Building an ISMS tracker for ISO 27001

Find out how to create an efficient ISMS tracker to track your items and relevant evidence for ISO 27001

This article covers what you need to know about creating and operating an ISMS tracker, from understanding the items you need to track and the evidence they need, to choosing the correct system to operate your ISMS:

  1. Items you need to track
  2. Evidence you need to have for each item
  3. What system to use

Items you need to track

Managing an ISO 27001 ISMS certification process is like managing a big project. In certain organisations, it might even involve managing a programme of several projects.

Even when you have obtained certification, the activities and tasks to manage do not go away. It’s an ongoing process, and you need to be well-organised to ensure ISO 27001 becomes “the way we work around here” and that you have all the evidence you need for your next audit.

Below are the items you need to track, manage and update over time that you will need to show as evidence to an internal and external auditor.

To keep things simple and make it easy to manage lots of tasks, we like to track things in as few places as possible.

These are the Risk Register, the ISMS Tracker and the KPIs (covered in the ISMS Manual).

Evidence you need to have for each item type

For each of the item types we like to track using the ISMS Tracker, the standard has some requirements, i.e. evidence you will be asked for.

  • You have done a root cause analysis;
  • You have determined whether similar nonconformities exist, i.e. whether there are trends;
  • You have determined which action(s) needed to be taken to address the nonconformity;
  • You have dealt with the nonconformity and “closed” it, i.e. implemented the action(s) to correct it;
  • You have reviewed the effectiveness of what you put in place to correct the nonconformity.
  • You have documented the incident and followed your own procedure for managing incidents;
  • You have investigated the cause, done a root cause analysis and collected evidence;
  • You have learned from the incident to reduce the likelihood of it happening again or to reduce the impact when it does happen.
  • You have documented them;
  • You have identified and assessed any related risks;
  • You have implemented action(s) where you’ve decided to implement them.
  • You have documented them and followed your own procedure for managing change;
  • You have identified and assessed any related risks;
  • You have communicated with and considered the impact on internal/external interested parties;
  • You have considered a roll-back position where possible;
  • Changes have been approved by the right person;
  • You have indeed implemented the action(s) you decided upon.

In some cases, some of these items will be related to each other, and also to risks and perhaps to some objectives. It is almost certain that during the stage 2 audit the assessor will randomly pick an item and ask you to show the related items.

When selecting a system for your ISMS Tracker, it is important to make sure that each item is uniquely identified, that you can easily link it to other items, and that you can easily “follow the trail” between related items.

What system to use

While there are dedicated ISMS products available on the market that provide functionality for this, it’s not necessary to invest in one of those at this stage, especially if your organisation is very small and you will not be generating many items to track. A spreadsheet is not ideal and will definitely become cumbersome as your system grows, but in the short term it will do the job and get you certified.

Another option is to use a system you already have. We have helped clients build ISMS Trackers, Risk Registers and KPI trackers in SharePoint 365, Azure DevOps, Jira and GitLab.

If you decide to use a DevOps product, you could also transfer all documentation to their respective wiki pages (or Confluence in the case of Jira) and amend the issue/work item format to fit the forms (e.g. change requests, incidents).

Elisabeth Belisle

Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified ISO Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.

Elisabeth can help you decide if ISO 27001 is for you and support you through its implementation, all the way to certification.