{"id":4430,"date":"2015-01-12T19:19:52","date_gmt":"2015-01-12T19:19:52","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/015\/01\/12\/explanation-of-the-basic-terminology-in-iso-standards\/"},"modified":"2025-07-10T09:40:30","modified_gmt":"2025-07-10T09:40:30","slug":"explanation-of-the-basic-terminology-in-iso-standards","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2015\/01\/12\/explanation-of-the-basic-terminology-in-iso-standards\/","title":{"rendered":"Explanation of the basic terminology in ISO standards"},"content":{"rendered":"<p><em>Updated 2015-12-11: Number of mandatory clauses<\/em><\/p>\n<p>When I deliver various trainings for <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>\u00a0and <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301<\/a>, it always turns out that one of the hottest topics is about which policies and procedures need to be documented, and which do not.<\/p>\n<p>Of course, there are some other heated discussions as well, but many of those happen because for someone new in the ISO world (not only in ISO 27001 and ISO 22301, but also in <a href=\"https:\/\/staging.advisera.com\/9001academy\/what-is-iso-9001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 9001<\/a>, <a href=\"https:\/\/staging.advisera.com\/14001academy\/what-is-iso-14001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 14001<\/a>, <a href=\"https:\/\/staging.advisera.com\/20000academy\/what-is-iso-20000\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 20000<\/a>, etc.) 
it is not easy to understand some specific wording in those standards \u2013 here is the explanation of the terms that cause the most common doubts.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Which policies and procedures need to be documented?<\/h2>\n<p>When you see the words <em>policy<\/em> or <em>procedure<\/em> in an ISO standard, this does not mean that such a document needs to be written. A policy or a procedure needs to be written only if the word <em>documented<\/em> stands next to it.<\/p>\n<p>For example, the <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=access-control-policy\" target=\"_blank\" rel=\"noopener noreferrer\">Access control policy<\/a>\u00a0from ISO 27001:2013 control A.9.1.1 needs to be written down because the control says \u201c\u2026 policy shall be established, <em>documented<\/em>, and \u2026.\u201d As opposed to that, the\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=backup-policy\" target=\"_blank\" rel=\"noopener noreferrer\">Backup policy<\/a>\u00a0does not need to be written down because control A.12.3.1 of ISO 27001:2013 only refers to \u201can agreed backup policy\u201d and does not use the word <em>documented<\/em>. Bear in mind, though, that clause 7.5.1 of ISO 27001 also requires any documented information that your organization itself determines to be necessary for the effectiveness of the ISMS, so you may still decide to write a policy down if that is the only way to show an auditor that it is applied consistently.<\/p>\n<p>Why do ISO standards mention the words <em>policy<\/em> or <em>procedure<\/em> if they don\u2019t need to be documented? Because a policy or a procedure can also be expressed verbally, without writing it down. For example, you can define a simple procedure (like answering the phone) quite precisely by verbally agreeing with all participants on how it needs to be done \u2013 you don\u2019t need to write a document for it. 
Also, some policies can be a part of the information systems configuration (e.g., the <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=password-policy\" target=\"_blank\" rel=\"noopener\">password policy<\/a>) without having a separate document for it; in that case, the configuration itself is the evidence that the policy exists and is enforced.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">The difference between <em>shall<\/em> and <em>should<\/em><\/h2>\n<p>You need to implement a certain requirement of the standard only if you see the word <em>shall<\/em> \u2013 when you see <em>should<\/em>, this is not mandatory. This difference is most obvious between the standards that specify requirements (e.g., ISO 27001) and the standards that are only guidelines (e.g., ISO 27002) \u2013 in ISO 27001 you will repeatedly see the word <em>shall<\/em>, whereas ISO 27002 primarily uses <em>should<\/em>.<\/p>\n<p>This is because ISO 27001 is a standard against which your company can get certified, so it specifies what you must do to comply with it; ISO 27002 is only a guideline for implementation, so this is something you may or may not use. See this article for a detailed explanation: <a href=\"\/27001academy\/knowledgebase\/iso-27001-vs-iso-27002\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001 vs. 
ISO 27002<\/a>.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Which parts of the standard are mandatory?<\/h2>\n<p>Basically, only the main part of the standard (clauses 1 to 10) is mandatory; however, in most standards only clauses 4 to 10 contain the requirements that are assessed for certification, because clauses 1 to 3 cover the scope, normative references, and terms and definitions. The annexes must be implemented only if they have the word <em>normative<\/em> next to them.<\/p>\n<p>For example, Annex A of ISO 27001:2013 is called \u201cAnnex A (normative) Reference control objectives and controls,\u201d which means it must be implemented (of course, whether each control is implemented depends on the result of the risk assessment, and every exclusion has to be justified in the Statement of Applicability). As opposed to that, Annexes A and B in ISO 9001:2008 are informative, which means they are not mandatory \u2013 they exist only to give you some additional information.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">What can you exclude from the scope?<\/h2>\n<p>Be aware when you see the word <em>scope<\/em>, because it is defined rather differently from one ISO standard to another.<\/p>\n<p>For example, when defining your scope in ISO 27001, you shouldn\u2019t read only clause 1 called \u201cScope,\u201d but also clause 4.3 called \u201cDetermining the scope of the information security management system.\u201d When the word <em>scope<\/em> is mentioned in ISO 27001, it does not mean you can exclude some controls because you don\u2019t like them or because you think they are too expensive; the exclusion of controls is allowed only after you assess the risks \u2013 once you realize there are no risks that would require certain controls. 
See also <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/how-to-define-the-isms-scope\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to define the ISMS scope<\/a>.<\/p>\n<p>On the other hand, exclusions from the scope in ISO 9001:2008 are much better explained (clause 1.2 \u201cApplication\u201d) since these exclusions are more straightforward \u2013 you can decide to exclude certain requirements from clause 7 without performing a risk assessment first, as long as you can justify that the exclusion does not affect your ability to provide products that meet customer and regulatory requirements.<\/p>\n<p>In ISO 22301, scope is defined in clauses 1 \u201cScope\u201d and 4.3.2 \u201cScope of the BCMS.\u201d As opposed to ISO 27001, the exclusions from the scope are not based on a risk assessment \u2013 to define ISO 22301 exclusions, you have to make sure that they won\u2019t affect the organizational resilience; therefore, some smaller analysis will be required beforehand.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Make your implementation easier<\/h2>\n<p>What\u2019s the point of all this? If you understand how the ISO standards are written, you will have a much easier job in implementing them. 
For example, you don\u2019t need a document each time a <em>policy<\/em> or a <em>procedure<\/em> is mentioned; you don\u2019t need to implement something unless it says <em>shall<\/em>; you don\u2019t need to implement all the annexes, only the ones that are normative; and finally, if you set your scope correctly at the very beginning, you will have a much easier job throughout your whole implementation.<\/p>\n<p>So make sure you read the standards correctly.<\/p>\n<p><em>To acquire ISO knowledge beneficial for your auditor or implementer career, find a range of\u00a0<\/em><a href=\"https:\/\/advisera.com\/training\/\" target=\"_blank\" rel=\"noopener\">ISO online courses<\/a>\u00a0<em>available to you anytime.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Updated 2015-12-11: Number of mandatory clauses When I deliver various trainings for ISO 27001\u00a0and ISO 22301, it always turns out that one of the hottest topics is about which policies and procedures need to be documented, and which do not. 
Of course, there are some other heated discussions as well, but many of those happen &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[133,292,380,381,472],"class_list":["post-4430","post","type-post","status-publish","format-standard","hentry","category-blog","tag-iso-9001","tag-iso-14001","tag-iso-22301","tag-iso-27001","tag-iso-20000"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4430","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4430"}],"version-history":[{"count":3,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4430\/revisions"}],"predecessor-version":[{"id":104346,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4430\/revisions\/104346"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}