The ISO 27001:2013 Policies and Controls Project is where you will describe your organisation's approach to meeting the core requirements of ISO 27001 as well as the Annex A controls from ISO 27002.


The project comes with our Adopt, Adapt, Add content already populated. This allows you to quickly approve or customise each area to your needs.


When you're happy with a Policy or Control, submit it for approval and have another member of your ISMS Board sign it off. This helps you demonstrate quality control and management buy-in to the ISMS.


You can set reminders to alert you when a policy or control is due for review, helping you ensure your ISMS remains current and effective.


See here for more information about ISMS Policy Management.



How do I access the Policies and Controls Project?

  1. Hover over 'Work' in the navigation bar
  2. Click on 'All Work'
  3. Search for the 'ISO 27001:2013 Policies and Controls' Project within the 'All Work' search field
  4. Click on the 'ISO 27001:2013 Policies and Controls' link to navigate to the Project


The 'Headlines' page for the Policies and Controls Project will display.



Using the Policies and Controls Project

The Policies and Controls Project functions much the same as any other Project on the platform. See here for a full list of our Project guides.


You will notice there are 17 Pre-configured Phases in the Project. These can be accessed from the 'Structure' tab.


We have developed the content within the ISO 27001:2013 Policies and Controls around an Adopt, Adapt, Add Philosophy.


Adopt - Some of the Activities within this Project can be Adopted out-of-the-box, saving you an immense amount of time and money and enabling you to achieve your goals far more quickly. An example of a policy that you can Adopt is Phase: A.16. Information Security Incident Management.


Adapt - There may be other policies you may choose to Adapt and then customise. For example, you may want to Adapt your approach to the policy we have given you on Information Security Incident Management, and then customise the incident management tool linked with the policy or use your own tracking tools.


Add - Then there are areas on the platform where we are leaving it to you to Add your own policies or controls. These typically are for your own unique technical controls, such as your encryption or access control policies. In these cases we have given you some tips to consider and, if you have subscribed to our ISO 27001 Virtual Coach package, you will also have expert guidance on how to meet the requirement.




You can add or remove Phases, Activities and Deliverables within the Policies and Controls Project. For further information on how to do this, click here.




Further guidance


If you have purchased the Virtual Coach package, you will also find lots of useful content to accelerate your implementation of ISO 27001 within your ISO 27001:2013 Policies and Controls Project.





Implementing ISO 27001 and need a little extra help?


Virtual Coach provides extended guidance on the ISO 27001:2013 Policies and Controls Project, and all other areas of ISMS.online.



Implementing a successful (and sustainable) information security management system can be challenging, especially if you or members of the implementation team are not experienced on the topic of ISO 27001.


To integrate seamlessly with the pre-configured workspaces and technology at the heart of ISMS.online, we have developed our Virtual Coach package.


Virtual Coach provides time-saving features, tools, actionable policies and controls, and other content, so you are also equipped with the confidence and capability to achieve your ISO 27001:2013/17 certification goals faster, and at a tiny fraction of the cost of alternatives.


If you think this is something that your organisation might benefit from, click here to learn more.