The most important worldwide standard for information security is ISO 27001. It was released by the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO). Both are renowned international organizations that create international standard. The ISO framework is a collection of standards that businesses can employ. By implementing an Information Security Management System (ISMS), enterprises of any size and in any sector may protect their information methodically and affordably with the aid of ISO 27001. Several of the guidelines that follow will be useful to you:
- Risks: To determine whether a control of this kind is even necessary, you must first evaluate the risks. If there is no danger, then you won't need a document for it; if there is risk, then you still don't need to make a document, but at least you have settled the question of whether the control is necessary or not.
- Compliance: Occasionally, you might be required by law or a contract to develop a certain document. For instance, a rule might ask you to create the Classification Policy, or a client might want you to sign NDAs with your staff.
- Size of your company: Smaller businesses typically have fewer ISO 27001 documents, thus in this situation you should attempt to avoid developing a procedure for every minor task. For instance, if you have 20 employees, you don't need 50 documents for your ISMS. Of course, this technique makes sense if you are a multinational corporation with 10,000 employees and are developing rules where each would have a couple of linked processes, and then a few useful instructions for each procedure.
- Importance: The more crucial a process or activity is, the more likely it is that you will want to establish a policy or procedure to define it. This is because you'll want to ensure that everyone knows how to carry out such a process or activity to prevent failures in your operations. For that proper ISO 27001 ISMS awareness training is also beneficial.
- Number of people involved: It is more likely that you will want to document a process or activity as more people participate in it. For instance, if 100 people are involved, it will be very difficult to verbally instruct them all on how to perform a specific process; it is much simpler to write a procedure that would explicitly explain everything. The necessity for a formal method is not necessary, however, if there are five persons participating because it is likely possible to describe the entire process in a single meeting. However, there is one exception: if only one person is working on a process, you might wish to document it because no one else knows how to do it, ensuring that operations can continue even if this person isn't present.
- Complexity: The likelihood that you will need a written record for a process increases with its complexity because it is hard to retain by memory. At the very least, you will need an ISO 27001 audit checklist for a complex process.
- Maturity: There is probably no need to document a process or action that has been in place for a long time, is well-tuned, and everyone understands exactly how to carry it out.
- Frequency: If you undertake some tasks infrequently, you can choose to write them down so you don't forget how to accomplish them.
The more ISO 27001 ISMS documents you have and the more in-depth they are, the harder it will be to keep them updated and enforce compliance with them among your staff. On the other side, fewer documents that are likewise brief might not spell out your requirements precisely.
Source: https://27001securitycertification.wordpress.com/2023/09/09/consider-the-elements-while-choosing-which-iso-27001-policies-and-procedures-to-write/
