here:
What must an ISO27001 template contain in 2023?
As you could already see from the video, an ISO 27001 template requires a wealth of documents. With the switch from the ISO 27001:2013 standard to ISO 27001:2022, a few significant changes have occurred:
| What needs to be documented? | ISO 27001 Chapters | Included in the following documents |
|---|---|---|
| Scope of ISMS | Section 4.3 | ISMS Project Document |
| IT Security Policies | Section 5.2 | Information security policies and objectives |
| Methods for risk evaluation and treatment | Section 6.1.2 | Methods for risk evaluation and treatment |
| Statement of Applicability | Section 6.1.3 d) | Statement of Applicability |
| Risk Treatment Plan | Sections 6.1.3 e), 6.2 and 8.3 | Risk Management Plan |
| Security objectives | Section 6.2 | List of security objectives |
| Risk assessment and treatment | Sections 8.2 and 8.3 | Risk assessment and treatment report |
| Inventory of Assets | Control A.5.9* | Inventory of Assets |
| Permitted usage of Assets | Control A.5.10* | IT Security Policy |
| Handling security incidents | Control A.5.26* | Incident Management Procedure |
| Legal, regulatory and contractual requirements | Control A.5.31* | List of legal, regulatory and contractual requirements |
| Security policies in IT Management | Control A.5.37* | Security policies in IT Management |
| Definition of security roles and responsibilities | Controls A.6.2 and A.6.6* | Contracts, Agreements, NDAs and other responsibilities |
| Definition of Security guidelines | Control A.8.9* | Security policies in the IT department |
| Security policies in R&D | Control A.8.27* | Security policies in R&D |
The list must be continually updated and adapted to the respective industry. We therefore regularly update our industry-specific ISMS templates to the current ISO 27001 standard. It makes no sense to go through another expensive round of certification because the auditor has rejected outdated or incomplete documents. By continuously improving the templates and checklists, we want to provide our customers with a high-quality set of rules in a time-saving manner and at affordable cost.
How do you customize the ISO 27001 ISMS?
In addition to the general documents, the ISO 27001:2022 standard requires certain company-specific documents that provide evidence of the active implementation of the ISMS requirements in everyday operations. A thick folder full of documents is not enough to prove that information security is actually being practised. The following documents are often requested or expected as active evidence:
| Required documentation | ISO 27001 Sections | Included in the following documents |
|---|---|---|
| Competence certificates | Section 7.2 | CV, training and education certificates |
| Monitoring results | Section 9.1 | Monitoring report |
| Internal audit programme | Section 9.2 | Internal Audit Program |
| Results of internal audits | Section 9.2 | Internal Audit Report |
| Results of management review | Section 9.3 | Minutes of management review |
| Results of corrective actions | Section 10.2 | Document on corrective actions |
| Logging of events and user behaviour | Control A.8.15* | Automatic system logs |
Do free ISO 27001 sample templates help?
You are probably asking whether you can create an ISMS using "ISO 27001 free sample templates". These sample templates represent only a small fraction of all relevant documents. They will certainly help you get a better idea of what the ISO/IEC 27001 standard expects from certified companies.
Without a truly functioning information security management system (ISMS), a certification will not comply with the compliance guidelines of the accreditation bodies. What most business owners and managers overlook is that 80% of the documentation is a standardized set of policies, while the remaining 20% requires explicit IT specialist knowledge. From a lack of IT expertise in the policies, an auditor can recognize that the organization being certified has not met the necessary requirements. ISO/IEC 27001 does not expect small companies (SMEs) to employ IT experts. Many companies have specific IT topics looked after by a trusted IT system house, while simple tasks are usually carried out by an employee with computer skills. To keep the cost of the documentation for the company audit as low as possible, we also work together with a trusted IT system house.
Due to our expertise in SMEs, holding companies and corporate landscapes, we can also help service providers meet regulatory requirements for more complex issues. This also creates new business potential for IT service providers. The operational IT landscape is changing increasingly due to the digital transformation in retail and public authorities. As part of our partner program, we are already helping IT system houses to implement the ISO 27001 standard in their customers' companies.
In this way, we relieve the companies being certified of much of the workload that would otherwise go into reformulating free sample templates, which usually do not fully correspond to the current standard. We do not expect our business customers to undergo six months of ISO 27001 basic training in order to adapt the ISMS documentation. Our experts will take care of the adjustment for you at a significantly lower cost. This means you can even acquire an ISO 27001 certificate within 4 weeks. A free template will only waste your time and budget.