{"id":4458,"date":"2014-11-03T19:42:05","date_gmt":"2014-11-03T19:42:05","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/014\/11\/03\/how-to-structure-the-documents-for-iso-27001-annex-a-controls\/"},"modified":"2025-07-10T08:55:46","modified_gmt":"2025-07-10T08:55:46","slug":"how-to-structure-the-documents-for-iso-27001-annex-a-controls","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/11\/03\/how-to-structure-the-documents-for-iso-27001-annex-a-controls\/","title":{"rendered":"How to structure the documents for ISO 27001 Annex A controls"},"content":{"rendered":"<p><em>Updated: April 19, 2023, according to the ISO 27001 2022 revision. <\/em><\/p>\n<p>Once you\u2019ve finished your risk assessment and treatment, it is time for you to start writing documents that describe your security controls according to <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>\u00a0Annex A. But, which documents should you write? How do you structure them? 
Which one do you begin with?<\/p>\n<p>Here\u2019s what I found to be the best way to do it.<\/p>\n<div class=\"post-featured\">\n<div class=\"post-featured--title\">How extensive your ISO 27001 Annex A documentation should be:<\/div>\n<div class=\"post-featured--content\">\n<ul>\n<li>Smaller companies won\u2019t document each control, and they will include several controls in a single document.<\/li>\n<li>Larger companies will tend to have more documents, and the documents will be more detailed.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">How to choose which documents to write<\/h2>\n<p>ISO 27001 says that you cannot simply start to select the controls and\/or write the documents that you like the most \u2013 the point is that selection of controls must be a direct consequence of the risk assessment and risk treatment process. 
See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-risk-assessment-treatment-management\/\" target=\"_blank\" rel=\"noopener\">ISO 27001 Risk Assessment, Treatment, &amp; Management: The Complete Guide<\/a>.<\/p>\n<p>Secondly, you must know which documents are mandatory and which are not \u2013 see this list here: <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/list-of-mandatory-documents-required-by-iso-27001-revision\/\/\" target=\"_blank\" rel=\"noopener\">List of mandatory documents according to the ISO 27001 2022 revision<\/a>.<\/p>\n<p>Finally, once you know which controls must be applied and which documents are mandatory, you must decide how extensive your documentation will be:<\/p>\n<ul>\n<li><strong>Smaller companies<\/strong> will tend to have a smaller number of documents: (1) they won\u2019t document each control, and (2) they will include several controls in a single document.<\/li>\n<li><strong>Larger companies<\/strong> will tend to have more documents, and the documents will be more detailed.<\/li>\n<\/ul>\n<p>However, these are not the only criteria to decide which documents to write \u2013 see also <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/07\/28\/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write\/\" target=\"_blank\" rel=\"noopener noreferrer\">8 criteria to decide which ISO 27001 policies and procedures to write<\/a>.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-92528\" src=\"\/wp-content\/uploads\/\/sites\/5\/2014\/11\/how-extensive-your-iso27001-annex-a-documentation-should-be.png\" alt=\"-\" width=\"2500\" height=\"1406\" srcset=\"\/wp-content\/uploads\/sites\/5\/2014\/11\/how-extensive-your-iso27001-annex-a-documentation-should-be.png 2500w, \/wp-content\/uploads\/sites\/5\/2014\/11\/how-extensive-your-iso27001-annex-a-documentation-should-be-300x169.png 300w, 
\/wp-content\/uploads\/sites\/5\/2014\/11\/how-extensive-your-iso27001-annex-a-documentation-should-be-768x432.png 768w, \/wp-content\/uploads\/sites\/5\/2014\/11\/how-extensive-your-iso27001-annex-a-documentation-should-be-1024x576.png 1024w, \/wp-content\/uploads\/sites\/5\/2014\/11\/how-extensive-your-iso27001-annex-a-documentation-should-be-1536x864.png 1536w, \/wp-content\/uploads\/sites\/5\/2014\/11\/how-extensive-your-iso27001-annex-a-documentation-should-be-2048x1152.png 2048w\" sizes=\"(max-width: 2500px) 100vw, 2500px\" \/><\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Which documents should cover which controls?<\/h2>\n<p>Since Annex A has 93 controls, the truth is that it is not very easy to decide how to group policies and procedures to cover them (see also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-controls\/\" target=\"_blank\" rel=\"noopener\">Understanding the ISO 27001 controls from Annex A<\/a>). The fact that ISO 27001 does not prescribe which controls must be allocated to which policies and\/or procedures might initially seem like a problem, but once you realize that this approach gives you great freedom to adapt the documentation to your real company needs, you will actually become grateful that ISO 27001 is so flexible.<\/p>\n<p>Again, there are two approaches to grouping the documents:<\/p>\n<p><strong>Smaller companies<\/strong> will normally have policies and\/or procedures that cover several controls with one document only \u2013 for instance, you might use:<\/p>\n<ul>\n<li><a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&#038;doc=access-control-policy\" target=\"_blank\" rel=\"noopener noreferrer\">Access Control Policy<\/a> to cover four controls from section A.5 and two controls from section A.8 (without writing detailed procedures)<\/li>\n<li><a 
href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&#038;doc=bring-your-own-device-byod-policy\" target=\"_blank\" rel=\"noopener noreferrer\">BYOD (Bring Your Own Device) Policy<\/a> to cover organizational (A.5.14 &#8211; Information transfer), human (A.6.7 &#8211; Remote working), and technological (A.8.1 &#8211; User endpoint devices) controls<\/li>\n<li><a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&#038;doc=it-security-policy\" target=\"_blank\" rel=\"noopener\">IT Security Policy<\/a>, where you might get even more ambitious and cover controls from various sections of Annex A, since this document could serve as a security baseline for all employees: A.5.9, A.5.10, A.5.11, A.5.14, A.5.17, A.5.32, A.6.7, A.7.7, A.7.9, A.7.10, A.8.1, A.8.7, A.8.10, A.8.12, A.8.13, A.8.19, and A.8.23<\/li>\n<\/ul>\n<p><strong>Bigger companies<\/strong> usually structure the documentation in a different way:<\/p>\n<ul>\n<li>Major security areas will be covered with a policy \u2013 e.g., Human Resources Security Policy, Physical Security Policy, Asset Management Policy, etc.<\/li>\n<li>Each policy will have detailed procedures and\/or working instructions that cover individual controls \u2013 for example, <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/05\/12\/information-classification-according-to-iso-27001\/\" target=\"_blank\" rel=\"noopener\">Information classification<\/a> procedure (for control A.5.12), Information labeling procedure (control A.5.13), Information handling procedure (control A.5.10), etc.<\/li>\n<\/ul>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">The sequence of writing the documents<\/h2>\n<p>Once you have an idea of how to structure the documents, how do you decide where to start, and where to end?<\/p>\n<p>For <strong>smaller companies<\/strong>, you can use a couple of criteria to 
decide which documents to start with:<\/p>\n<ul>\n<li>Areas where you can get quick wins \u2013 this means you select an area where you know you will finish your document quickly, and this way you show your management, your peers (and yourself) that you are capable of doing this job effectively.<\/li>\n<li>Areas where you have the largest risks \u2013 this way you start resolving the biggest problems first. You may not finish this quickly, but sometimes this approach is necessary if your risk assessment has shown you have some very big gaps to fill in.<\/li>\n<li>Areas that are compatible with other running projects in your company \u2013 for example, if your company is currently implementing help desk software, you might want to start writing an <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&#038;doc=incident-management-procedure\" target=\"_blank\" rel=\"noopener noreferrer\">incident management procedure<\/a>, because this will regulate how that software will be used in the context of ISO 27001.<\/li>\n<\/ul>\n<p>For documents that are to be written at the end, my personal preference is documents that cover a larger number of controls (for example, the Acceptable Use Policy). 
This way you will know which controls you covered with other documents, and those that haven\u2019t been described in other policies and procedures can be described in an all-inclusive document at the very end.<\/p>\n<p>Again, <strong>bigger companies<\/strong> will have a different approach \u2013 they will write the policies first, and related procedures\/working instructions second, while for the decision on which policies to start first they can use the same criteria as described above.<\/p>\n<p>So, to conclude, make sure you use this flexibility that ISO 27001 offers you to adapt the documentation to your specific needs \u2013 because the idea is that the documentation serves you, not the other way around.<\/p>\n<p><em>To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses,\u00a0<\/em><a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\">sign up for a free trial<\/a><em> of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Updated: April 19, 2023, according to the ISO 27001 2022 revision. Once you\u2019ve finished your risk assessment and treatment, it is time for you to start writing documents that describe your security controls according to ISO 27001\u00a0Annex A. But, which documents should you write? How do you structure them? Which one do you begin with? 
&#8230;<\/p>\n","protected":false},"author":26,"featured_media":85457,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,402,405,424,504,507,511],"class_list":["post-4458","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-iso-27002","tag-isms","tag-controls","tag-document-management","tag-mandatory-procedures","tag-annex-a"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4458"}],"version-history":[{"count":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4458\/revisions"}],"predecessor-version":[{"id":104343,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4458\/revisions\/104343"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/85457"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}