Exploring what's a must-have and what's nice-to-have.
To comply with ISO 27001:2022, organisations must provide evidence of a number of mandatory documents, but the standard isn't very helpful in pointing these out succinctly, which is where the list below can help. The documents are named in the various clauses and controls that must be in place. You will need to be able to put your hands on copies of any of these documents as part of an audit, and to evidence that they are up to date and communicated.
However, the Statement of Applicability lays out so many controls that you need to ask yourself how you will address them, if not by creating additional supporting documentation.
The clauses are very open to interpretation. Therefore, one ISO consultant might have a different view from another on what the standard mandates. Some clauses, for example, don't say you must have a policy, just 'rules'. That means they could be procedure-based, system-based or policy-based.
Check out the documents I've created for you here.
Mandatory Documents
| Document/Record | Clause Reference | Description |
| --- | --- | --- |
| Scope of the ISMS | Clause 4.3 | Defines the boundaries and applicability of the information security management system, including interested parties and the context of the organisation. |
| Information Security Policy | Clause 5.2 | Sets the organisation's approach to information security and provides a framework for setting objectives. |
| ISMS Roles & Responsibilities | Clause 5.3 | Assigns and communicates the roles, responsibilities and authorities relevant to information security. |
| Risk Assessment Process and Results | Clause 6.1.2 | Documents the criteria, process, and results of risk assessments. |
| Risk Treatment Process and Plan | Clause 6.1.3 | Outlines selected risk treatment options and actions. |
| Statement of Applicability (SoA) | Clause 6.1.3 d) | Lists selected controls, justifications, implementation status, and exclusions with reasons. |
| ISMS Objectives | Clause 6.2 | Summarises the information security goals for the forthcoming period; must be documented and communicated. |
| Evidence of Competence | Clause 7.2 | Records of training, etc., demonstrating personnel competency in roles affecting information security. |
| Evidence of Monitoring and Measurement | Clause 9.1 | Demonstrates how the performance and effectiveness of ISMS controls are monitored and evaluated. |
| Internal Audit Plan and Reports | Clause 9.2 | Contains internal audit processes, schedules, and results. |
| Management Review Minutes | Clause 9.3 | Records outcomes of management review meetings, including key decisions and actions. |
| Nonconformity and Corrective Action Logs | Clause 10.2 | Tracks nonconformities, corrective actions taken, and their effectiveness. |
| Control of Documented Information | Clause 7.5 | Sets out how documented information is created, updated, approved, distributed and controlled. |
It's important to note that these are the minimum requirements. Organisations may need additional documents based on their specific context, risks, and control implementation.
Non-Mandatory Documents
| Document/Record | Relevance |
| --- | --- |
| Asset Inventory | Supports Control A.5.9 (Inventory of Information Assets). |
| Access Control Policy | Supports Control A.5.15 (Access Control) and related controls in Annex A. |
| Incident Management Procedures | Supports Controls A.5.24 - A.5.27 (Incident Management). |
| Backup Policy | Supports Control A.8.13 (Information Backup). |
| Cryptographic Key Management Policy | Relevant for Control A.8.24 (Use of Cryptography). |
| Supplier Management | Supports Controls A.5.19 - A.5.22 (Supplier Relationships and ICT Supply Chain Security). |
| Physical Security Policy | Addresses Annex A Controls A.7.1 - A.7.14 (Physical Security Controls). |
| Asset Management Records | Covers Controls A.5.9 - A.5.11 (Inventory and Acceptable Use of Information and Other Associated Assets). |
| Business Continuity Plan (BCP) | Linked to Controls A.5.30 - A.5.31 (ICT Readiness for Business Continuity and Legal & Contractual Requirements). |
| Secure Configuration Guidelines | Aligns with Controls A.8.9 - A.8.12 (Secure Configuration, Information Deletion, and Data Leakage Prevention). |
| Training and Awareness Records | Supports Controls A.6.3 (Information Security Awareness, Education, and Training) and A.7.2 (Competence). |
| Secure Development Guidelines | Supports Control A.8.25 (Secure Development Life Cycle). |
| Communications Plans | Supports Controls A.7.3 (Awareness) and A.7.4 (Communication). |
| Special Interest Groups | Supports Control A.5.6 (Contact with Special Interest Groups). |
| Senior Management Support | Supports Control A.5.1 (Leadership and Commitment). |
| Statutory, Regulatory & Contractual Requirements | Supports Control A.5.31 (Legal, Statutory, Regulatory & Contractual Requirements). |
| Cloud Services Policy | Supports Control A.5.23 (Information Security for Use of Cloud Services). |
| Acceptable Use Policy | Supports Control A.5.10 (Acceptable Use of Information and Other Associated Assets). |
| Data Retention Policy | Supports Control A.5.33 (Protection of Records). |
| HR Policy | Supports Controls in Clause 6 (People Controls, including Screening, Awareness, and Responsibilities). |
| Vulnerability & Patching Policy | Supports Control A.8.8 (Management of Technical Vulnerabilities). |
| Password Policy | Supports Control A.5.17 (Authentication Information). |
Documents Often Considered
The distinction between mandatory and not-explicitly-mandatory documents comes down to whether the standard requires a specific document, or only requires a process or outcome that may be documented in whatever way the organisation sees fit.
The ISMS Manual
One document often used is the "Information Security Manual" or "ISMS Handbook." A manual is a helpful overview document for people getting to know your ISMS and how it applies the 27001 standard. It can help with audits, new starters, or anyone just trying to get to grips with your ISMS. Again, it's not mandatory, but it is helpful.
Here's an ISMS Manual template you can download.
Combining Documentation/Policies
Consolidating documentation where you think it naturally lends itself to doing so is fine. For example:
A.8.24: Use of Cryptography – This control stipulates that you need to have 'rules' around the handling of cryptographic keys (SSL certificates, etc.). This may be a very complex area for your organisation, demanding separate procedures and policies, or it might be something that isn't crucial to your organisation, and you just put a section into your Information Security Policy saying all crypto keys need to be stored in a particular location.
The point is that you adapt the 27001 framework to your needs. You may need to explain to an auditor why you've chosen a certain approach, but if it's justified to you and documented clearly, then I'm sure they will see it that way, too.
Standard Operating Procedures
Other documents are at the organisation's discretion.
For example, Operating Procedures for Information Processing Facilities: according to ISO 27002:2022, which provides guidance for ISO 27001, organisations should document procedures for secure operations. This applies when:
- The procedure needs to be consistently performed by multiple people.
- The procedure is infrequent and could be forgotten.
- The procedure is new and presents a security risk if not executed correctly.
- The activity is being transitioned to new personnel.
Important Notice
This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit https://www.iseoblue.com/terms.
Fixed & updated this page.
The document is not opening.
Thanks for your work! I really would like to see the documents you made for me, but it shows a 404 message :C