Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

List of ISO 27001 Mandatory Documents (2022 Standard)

When putting an information security management system (ISMS) in place and preparing for certification it’s often useful to know what documentation an auditor will want to see. The term used in ISO management system standards is “documented information” which covers what used to be referred to in previous versions as “documents and records”. In general, the trend is away from explicitly specifying policies and other types of documents, but there are still a few places in the 2022 version of the standard where such items are either named, or strongly implied, so let’s have a look at these first.

iso 27001 mandatory documents image

The Management System

A detailed read of the management system part of the standard shows up the following required documented information:

  • 4.3 – Scope of the ISMS
  • 5.2 – Information security policy
  • 6.1.2 – Information security risk assessment process
  • 6.1.3 – Statement of applicability
  • 6.1.3 – Information security risk treatment process
  • 6.2 – Information security objectives
  • 7.2 – Evidence of competence
  • 7.5.1 – Documented information necessary for the effectiveness of the ISMS
  • 8.1 – Documented information necessary for the processes of the ISMS
  • 8.2 – Results of information security risk assessments
  • 8.3 – Results of information security risk treatment
  • 9.1 – Evidence of results of monitoring and measurement
  • 9.2.2 – Evidence of the implementation of the audit programme(s) and the audit results
  • 9.3.3 – Results of management reviews
  • 10.2 – Evidence of the nature of the nonconformities and any subsequent actions taken
  • 10.2 – Evidence of the results of any corrective action

The Annex A Controls

A similar look through the Annex A controls reveals the following explicit or strongly implied requirements for documented information (remember that not all of these controls will necessarily apply to your organization):

  • A.5.1 – Information security policy and topic-specific policies
  • A.5.9 – Inventory of information and other associated assets
  • A.5.10 – Rules for the acceptable use and procedures for handling information and other associated assets
  • A.5.13 – An appropriate set of procedures for information labelling
  • A.5.14 – Information transfer rules, procedures, or agreements
  • A.5.18 – Topic-specific policy on and rules for access control
  • A.5.19 – Processes and procedures to manage the information security risks associated with the use of supplier’s products or services
  • A.5.21 – Processes and procedures to manage the information security risks associated with the ICT products and services supply chain
  • A.5.23 – Processes for acquisition, use, management and exit from cloud services
  • A.5.24 – Information security incident management processes, roles and responsibilities
  • A.5.28 – Procedures for the identification, collection, acquisition and preservation of evidence
  • A.5.31 – Legal, statutory, regulatory and contractual requirements relevant to information security
  • A.5.32 – Procedures to protect intellectual property rights
  • A.5.37 – Operating procedures for information processing facilities
  • A.6.2 – Employment contractual agreements
  • A.6.4 – Disciplinary process
  • A.6.6 – Confidentiality or non-disclosure agreements
  • A.8.3 – Topic-specific policy on access control
  • A.8.5 – Topic-specific policy on access control
  • A.8.9 – Configurations, including security configurations, of hardware, software, services and networks
  • A.8.11 – Topic-specific policy on access control
  • A.8.13 – Topic-specific policy on backup
  • A.8.15 – Logs that record activities, exceptions, faults and other relevant events
  • A.8.21 – Security mechanisms, service levels and service requirements of network services
  • A.8.24 – Rules for the effective use of cryptography
  • A.8.25 – Rules for the secure development of software and systems
  • A.8.26 – Information security requirements
  • A.8.27 – Principles for engineering secure systems
  • A.8.29 – Security testing processes

Other typical needs for documented information

So we already have quite a list of ISO 27001 mandatory documents, even before we start to consider those requirements and controls where documented information is not mentioned, but would come in handy when defining and communicating how your ISMS works.

Taking a simple example, although Clause 7.3 Awareness doesn’t mention documented information explicitly, an auditor would want to see some kind of evidence that an awareness programme is in place. This could be a list of attendees along with the slides from a presentation, or perhaps information on a portal that tracks who has received video training on information security.

The key point is to always think “evidence” and ensure that all the useful actions you are taking as part of your ISMS are recorded somewhere, in some form.

As an organization grows, there is also the realisation that documentation, such as procedures, is necessary in order to ensure that things get done the right way each time, especially when done by different people. So, for example, although Control 5.11 Return of assets doesn’t explicitly state that a procedure or form is required, you would probably want to put such items in place so that it happens correctly, and nothing is missed.

Creating the documents

There are a number of options organizations use when creating their documents for ISO/IEC 27001:2022 and this can depend on budgets, timelines and knowledge within the business. Writing documents internally, using a document toolkit or hiring a consultant are the three common ways organizations create their mandatory documentation. Using a document toolkit (such as the ISO27001 toolkit from CertiKit) can save you time and money whilst still making use of your internal resources. The document toolkit includes over 180 pre-written templates and guides, effectively covering the mandatory information required, and also provides additional documents to assist your ISO27001 implementation, so you can get the best out of your information security management system.


More ISO27001 resources

CertiKit are a provider of ISO toolkits, consultancy and internal auditing services, and have helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

The example documents provided were of high quality, so the decision to purchase the document pack in full was made easy. I looked around, but couldn't find anything that had the same level of quality.

SMG Health
Australia

View all Testimonials