{"id":4498,"date":"2014-07-28T20:16:30","date_gmt":"2014-07-28T20:16:30","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/014\/07\/28\/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write\/"},"modified":"2025-09-19T10:12:18","modified_gmt":"2025-09-19T10:12:18","slug":"8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/07\/28\/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write\/","title":{"rendered":"8 criteria to decide which ISO 27001 policies and procedures to write"},"content":{"rendered":"<p>If you\u2019re just starting to implement\u00a0<a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>\u00a0in your company, you\u2019re probably in a dilemma as to how many documents you need to have, and whether to write certain policies and procedures or not.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Criteria for deciding what to document<\/h2>\n<p>Well, the first step is easy \u2013 you need to check whether a document is required by ISO 27001. For that purpose, see this article:\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/list-of-mandatory-documents-required-by-iso-27001-revision\/\" target=\"_blank\" rel=\"noopener noreferrer\">List of mandatory documents required by ISO 27001 (2013 revision)<\/a>. If the document is mandatory, you have nothing to think about \u2013 you must write it if you want to be compliant with this standard. 
(See also:\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/seven-steps-for-implementing-policies-and-procedures\/\" target=\"_blank\" rel=\"noopener noreferrer\">Seven steps for implementing policies and procedures<\/a>.)<\/p>\n<p>However, if the document is not mandatory, you may find yourself puzzled over whether you need to write it or not \u2013 for example, would you need a <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=backup-policy\" target=\"_blank\" rel=\"noopener\">Backup Policy<\/a>? Or perhaps a Classification Policy? Or a <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=bring-your-own-device-byod-policy\" target=\"_blank\" rel=\"noopener\">BYOD Policy<\/a>?<\/p>\n<p>Here are a couple of criteria that will help you:<\/p>\n<p><strong>Risks.<\/strong>\u00a0You have to start by assessing the risks to see if there is a need for such a control at all (see also:\u00a0<a href=\"\/27001academy\/knowledgebase\/the-basic-logic-of-iso-27001-how-does-information-security-work\/\" target=\"_blank\" rel=\"noopener noreferrer\">The basic logic of ISO 27001: How does information security work?<\/a>). 
If there is no risk, then certainly you won\u2019t need a document for it; if there is a risk, this still doesn\u2019t mean you have to write a document, but at least you have resolved the dilemma of whether the control is needed or not.<\/p>\n<p><strong>Compliance.<\/strong>\u00a0Sometimes you may have a regulation or a contractual requirement to write a certain document \u2013 e.g., a regulation may require you to write the Classification Policy, or your client may require you to sign NDAs with your employees.<\/p>\n<p><strong>Size of your company.<\/strong>\u00a0Smaller companies will tend to have fewer documents, so in such a case you should try to avoid writing a procedure for every small process \u2013 for example, if you have 20 employees you don\u2019t need 50 documents for your ISMS. Of course, if you are a multinational organization with 10,000 employees, writing policies where each would have a couple of related procedures, and then for every procedure a couple of working instructions \u2013 this approach does make sense.<\/p>\n<p><strong>Importance.<\/strong>\u00a0The more important a process or activity is, the more likely you will want to write a policy or a procedure to describe it \u2013 this is because you\u2019ll want to make sure everyone understands how to perform such a process or activity in order to avoid breakdowns in your operations.<\/p>\n<p><strong>Number of people involved.<\/strong>\u00a0The more people perform a process or an activity, the more likely you will want to document it; for example, if you have 100 people involved, it will be very difficult to explain verbally to all these people how to perform a certain process \u2013 it is much easier to write a procedure that would explain everything in detail. On the other hand, if you have five people involved, you can probably explain how the whole process works in a single meeting, so there is no need for a written procedure. 
There is one exception, though: if you have only one person working on a process, you might want to document it because no one else knows how to do it \u2013 so if this person becomes unavailable, you\u2019ll be able to continue your operations.<\/p>\n<p><strong>Complexity.<\/strong>\u00a0The more complex the process, the more likely it is that you\u2019ll need a written document for it (at least in the form of a checklist) \u2013 it is simply impossible to remember by heart, e.g., 100 steps that need to be performed in the exact sequence.<\/p>\n<p><strong>Maturity.<\/strong>\u00a0If a process or an activity is clearly established, if it has been running for years and everyone knows exactly how to perform it, if it is finely tuned, then there is probably no need to document it.<\/p>\n<p><strong>Frequency.<\/strong>\u00a0If you perform some activities rather rarely, you might want to write them down because you might forget how they are done.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Find the right balance<\/h2>\n<p>The more documents you have and the more detailed they are, the more difficult it will be to maintain them and to make your employees observe them. 
On the other hand, a smaller number of documents that are also quite short might not describe exactly what you need to do.<\/p>\n<p>In most cases, I recommend my clients\u00a0not to become too ambitious \u2013 if there is no absolute need to create some new document, don\u2019t do it; if there is no need to describe some process in great detail, make it shorter.<\/p>\n<p>And remember \u2013 unnecessary documents will bring you nothing but trouble.<\/p>\n<p><em>To get the templates for all mandatory documents and the most common non-mandatory documents, along with the wizard that helps you fill out those templates,<\/em>\u00a0<a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener noreferrer\">sign up for a free trial<\/a><em> of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you\u2019re just starting to implement\u00a0ISO 27001\u00a0in your company, you\u2019re probably in a dilemma as to how many documents you need to have, and whether to write certain policies and procedures or not. 
Criteria for deciding what to document Well, the first step is easy \u2013 you need to check whether a document is required &#8230;<\/p>\n","protected":false},"author":26,"featured_media":4499,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,504,507],"class_list":["post-4498","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-document-management","tag-mandatory-procedures"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4498","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4498"}],"version-history":[{"count":3,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4498\/revisions"}],"predecessor-version":[{"id":104587,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4498\/revisions\/104587"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/4499"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4498"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}