Required Documentation
Overview of ISO 27001 requirements
There are fifteen mandatory documents required under ISO 27001 to demonstrate that your ISMS (Information Security Management System) conforms to the standard. Here is the list:
Scope of the ISMS – Defines the boundaries and coverage of your ISMS.
Information security policy & objectives – States your security goals and how you’ll achieve them.
Risk assessment & treatment methodology – Outlines how risks are identified, scored, and managed.
Statement of Applicability – Lists selected controls with reasons for inclusion/exclusion.
Risk treatment plan – Details the mitigation plan for each identified risk.
Risk assessment report – Documents your risk findings and evaluation.
Security roles & responsibilities – Clarifies who’s responsible for what in the ISMS.
Inventory of assets – Lists all key information-related assets.
Acceptable use of assets – Defines proper usage guidelines for organizational assets.
Access control policy – Sets rules for granting and restricting access.
IT operating procedures – Guides IT staff on day-to-day security operations.
Secure system engineering principles – Lays out secure design and implementation practices.
Incident management procedure – Details how to respond to and recover from incidents.
Business continuity procedures – Describes how to maintain operations during disruptions.
Legal, regulatory & contractual requirements – Lists relevant compliance obligations.