What are the Mandatory Documents Needed for ISO 27001?

ISO Documents

The list of documented information for ISO 27001 certification is a lengthy one. However, not all of the documentation is mandatory and your auditor is not necessarily going to want to scrutinise everything you’ve compiled. But, as we always say, better safe, secure and certified than sorry.

We’ve compiled a list of mandatory documents to help you take that first step in your certification journey.

But first, let’s answer some questions about other ISO 27001 mandatory items.

How many mandatory requirements are needed for ISO 27001?

According to Compleye’s at-a-glance list, there are 8 requirements for ISO 27001 certification:

  1. Implement a security management system (ISMS)
  2. Conduct a risk assessment
  3. Develop security policies and procedures
  4. Implement controls to mitigate identified risks
  5. Monitor and review the effectiveness of the ISMS
  6. Maintain records of the ISMS
  7. Communicate the ISMS to all employees
  8. Train employees on the ISMS

How many mandatory clauses are there in ISO 27001?

When it comes to clauses, ISO 27001 consists of two sections. Part 1 (which is the mandatory section) consists of 11 clauses ranging from clause 0 to clause 10

Next up, Part 2 aka Annex A, has 114 (yes, you read that right, one-hundred-and-fourteen!) controls. These controls are what you will structure your Statement of Applicability (SoA) around. 

Is an internal audit mandatory for ISO 27001?

Yes. And, if you think about it (or even if you don’t) this makes absolute sense because an audit also helps you to verify that your ISMS is functioning as it should. 

In our article ‘It’s Internal Audit time’, we expand on the ins-and-outs of the internal audit. 

Is the ISMS manual a mandatory document?

It’s not compulsory to have an ISMS manual, but it’s highly recommended. An ISMS manual is part of a comprehensive risk management strategy. It’s an all-in-one solution to store all of your documents for quick and easy reference.

And speaking of documents, here’s the list we promised you:

Mandatory ISO 27001 documentation

Although there isn’t an official list of mandatory documents for ISO 27001, we wanted to outline which documents you should definitely consider collecting. The list we’ll focus on is the following:

  • Scope of the ISMS
  • Information security policy and objectives
  • Risk assessment and risk treatment methodology
  • Statement of Applicability
  • Risk treatment plan
  • Risk assessment report
  • Definition of security roles and responsibilities
  • Inventory of assets
  • Acceptable use of assets
  • Access control policy
  • Operating procedures for IT management
  • Secure system engineering principles
  • Supplier security policy
  • Incident management procedure
  • Business continuity procedures 
  • Statutory, regulatory, and contractual requirements

Let’s have a closer look at these documents, and provide some context for each one. This way you’ll have a better idea of what to expect.

Scope of the ISMS (Clause 4.3)

This tells your stakeholders exactly which areas of your business are covered by your ISMS. To provide clarity for your stakeholders, you might want to provide a vision statement and/or strategy alongside your ISMS scope. Remember that your documented ISMS Scope is the key ingredient to a successful certification. 

Information security policy and objectives

Top management must establish an information security policy that’s relevant to the purpose of your specific organisation (so no copying from your buddy here people!). The policy shows that senior management is committed to the ISMS objectives and their continuous improvement. 

Risk assessment and risk treatment methodology

You need to show how you identify, analyse, evaluate and prioritise your information risks. Decide what’s appropriate for your organisation and write it into a report, a list, a matrix or any other convincing document that shows how your risks are being controlled. 

Statement of Applicability

An SoA will make your auditor just as happy as a clam. In his article ‘The Benefits of the Statement of Applicability in ISMS Projects’, Jayakumar Sundaram explains that the SoA is “the main link between risk assessment and risk treatment.. The SoA is a continuously updated and controlled document that provides an overview of information security implementation.” We couldn’t have said it better ourselves. 

Risk treatment plan

Clause 6.1.3 will explain what you need to do to create a risk treatment plan. In brief, you will need to provide a process/procedure for treating information risks and show that the process is operating effectively. Easy as that! 

Risk assessment report

When risks have been identified, you should figure out which ones need further assessment and also how assessments are triggered. According to Info-Savvy, “A broad information security risk assessment should be performed a minimum of once a year.”

Definition of security roles and responsibilities

There are various ways in which you can clearly show roles and responsibilities. You might want to have a look at the RASCI chart in the ISO27001 toolkit. 

Inventory of assets

No, you don’t need to list your coffee machine and water cooler; only your IT system assets as well as their managers/owners. 

Acceptable use of assets

It’s vital that you have guidelines (and training) around how to use your company’s IT assets as well as who can use them. Everyone, including contractors and temps, should be able to access the rules around the use of your IT assets. You might also want to pin up some guidelines on how to use the coffee machine and water cooler. 

Access control policy/Access Management Policy

Combining an overall access control policy with specific controlled access guidance related to passwords, firewalls, VPNs etc is an excellent idea. All of these should be regularly reviewed and revised. 

Operating procedures for IT management

High-quality, easy-to-read-and-understand operating procedures should be generated, disseminated, and maintained.

Secure system engineering principles

Control 8.27 is a preventative control. It ensures that you eliminate threats to the CIA. No, not that one! The Confidentially, Integrity and Availability of your information assets. 

Supplier security policy aka Supplier management policy 

While you can control (almost) everything that happens inside the boundaries of your organisation, the security of your suppliers is something beyond your control. So, be sure to check that they have their own security policies. 

Incident management procedure

ISO 27001 defines a security incident as “an unwanted event that could endanger the confidentiality, integrity, or availability of information.” Whether it’s a phishing event or a computer system breach, the procedure for dealing with an incident should include the quick collection of evidence, a forensic analysis, communication about the incident and, as with all things ISO, record-keeping. 

Business continuity procedures 

No matter how seriously your business is hit by a security incident or event, you need to be able to maintain essential functions and continue down the road to certification. An offshoot of crisis management, Business Continuity Management should be documented via strategies, policies, plans, procedures and reports. 

Statutory, regulatory, and contractual requirements

Ah, Annex A.18.1, that tricky clause that trips up so many ISO-hopefuls! Companies don’t realise how much legislation and regulation there is that impacts them. But, your friendly auditor wants to know how you’ve addressed your legal, regulatory and contractual obligations. 

Mandatory ISO 27001 records

Records of training, skills, experience and qualifications

Managing an ISMS isn’t child’s play. You need a team that has the skills and training not only from a security point-of-view, but from an HR, legal ,commercial, IT (the list goes on) point-of-view. To demonstrate compliance here, you can (quite) easily draw up a table showing who’s involved, what they do and their experience. 

Monitoring and measurement results 

This piece by the ICT Institute best explains clause 9.1. “Monitoring is observing data created during a process or by a system. Measuring, on the other hand, requires data to be collected through an action. You can, for example, monitor the availability of your website by checking the uptime percentage of your webserver using a dashboard, or measure the availability by counting how many server crash reports were created in your ticketing system.” Makes sense, right?

Internal audit program 

As mentioned above, you need an internal audit like the desert needs the rain (there’s a song in there somewhere). And you need it regularly to ensure that your ISMS (Information Security Management System) continues to meet ISO 27001 standards and to facilitate continuous improvement.

Results of internal audits 

There’s no point in conducting an internal audit if you don’t record the results. The report should contain:

  • Reviews of documentation 
  • Sampling of evidence
  • Interviews with key ISMS staff 
  • Interviews with other staff and even outside contractors
  • Findings assessments

Results of the management review

It goes without saying (but we’ll say it anyway) that the purpose of a management review is to inform and provide evidence to top management that the implemented ISMS and its objectives continue to show signs of effectiveness, transparency and integrity. 

Results of corrective actions

Once a risk has been identified, corrective action must be taken. The actions (from discovery to correction) should be documented, sometimes through registries, in a way that shows that the remedial actions taken were effective.

Logs of user activities, exceptions, and security events

When logging activities, exceptions and events, remember that private, sensitive and/or personal information might be used in event logs, so privacy measures must be properly implemented. No exceptions! 

Get help with collecting your mandatory ISO 27001 documents 

Be aware that your auditor will pick and choose what they want to see. So, to make your audit as easy as possible, it’s best to prepare by ensuring you have all the right documents and that they are sorted, filed and indexed for easy access. 

The best way to make sure that you’ve got all your bases covered is to use an online platform that provides you with the guidance and tools that you need to get certified. 

Book a demo with Compleye to see how we can help you to collect your ISO 27001 mandatory documents.

Table of Contents

Compliance Platform for Tech Companies


All-in-One DIY Compliance Platform to help tech businesses towards their ISO 27001, ISO 9001, or SOC-2 certification and stronger performance on privacy and security. Ready?