
ISO27k FAQ updated

  • Gary Hinson
  • 1 day ago
  • 2 min read

Ever since migrating this website to Wix a month ago, I've been systematically checking and refining the content, updating broken links, correcting typos, reconsidering and refreshing the text.


Over the last few days I've been giving our ISO27k FAQ the once-over, and today I wrote up a new FAQ on ISMS documentation. It was triggered by my reading naive advice elsewhere to "Document everything": I appreciate it's not meant literally, but the emphasis is clear. Since the ISO/IEC 27001 conformity assessors (certification auditors) are likely to expect or demand various bits of ISMS documentation, and we can't tell for sure what they may want, we might as well "document everything", stash it all safely away and make it available to the auditors. That reduces the risk of our being unable to produce some important document on demand and earning ourselves a nonconformity as a result.


The trouble is that, from a business perspective, documentation is costly. Not only does it take time and effort to produce, but the costs accumulate during its lifecycle, offset (we hope!) by the benefits arising ... except those benefits are rarely even examined, let alone valued and compared against the costs.


Some ISMS-related documents are highly valuable or invaluable because, for instance, they explain and support the organisation's strategies, policies and procedures in this area. A few (just 16 types!) comprise the bare minimum set required for conformity with ISO/IEC 27001. Rather more than that are typically generated, circulated and stored ... but why? The value spectrum probably falls into negative territory for some things - reports that nobody reads and no-one would miss if they stopped, similar to spam. Some items of documentation may be detrimental, spreading incomplete, inaccurate, misleading and out of date misinformation, perhaps even deliberate disinformation (e.g. biased progress reports or metrics that ignore or downplay bad news, hoping to bury it under something more positive).


"Document everything" isn't such a bright idea when - or rather if - you think about it ... and that's what the new documentation FAQ addresses. Determining what to document begs a bunch of insightful questions.

© 2025 IsecT Limited 