
In summary...
Use the index of ISO 27001 as a guide and you'll be right as rain.
But that would make for a shorter article :).
When you get to a certain age, and you've been in the IT industry for enough years, you start to get an idea of what auditors are looking for when they descend on you and ask you pointed questions about your systems. And I don't just mean security auditors: if your company has an annual financial audit the team which comes to …
Nah, I stopped that racket a while back (because it really is a racket), and you're talking to someone who used BS7799 when it was still in draft. The one to watch is ISO 27001, but you can't certify against that because that would actually be *effective*. No, you can only get certified against having a system in place (ISO 27002), which is unaffordable for smaller companies - see where that is going?