What is an Activity?

An Activity is an area within a Project where work is done. In the context of ISO 27001, Activities are used to store policies, controls, procedures, evidential documents, and communications around the various clauses and requirements for the standard.


You can allocate Activity owners and timelines to drive your implementation. 


Policies, controls, procedures and related documentation can be captured in Notes, Documents, To-Dos and Discussions – at whatever level makes sense for your organisation. The Activity area keeps everything in one place and provides rich detail of your actions and decision making to show you are in control. 


We recommend you choose the right tool for the communicating job – for example:


Notes

Ideal for documenting your policies and procedures, and recording evidence of whether something has been considered but not required (ISO needs to know you have considered all areas of Annex A controls in ISO 27001)


Documents

Some policies might be longer than basic Notes or may need diagrams or pictures alongside them. Other documents uploaded to the documents section under the Notes can help demonstrate your working or evidence your compliance, e.g. a copy of your Risk methodology


Discussions

By holding a discussion in ISMS.online with colleagues you retain that knowledge in one place and demonstrate your decision making or logic around a requirement to an auditor


To-do’s

Set simple tasks for yourself and other team members, perhaps to break down work even further or address specific issues in a more structured fashion


At the top of the project area, the tabs show all the Notes, Documents, To-do’s or Discussions from within each policy Activity area in their aggregated format. 

Each item also has a link back to its parent Activity where relevant. 


You can edit and amend Notes, upload and version documents, add and edit tasks etc while your Activity is open and you are working on it.  

Once you are finished, we recommend you submit it for approval and show the auditor it has had independent/peer review.