ISO 27001:2013 Mandatory & non-Mandatory Policies

A short list of all mandatory and non-mandatory ISO 27001:2013 policies.

NOTE: Prodigy 13 encourages all of its clients to implement as many of these policies as possible since they are beneficial to your organization, and reduce any possible friction with the auditing team.

ISMS Management Policies

00-ISMS Master List of Documents
01-ISMS Scope of the ISMS
02-ISMS Information Security Management System (“ISMS”) Policy
03-ISMS Roles, Responsibilities, and Authorities
04-ISMS Risk Assessment and Risk Treatment Process
05-ISMS Procedure for the Control of Documented Information
06-ISMS Information Security Communication Plan
07-ISMS Procedure for Internal Audits
08-ISMS Procedure for Management Review
09-ISMS Procedure for Corrective Action and Continual Improvement
10-ISMS Information Security Objectives Plan
11-ISMS Statement of Applicability (“SoA”)
12-ISMS Relevant Laws, Regulations, and Contractual Requirements

Information Security Policies

Access Control Policy
Asset Management Policy
Business Continuity and Disaster Recovery Plan
Code of Conduct
Cryptography Policy
Data Management Policy
Human Resource Security Policy
Incident Response Plan
Information Security Policy
Information Security Roles and Responsibilities
Operations Security Policy
Physical Security Policy
Risk Management Policy
Secure Development Policy
Third-Party Management Policy

Pre-Audit Checklist

  1. Define scope of the organization’s ISMS
  2. Establish an ISMS governing body (team):
    1. Incorporate key members of top management (e.g. senior leadership and executive management with responsibility for strategy and resource allocation)
  3. Establish ISMS policies, including:
    1. Risk Assessment Policy
    2. Information Security Policy
    3. Internal Audit Policy
    4. Information Security Objectives
    5. Management Review Meetings
  4. Conduct and document risk assessment
    1. Risk methodology and risk treatment plans must be documented
  5. Define in-scope Annex A controls in the Statement of Applicability
    1. Descope sections 11.1 and 11.2 if the company is fully cloud/remote and does not host data
  6. Install automatic evidence agent (such as Vanta) on company devices and assets
    1. Track completion of security awareness training, background checks, policy acceptances, etc.
  7. Verify automated tests are passing (Engineering, Policy, Risks sections)
  8. Perform and document management review meetings
  9. Conduct internal audit prior to scheduling of external audit
    1. Can be performed by a company employee who is impartial to the ISMS and sufficiently competent, or by a third party (consultant)
    2. Document results of the internal audit in a GRC management system (like Vanta, Tugboat, etc.)

Another useful checklist is provided by one of our GRC partners, Vanta, at: https://www.vanta.com/infographics/your-iso-27001-compliance-checklist

Mandatory Documents / Policies (Clauses):

  • 4. Context of the organization
    • 4.1 Understanding the organization and its context
    • 4.2 Understanding the needs and expectations of interested parties
    • 4.3 Determining the scope of the ISMS
  • 5. Leadership
    • 5.1 Leadership and commitment
    • 5.2 Policies
    • 5.3 Organizational roles, responsibilities, and authorities
  • 6. Planning
    • 6.1 Actions to address risks and opportunities
    • 6.1.1 General; 6.1.2 / 8.2 Information security risk assessment
    • 6.1.3 / 8.3 Information security risk treatment
    • 6.1.3 Statement of Applicability
    • 6.2 Information security objectives and planning to achieve them
  • 7. Support
    • 7.1 Resources
    • 7.2 Competence
    • 7.3 Awareness
    • 7.4 Communication
    • 7.5 Documented Information
      • 7.5.1 General
      • 7.5.2 Creating and updating
      • 7.5.3 Control of documented information
  • 9. Performance Evaluation
    • 9.1 Monitoring, measurement, analysis, and evaluation
    • 9.2 Internal audit
    • 9.3 Management review
  • 10. Improvement
    • 10.1 Nonconformity and corrective action
    • 10.2 Continual improvement

Non-mandatory Documents

  • Procedure for document control (clause 7.5)
  • Controls for managing records (clause 7.5)
  • Procedure for internal audit (clause 9.2)
  • Procedure for corrective action (clause 10.1)
  • Bring your own device (BYOD) policy (clause A.6.2.1)
  • Mobile device and teleworking policy (clause A.6.2.1)
  • Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
  • Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
  • Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
  • Procedures for working in secure areas (clause A.11.1.5)
  • Clear desk and clear screen policy (clause A.11.2.9)
  • Change management policy (clauses A.12.1.2 and A.14.2.4)
  • Backup policy (clause A.12.3.1)
  • Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
  • Business impact analysis (clause A.17.1.1)
  • Exercising and testing plan (clause A.17.1.3)
  • Maintenance and review plan (clause A.17.1.3)
  • Business continuity strategy (clause A.17.2.1)
