{"id":4482,"date":"2014-09-22T18:25:28","date_gmt":"2014-09-22T18:25:28","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/014\/09\/22\/detailed-iso-27001-documents\/"},"modified":"2025-07-10T08:45:20","modified_gmt":"2025-07-10T08:45:20","slug":"detailed-iso-27001-documents","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/09\/22\/detailed-iso-27001-documents\/","title":{"rendered":"How detailed should the ISO 27001 documents be?"},"content":{"rendered":"<p><div id=\"side-banner-trigger\" class=\"banner-shortcode\"><\/div><br \/>\nWhen starting to write a policy or a procedure, you\u2019re probably puzzled as to how lengthy it should be. And the truth is, <a title=\"ISO 27001\" href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>\u00a0(as well as other ISO standards like <a title=\"ISO 20000\" href=\"https:\/\/staging.advisera.com\/20000academy\/what-is-iso-20000\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 20000<\/a>, <a title=\"ISO 9001\" href=\"https:\/\/staging.advisera.com\/9001academy\/what-is-iso-9001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 9001<\/a>,\u00a0<a title=\"ISO 14001\" href=\"https:\/\/staging.advisera.com\/14001academy\/what-is-iso-14001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 14001<\/a>\u00a0and others) are very flexible in this respect. 
They basically allow you the freedom to decide for yourself what level of detail you are going to write in your documents.<br \/>\n<div id=\"middle-banner\" class=\"banner-shortcode\"><\/div><script>loadMiddleBanner();<\/script><\/p>\n<h2>Criteria for deciding on the level of detail<\/h2>\n<p>So, before you start writing your documentation, you should go through these criteria to decide how detailed your policies and procedures should be:<\/p>\n<p><strong>Level of complexity.<\/strong> The more complex the process or activity is, the more details you will have to write. Of course, if your process has 5 very simple steps you will write your whole procedure in a single page, but if the process has 100 steps \u2013 some of which are really difficult \u2013 you may come up with a document that is a few dozen pages long.<\/p>\n<p><strong>Maturity.<\/strong> If a process or activity is complex, but practice has proved there are few problems with it because employees have been performing it the same way for years and know exactly how it is done, you don\u2019t have to write a very lengthy document.<\/p>\n<p><strong>How often they are performed.<\/strong> If the process or activity is performed rarely, then you will probably have to explain it in more detail \u2013 this is because your employees will tend to forget how the process or activity is done; if it is performed very regularly, the document will be much shorter.<\/p>\n<p><strong>Importance\/risks.<\/strong> The more important the activity or process is, the more detailed the documents tend to be, because you\u2019ll want to make sure everyone understands exactly how to perform it. 
For example, if you have many risks that are related to information systems access control, you should describe those rules in more detail; on the other hand, if your physical security is not really an issue, you will describe it only generally (or avoid writing a document at all).<\/p>\n<p><strong>Compliance.<\/strong> In some cases, you will have auditors coming to your company from regulatory bodies and\/or from your important clients \u2013 if they expect to see a very detailed, e.g., <a title=\"BYOD policy\" href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=bring-your-own-device-byod-policy\" target=\"_blank\" rel=\"noopener\">BYOD policy<\/a>, then make your life easier and give them that nice-looking, detailed policy.<\/p>\n<p>The decision on how many documents you want to have and how detailed they should be is a strategic one \u2013 you should make such a decision even before starting your ISO 27001 project. 
See also: <a title=\"8 criteria to decide which ISO 27001 policies and procedures to write\" href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/07\/28\/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write\/\" target=\"_blank\" rel=\"noopener noreferrer\">8 criteria to decide which ISO 27001 policies and procedures to write<\/a>.<\/p>\n<p>Once you start writing the documents, use this article: <a title=\"Seven steps for implementing policies and procedures\" href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/seven-steps-for-implementing-policies-and-procedures\/\" target=\"_blank\" rel=\"noopener noreferrer\">Seven steps for implementing policies and procedures<\/a>.<\/p>\n<h2>Problems with complex documentation<\/h2>\n<p>Many information security professionals fall into the trap of thinking \u201cwe\u2019ll describe all the security rules in detail \u2192 everyone will know exactly what to do \u2192 we will have a higher level of security,\u201d but it doesn\u2019t work this way. Complex documents require a lot of effort to maintain, and even worse: employees dislike reading lengthy policies and procedures.<\/p>\n<p>So remember, the fewer documents you have and the less complex they are, the greater the chances your employees will comply with them. 
Therefore, don\u2019t get too ambitious when writing your documents; but do get ambitious in asking for the security rules to be implemented.<\/p>\n<p><span class=\"notion-enable-hover\" data-token-index=\"0\"><em>To get the templates for all mandatory documents and the most common non-mandatory documents, along with a wizard that helps you fill out those templates,<\/em>\u00a0<\/span><a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"1\"><span class=\"link-annotation-unknown-block-id-1092142182\">sign up for a free trial<\/span><\/a>\u00a0<em><span class=\"notion-enable-hover\" data-token-index=\"3\">of Conformio, the leading ISO 27001 compliance software.<\/span><\/em><!-- notionvc: 569122f2-05b5-413c-aee3-bdc0e7bc5d4b --><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When starting to write a policy or a procedure, you\u2019re probably puzzled as to how lengthy it should be. And the truth is, ISO 27001\u00a0(as well as other ISO standards like ISO 20000, ISO 9001,\u00a0ISO 14001\u00a0and others) are very flexible in this respect. 
They basically allow you the freedom to decide for yourself what level &#8230;<\/p>\n","protected":false},"author":26,"featured_media":4483,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[133,292,381,472,504,522],"class_list":["post-4482","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-9001","tag-iso-14001","tag-iso-27001","tag-iso-20000","tag-document-management","tag-information-security-policy"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4482"}],"version-history":[{"count":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4482\/revisions"}],"predecessor-version":[{"id":104340,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4482\/revisions\/104340"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/4483"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated
":true}]}}