Exploring The Mandatory & Supporting Documents of ISO 27001
To comply with ISO 27001:2022, organisations must provide evidence of a number of mandatory documents, but the standard isn’t very helpful in pointing these out succinctly, which is where the list below can help. The documents are named in the various clauses and controls, and they must be in place. You will need to be able to put your hands on copies of any of these documents as part of an audit and evidence that they are up to date and communicated.
However, the Statement of Applicability lays out so many controls that you need to ask yourself how you will address them, if not by creating additional supporting documentation.
The clauses are very open to interpretation, so two ISO consultants may have different views on what the standard mandates. Some clauses, for example, don’t say you must have a policy, just ‘rules’. That means they could be procedure-based, system-based or policy-based.
Mandatory ISO 27001 Documents
Document / Record | Clause Reference | Description |
---|---|---|
Scope of the ISMS | Clause 4.3 | Defines the boundaries and applicability of the information security management system, including interested parties and the context of the organisation. |
Information Security Policy | Clause 5.2 | Sets the organisation’s approach to information security and provides a framework for setting objectives. |
ISMS Roles & Responsibilities | Clause 5.3 | Records how responsibilities and authorities for roles relevant to information security are assigned and communicated. |
Risk Assessment Process and Results | Clause 6.1.2 | Documents the criteria, process, and results of risk assessments. |
Risk Treatment Process and Plan | Clause 6.1.3 | Outlines selected risk treatment options and actions. |
Statement of Applicability (SoA) | Clause 6.1.3 d) | Lists selected controls, justifications, implementation status, and exclusions with reasons. |
ISMS Objectives | Clause 6.2 | Summarises the information security goals for the forthcoming period; must be documented and communicated. |
Evidence of Competence | Clause 7.2 | Records of training, etc, demonstrating personnel competency in roles affecting information security. |
Evidence of Monitoring and Measurement | Clause 9.1 | Demonstrates how performance and effectiveness of ISMS controls are monitored and evaluated. |
Internal Audit Plan and Reports | Clause 9.2 | Contains internal audit processes, schedules, and results. |
Management Review Minutes | Clause 9.3 | Records outcomes of management review meetings, including key decisions and actions. |
Nonconformity and Corrective Action Logs | Clause 10.2 | Tracks nonconformities, corrective actions taken, and their effectiveness. |
Control of Documented Information | Clause 7.5 | Shows that documented information is identified, approved, version-controlled, protected and available where it is needed. |
It’s important to note that these are the minimum requirements. Organisations may need additional documents based on their specific context, risks, and control implementation. These documents typically come out of implementing the Annex A controls selected in the Statement of Applicability. Implementation of these controls is detailed in the guidance found in ISO 27002, the sister standard to ISO 27001.
Non-Mandatory ISO 27001 Documents
Document / Record | Relevance |
---|---|
Asset Inventory | Supports Control A.5.9 (Inventory of Information and Other Associated Assets). |
Access Control Policy | Supports Control A.5.15 (Access Control) and related controls in Annex A. |
Incident Management Procedures | Supports Controls A.5.24 – A.5.27 (Incident Management). |
Backup Policy | Supports Control A.8.13 (Information Backup). |
Cryptographic Key Management Policy | Relevant for Control A.8.24 (Use of Cryptography). |
Supplier Management | Supports Controls A.5.19 – A.5.22 (Supplier Relationships and ICT Supply Chain Security). |
Physical Security Policy | Addresses Controls A.7.1 – A.7.14 in Annex A (Physical Security Controls). |
Asset Management Records | Covers Controls A.5.9 – A.5.11 (Inventory and Acceptable Use of Information and Other Associated Assets). |
Business Continuity Plan (BCP) | Linked to Controls A.5.30 – A.5.31 (ICT Readiness for Business Continuity and Legal & Contractual Requirements). |
Secure Configuration Guidelines | Aligns with Controls A.8.9 – A.8.12 (Secure Configuration, Information Deletion, and Data Leakage Prevention). |
Training and Awareness Records | Supports Controls A.6.3 (Information Security Awareness, Education, and Training) and A.7.2 (Competence). |
Secure Development Guidelines | Supports Control A.8.25 (Secure Development Life Cycle). |
Communications Plans | Supports Controls A.7.3 (Awareness) and A.7.4 (Communication). |
Special Interest Groups | Supports Control A.5.6 (Contact with Special Interest Groups). |
Senior Management Support | Supports Control A.5.1 (Leadership and Commitment). |
Statutory, Regulatory & Contractual Requirements | Supports Control A.5.31 (Legal, Statutory, Regulatory & Contractual Requirements). |
Cloud Services Policy | Supports Control A.5.23 (Information Security for Use of Cloud Services). |
Acceptable Use Policy | Supports Control A.5.10 (Acceptable Use of Information and Other Associated Assets). |
Data Retention Policy | Supports Control A.5.33 (Protection of Records). |
HR Policy | Supports Controls in Clause 6 (People Controls, including Screening, Awareness, and Responsibilities). |
Vulnerability & Patching Policy | Supports Control A.8.8 (Management of Technical Vulnerabilities). |
Password Policy | Supports Control A.5.17 (Authentication Information). |
Documents Often Considered
The distinction between mandatory and non-explicitly mandatory documents is based on the standard’s requirements for specific documents versus requirements for processes or outcomes that may be documented in various ways at the organisation’s discretion.
The ISMS Manual
One document often used is the “Information Security Manual” or “ISMS Handbook.” A manual is a helpful overview document for people getting to know your ISMS and how it applies the 27001 standard. It can benefit audits, new starters, or anyone just trying to get to grips with your ISMS. Again, it’s not mandatory, but it is helpful.
There’s an ISMS manual template in my full Information Security Toolkit.
Combining Documentation/Policies
Consolidating documentation where you think it naturally lends itself to doing so is fine. For example:
A.8.24: Use of Cryptography – This control stipulates that you need to have ‘rules’ around the handling of cryptographic keys (SSL certificates, etc.). This may be a very complex area for your organisation, demanding separate procedures and policies, or it might be something that isn’t crucial to your organisation, in which case you just put a section into your Information Security Policy saying all cryptographic keys need to be stored in a particular location.
The point is that you adapt the 27001 framework to your needs. You may need to explain why you’ve chosen a certain approach to an auditor, but if it’s justified to you and documented clearly, then I’m sure they will see it that way, too.
Standard Operating Procedures
Other documents are at the organisation’s discretion.
For example, Operating Procedures for Information Processing Facilities: according to ISO 27002:2022, which provides implementation guidance for ISO 27001, organisations should document procedures for secure operations. This applies when:
- The procedure needs to be consistently performed by multiple people.
- The procedure is infrequent and could be forgotten.
- The procedure is new and presents a security risk if not executed correctly.
- The activity is being transitioned to new personnel.
General Documentation Advice & Guidance for ISO 27001
Apart from the mandatory documents, ISO 27001 specifies no exact, fixed depth for how detailed your procedures, policies, or documentation must be. The standard takes a risk-based and context-based approach, meaning the level of documentation depends on your organisation’s needs, risks, and complexity.
However, Clause 7.5 (“Documented information”) gives some general requirements:
- You must document information necessary for the effectiveness of the Information Security Management System (ISMS).
- You need to control that documentation (approve it, update it, make sure it’s available where needed).
- The documented information must be sufficiently detailed to be effective and usable for the people who need it.
ISO 27002:2022, which is the guidance for implementing the Annex A controls, hints at something similar: each control usually recommends that you define and document certain activities, but how detailed they should be is again based on your organisation’s size, complexity, and risk profile.
You don’t have to write 50-page procedures unless that’s what your risks or audience require. If a short, clear document gets the job done and meets your ISMS’s needs, that’s fine!
I’m also going to suggest you take a look at tools like Scribe, which can make documentation a lot easier to conduct and maintain.
FAQs
Do I have to create all the non-mandatory documents listed?
No. Non-mandatory documents are helpful tools but aren’t required for certification. However, many organisations find that having them supports smoother implementation, better security practices, and easier audits.
Can one document cover multiple controls?
Yes! ISO 27001 allows flexibility. If one policy or document logically covers several controls, that’s perfectly acceptable — as long as the coverage is clear and auditable.
How often do I need to update my ISO 27001 documents?
The standard expects documents to be maintained and kept up to date. Best practice is to review core ISMS documents annually or whenever major changes occur (e.g., after a big risk assessment or organisational change).
What happens if an auditor finds my documentation lacking?
Auditors look for effectiveness, not just presence. If documentation is missing, incomplete, or unclear, it could lead to a nonconformity. This doesn’t mean instant failure, but you’ll need to correct it before certification is granted (or maintained).
Is an ISMS Manual required for ISO 27001 certification?
No. It’s not a mandatory requirement, but many organisations create one to help structure their ISMS clearly for both internal understanding and external auditors.
How detailed should my policies and procedures be?
They should be detailed enough for someone to reliably follow the process or understand the rule — but not so bloated that they’re impractical. Think clarity and usability, not page counts.
Can software tools really help with ISO 27001 documentation?
Definitely. Tools like Scribe or dedicated ISMS software can simplify creating, updating, and managing required documents, making your system more efficient and audit-ready. However, it’s important to note that ISO 27001 does not require specific software or tools.