ISO 27001 Mandatory Documents [Free Template]

Payal Wadhwa

Payal Wadhwa

Feb 16, 2024

ISO 27001 Mandatory Documents

Identifying documents for ISO 27001 demands meticulous attention to detail. Overlooking critical documents or including unnecessary ones are common scenarios with far-reaching consequences.


Adding a layer of complexity to the process are the various formats—digital files, physical records, screenshots, emails, time stamps, evidence catalogue, etc.

The stakes are high, as gaps in documentation could lead to non-compliance or involve a lot of back and forth with the auditor to get things done.

Especially if an organization has a complex structure, document identification across departments can be challenging. So, we’ve curated the ultimate ISO 27001 mandatory documents checklist for you to be on top of your compliance game.

Read on to ace the ISO 27001 documentation for your next audit.

What are ISO 27001 mandatory documents?

ISO 27001 Mandatory Docs Checklist

total-documents

With pre-filled policies and templates, Sprinto helps you get ISO 27001 compliant 3X faster.

ISO 27001 mandatory documents are a collection of documents that organizations must create, adapt and maintain to comply with ISO 27001. Some of these documents include ISMS Scope statement, information security policy, risk treatment plan, etc.

Note: As part of the process of implementing ISO 27001 within an organization, conducting a gap analysis is a crucial step. A gap analysis helps identify the current state of your organization’s information security practices compared to the requirements outlined in the ISO 27001 standard.

Here is a free template for you:

Download your ISO 27001
Gap Analysis Template Now!

List of ISO 27001 mandatory documents

The decision about implementing ISO 27001 Annex A controls should be based on your risk profile, compliance obligations, and stakeholder’s demands. In such a scenario, the definition of ‘necessary information’ becomes discretionary.

However, the following documents are considered mandatory ISO 27001 documentation and considered during the audit:

Mandatory documentsISO 27001 Clause/AnnexRequired RecordsISO 27001 Clause/Annex
Scope of the ISMSClause 4.3Records of training, skills, experience, and qualificationsClause 7.2
Information security policyClause 5.2Monitoring and measurement resultsClause 9.1
Risk assessment and risk treatment processClause 6.1.2Internal audit programClause 9.2
Statement of ApplicabilityClause 6.1.3Results of internal auditsClause 9.2
Risk treatment planClauses 6.1.3, 6.2, 8.3Results of the management reviewClause 9.3
Information security objectivesClause 6.2Results of corrective actionsClause 10.2
Risk assessment and treatment reportClauses 8.2 and 8.3Logs of user activities, exceptions, and security eventsAnnex A 8.15
Inventory of assetsAnnex A 5.9  
Acceptable use of assetsAnnex A 5.10  
Incident response procedureAnnex A 5.26  
Statutory, regulatory, and contractual requirementsAnnex A 5.31  
Security operating procedures for IT managementAnnex A 5.37  
Definition of security roles and responsibilitiesAnnex A 6.2, A 6.6  
Definition of security configurationsAnnex A 8.9  
Secure system engineering principlesAnnex A 8.27  

Note: This update is as per ISO 27001: 2022 version. This version mandates fewer documents when compared with the ISO 27001: 2013 version. No additional documents are required for the 11 new controls specified in the latest update.

Meet our compliance experts

Join our Compliance Q&A

Fastrack your audit with on demand guidance.

The ISO 27001 mandatory documents are central to achieving the comprehensive set of requirements laid down in the standard. Let’s delve into each of these documents understanding the purpose: 

1. Scope of the ISMS

Specifies the boundaries and extent to which ISMS applies and the areas, processes, assets etc. that are included.

2. Information security policy and objectives

Outlines the information security goals of the organization and the security protocols for achieving those protection commitments.

3. Risk assessment and risk treatment methodology

Presents the approach, tools, methods and criteria for identifying and scoring risks as well the plan of action for risk treatment as per the severity.

4. Statement of Applicability

Provides a description of selected and implemented controls along with the justifications for any exclusions.

5. Risk treatment plan

Details the risk treatment options chosen i.e. mitigation, transfer, acceptance and avoidance for each of the identified risks along with timelines, resources etc.

6. Risk assessment report

Includes information about methodology, information assets covered, identified risks, probability of occurrence and findings to give insights about the risk profile.

7. Definition of security roles and responsibilities

Clarifies the roles and responsibilities of various individuals and teams in control implementation, system administration, monitoring etc.

Sprinto helped Equalture, a Netherlands-based software company, increase its sales velocity by becoming ISO 27001 compliant — all in under 8 weeks.
Before Sprinto “We saw that if you answered ‘no’ to the question, ‘Are you ISO 27001 certified?’, about 160 more questions came up
After Sprinto Now it’s really convenient for us to say “yes we’re ISO compliant”; Customers now have a lot more comfort in working with us
Jaap Haagmans CTO of Equalture

8. Inventory of assets

Consists of a record of hardware, software, networks, databases, human assets and other resources that are crucial for protecting sensitive information.

9. Acceptable use of assets

Sets guidelines for fair and responsible use of assets like IT resources, systems, networks, physical assets etc. and defines acceptable behavior.

10. Access control policy

Covers the rules and guidelines related to control of access to information assets for protecting their confidentiality, integrity and availability.

11. Operating procedures for IT management

Serves as a reference document for IT staff to manage operations like incident response, system monitoring, backups, vulnerability detection and communication etc.

12. Secure system engineering principles

Comprises basic principles related to designing, deploying and implementing secure systems and practices for an effective ISMS. This can include guidelines on design frameworks, coding practices, testing mechanisms etc.

13. Incident management procedure

Describes the sequential procedure for incident management from identifying to escalating, containing or treating, documentation and post-incident steps.

14. Business continuity procedures 

Addresses the plan of action that must be initiated to restore normal business operations in case of an emergency/crisis/disruption.

Getting ISO 27001
audit-ready?

Sprinto can help you get certified in
4 easy steps.

15. Statutory, regulatory, and contractual requirements

Gives details about the applicable laws, regulations, standards and contractual agreements that are adhered to by the organisation

List of Records

The following records are required to be created, updated and maintained:

16. Records of training, skills, experience, and qualifications

Helps assess competency, identify skill gaps or training needs and take future decisions for workforce development.

17. Monitoring and measurement results

Serves as a track record of surveillance activities as well as qualitative and quantitative metrics for identifying improvement areas.

18. Internal audit program

Demonstrates conformance of ISMS with ISO 27001 requirements and the commitment of organisation to maintain compliance.

19. Results of internal audits

Showcases audit findings, documentation reviews, interview summaries with staff, follow-up actions, etc.

20. Results of the management review

Ensures a formal review of ISMS performance by the top management and provides a tangible proof of decisions, recommendations and actions, enhancing progress visibility.

21. Results of corrective actions

Act as an evidence of improvement measures implemented over a course of time for enhancing security processes.

22. Logs of user activities, exceptions, and security events

Become a valuable source of investigation and root cause analysis in case of events.

Non-mandatory documents

The non-mandatory documents are not critical but are demand-driven and good-to-have. These may be required as per specific nature and risk-profile of an organization.

Non-Mandatory documentsISO 27001 Clause/Annex
Procedure for document controlClause 7.5, Annex A 5.33
Controls for managing recordsClause 7.5, Annex A 5.33
Procedure for internal auditClause 9.2
Procedure for corrective actionClause 10.2
Bring your own device (BYOD) policyAnnex A 7.8, 8.1
Mobile device and teleworking policyAnnex A 6.7, 7.8, 7.9, 8.1
Information classification policyAnnex A 5.10, 5.12, 5.13
Password policyAnnex A 5.16, 5.17, 8.5
Disposal and destruction policyAnnex A 7.10, 7.14, 8.10
Procedures for working in secure areasAnnex A 7.4, 7.6
Clear desk and clear screen policyAnnex A 7.7
Change management policyAnnex A 8.32
Backup policyAnnex A 8.13
Information transfer policyAnnex A 5.14
Access control policyAnnex A 5.15
Supplier security policyAnnex A.5.19, A.5.21, A.5.22, A.5.23
Disaster recovery planAnnex A.5.29, A.5.30, A.8.14
Encryption policyAnnex A 8.24

Some implementation tips for maintaining documents for ISO 27001

  • Establish protocols for managing documents throughout their lifecycle
  • Clearly communicate ownership and access controls
  • Have a document audit when running internal audits and update as per requirements
  • Define document retention and disposal procedures
  • Make use of standardized templates for keeping things easy and consistent
  • Present information in a clear and understandable manner. Use process flowcharts, organization structure diagrams etc. and other visual aids for promoting clarity.
Get a wingman for your
ISO 27001 audit!

See how Sprinto expedites
audit-preparedness to just weeks.

How many mandatory clauses are there in ISO 27001?

ISO 27001 comprises two sections: clauses and annexure. The first part includes 11 clauses from 0 to 10, with clauses 4 to 10 being mandatory. Each clause serves a specific purpose and provides a framework to ensure that the ISMS is effectively established, implemented, and maintained.

  • Clause 4 context of the organization ensures that organizations understand the internal and external environment to define ISMS scope.
  • Clause 5 emphasizes on securing leadership commitment for information security
  • Clause 6 helps plan for risks and objectives and any changes to ISMS
  • Clause 7 aims to ensure support, resources and management for ISMS implementation
  • Clause 8 provides guidance on managing operational controls and processes
  • Clause 9 helps evaluate performance
  • Clause 10 focuses on continuously improving ISMS

The second section lists controls in Annex A. While the 2013 version had 114 controls, the latest version ISO 27001:2022 has 93 controls. Organizations can choose these controls based on the specific risks they wish to address.

Consequences of missing ISO 27001 mandatory documents

In an  ISO 27001 certification audit, the auditor records any major non-conformities, minor non-conformities, and opportunities for improvement. Not having ISO 27001 mandatory documents is a major non-conformity.

Usually non-conformities hinder the certification process and will require you to revisit the exact documentation obligations and submit the missing pieces to the auditor, before the certification can be granted. This can extend your timelines by 1-4 weeks depending on the time you take to gather/recreate the evidence and catalogue it before submitting it to the auditor for review.

Additionally, missing ISO 27001 documentation can lead to ineffective risk management. Although ISO 27001 does not directly impose fines and penalties, non-compliance with ISO 27001 can impact compliance with related frameworks such as GDPR. GDPR requires strict protection of personal information and ineffective risk management due to ISO 27001 non-conformity can lead to data breaches. The fines and penalties for a GDPR breach can go up to €20 million or 4% of annual turnover whichever is higher.

Get ISO 27001 ready with Sprinto

Use these lists to ensure you have all documents prepared in a structured fashion for an effortless access by the auditor. The auditor may choose to see some or all of these. But it is always advisable to have all mandatory documents compiled and neatly indexed for a breezy audit.

Having all the mandatory documents in place is just one piece of the ISO 27001 puzzle. Implementing controls and processes mentioned in the guidelines can be daunting without expert help.


When done manually, it involves stakeholders from different functions of the org to implement and monitor compliance efficiency.

These stakeholders, often, leadership members or functional managers end up spending their time on compliance activities that are repeatable and menial, instead of doing what they do best; business development!

Forward-thinking businesses therefore rely on automation for their compliance needs. Enter Sprinto.

Sprinto becomes your single powerful tool to track all activities at a granular level for risk assessment and remediation.

It has an integrated solution for policy management, security training, endpoint protection, infrastructure inventory management and managing vulnerabilities.


Multiple teams can collaboratively work on the Sprinto dashboard for ensuring compliant processes.

Read why Axslogic loved 30% faster evidence collection and single view compliance management provided by Sprinto. Talk to our experts today and get ISO 27001 compliant 10x faster.

FAQS

Is the statement of applicability not a mandatory document in ISO 27001?

The Statement of Applicability is a mandatory document in ISO 27001. It lays down the controls that are applicable to the organization from Annex A and provides justification for inclusion or exclusion of controls. It helps demonstrate to the auditor that the organization has addressed the information security risks as per the ISO 27001 standard.

Is the ISMS manual a mandatory document?

The ISMS manual is not explicitly required as a mandatory document for ISO 27001. However, many organizations choose to have an ISMS manual as a reference document to guide the creation and implementation of an effective ISMS.

How many mandatory controls are there in ISO 27001?

The ISO 27001:2022 lists 93 controls. However, it is not mandatory to implement all controls. The organizations must conduct a risk assessment to identify the specific information security risks and determine the controls to mitigate these risks.

What policies are required for ISO 27001?

ISO 27001 requires information security policy, access control policy, information classification and handling policy, remote working policy, business continuity policy, supplier security policy, network security policy and physical and environmental security policy.

What information is included in ISO 27001 risk assessment report?

The ISO 27001 risk assessment report  essentially contains information about methodology and approach used for risk assessment, the information assets that were evaluated, the identified risks, risk analysis with likelihood and impact and the risk treatment options along with selected controls.

Payal Wadhwa

Payal Wadhwa

Payal is your friendly neighborhood compliance whiz! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!

How useful was this post?

5/5 - (4 votes)