The information security management system manual represents the document that describes, to interested parties, the way in which the organization ensures the confidentiality, integrity and availability of information.
Divided into 10 sections, each dedicated to a single clause of the ISO/IEC 27001:2017 standard, the manual illustrates how the organization has designed and implemented the information security management system together with the controls provided for in Annex A.
The division into sections, each corresponding to a specific clause of the ISO 27001:2017 standard, was chosen to favor the correlation of the information security management system with pre-existing management systems whose manuals follow the same division into "sections", and to facilitate, where necessary, the implementation work.
The manual of the information security management system in the single format “MAN-Manual for the management of information security” must be used, in its entirety, on occasions such as:
- Participation in tenders
- Presentation of the security system to potential clients
- Requests for funding and/or participation in projects that require it to be presented
- Internal communication within the organization
- Training activities related to the application of the standard
- Internal or second party audits (performed by the client)
Those with the greatest interest in information security, i.e. owners, business partners, parent companies, customers and suppliers, joint venture partners, and public administration offices, are the natural recipients of the information security management system manual.
These are the main interested parties in knowing and verifying whether the way in which the organization manages information (organization, assets, procedures, controls) is able to ensure the confidentiality, integrity and availability of information which, if compromised, could cause significant damage to their respective organizations.
With the manual, the organization describes to its staff how the entire system must work and also documents, for the ISO certification bodies, how it incorporates and fulfills all the requirements of ISO/IEC 27001:2017 for the purpose of obtaining and maintaining the corresponding certification.
With the intention of providing customers and interested parties with a manual that is clear and easily understood, even by people who are not experts in the field of information security, the Word document has a schematic, colored graphic layout, supplemented where useful with tables and graphs that illustrate the contents in a synoptic manner.