Kick that Canned Documentation!
Documentation templates for management systems are more hype than substance. There is no substitute for doing your own work and here’s why.
Patrick F. Sullivan Ph.D. shares his thoughts ...
I recently received an email announcing a new website for ISO 20000 that touts free policy and procedure templates. Similar sites (including some from the owners of the new one) exist for ISO 27001. And, of course, there are firms out there more than willing to sell templates or canned management system policies and procedures to organizations.
Buying templates or canned policies is tempting, especially if your organization is in the midst of an ISO 27001 or ISO 20000 implementation and overwhelmed by the requirements, or needs to meet a tight deadline for completion and is not familiar with the documentation expectations and requirements. And free templates are really hard to pass up. But passing up the canned policies and procedures is exactly what you should do.
- You probably already have policies and procedures that will be applicable within the scope of your management system. You don’t create a duplicate set of documents just because ISO 27001 lists a control for something you already do and you’re implementing the standard. So start with what you have. Construct an inventory of existing policies and procedures, and hold on to it. When you’ve identified the controls to be implemented, check your inventory for completeness, and review the content for adequacy against guidance (such as ISO 27002). And remember, the content of your policies and procedures needs to be directed towards achieving the risk management or service delivery objectives you’ve identified for the management system. Need a template? Look at what your documents look like now. That, together with the requirements of the standard, will tell you how to build one.
- The policies and procedures must be specific to the scope and objectives of the management system. Yes, a lot of policies and procedures at the operational level look pretty similar, but that won’t be true of management system documentation, such as the scope description, overall security policy, or risk management methodology. All of these documents are expected to reflect the strategic objectives of the organization and the objectives of the management system. Operational level documentation also must be specific to the risk management or service management objectives of the organization, and the environment in which the management system operates. For ISO 27001:2013, for example, the content of the policies and procedures must follow from your documentation of the internal and external context of the organization (clause 4.1), and identified needs and expectations of interested parties (clause 4.2). That information can’t be provided in a canned document purchased or downloaded from a vendor; a canned scope document can’t possibly provide an accurate description of your management system’s scope. What can a consultant who has never seen your organization know about what should be in your policies and procedures?
- They’re not your policies and procedures. They’re canned, and don’t actually relate to your organization and management system. Or they’re templates with minimal and very generic content to which you’ll need to add tailoring details. You’ll be tempted to pay a consultant to add the details (which is probably why the templates are free); before you accept the work, check the document properties (author, company, and similar metadata) to ensure your company’s information is listed rather than the vendor’s or some previous client’s. Often, we’ve seen canned policies put in place as written, with CLIENT simply replaced with the organization’s name. In those cases it wasn’t unusual to find that the personnel responsible for actually implementing and executing the policies or procedures didn’t know about them. As often as not, the canned policies and procedures weren’t subject to regular review and updates; they were just a ticket-punch to satisfy an auditor. But that’s not how ISO management systems and their certifications work. Implementing a management system that conforms to ISO requirements isn’t just a documentation exercise. You don’t have a management system just because you have a document library full of policies and procedures.
You get what you pay for, and sometimes you don’t. Free policy and procedure templates are free for a reason. Nothing you actually need is being given away. Canned policies and procedures you pay for aren’t going to fit the actual requirements of your management system because they won’t accurately reflect your practices, processes, and operational activities; the non-conformities will quickly stack up in a registration audit. If you are correctly implementing the management standard, you’ll have to extensively rebuild what you downloaded or bought. And as I said above, you probably already have most of what you need anyway, and if you don’t, we need to have a different conversation.
It’s your management system, not the canned policy purveyor’s. And not the consultant’s. There are no shortcuts. It needs to be built for (and to) your objectives and environment, or it will not achieve its purposes or yours. Start with what you have and go from there, revising your documents or creating new ones to your specifications as needed. In the end, canned policies, procedures, or templates will cost you more than you bargained for.
Patrick F. Sullivan Ph.D. is a principal consultant with JBW Group International with over 20 years experience in dismissing simplistic solutions to complex problems with haughty derision.