ISO 27001 Mandatory Documents [Free Template]

Payal Wadhwa

Payal Wadhwa

Feb 16, 2024

ISO 27001 Mandatory Documents

Identifying documents for ISO 27001 demands meticulous attention to detail. Overlooking critical documents or including unnecessary ones are common scenarios with far-reaching consequences.

Adding a layer of complexity to the process are the various formats—digital files, physical records, screenshots, emails, time stamps, evidence catalogue, etc.

The stakes are high, as gaps in documentation could lead to non-compliance or involve a lot of back and forth with the auditor to get things done.

Especially if an organization has a complex structure, document identification across departments can be challenging. So, we’ve curated the ultimate ISO 27001 mandatory documents checklist for you to be on top of your compliance game.

Read on to ace the ISO 27001 documentation for your next audit.

What are ISO 27001 mandatory documents?

ISO 27001 mandatory documents are a collection of documents that organizations must create, adapt and maintain to comply with ISO 27001. Some of these documents include ISMS Scope statement, information security policy, risk treatment plan, etc.

Note: As part of the process of implementing ISO 27001 within an organization, conducting a gap analysis is a crucial step. A gap analysis helps identify the current state of your organization’s information security practices compared to the requirements outlined in the ISO 27001 standard.

Here is a free template for you:

List of ISO 27001 mandatory documents

The decision about implementing ISO 27001 Annex A controls should be based on your risk profile, compliance obligations, and stakeholder’s demands. In such a scenario, the definition of ‘necessary information’ becomes discretionary.

However, the following documents are considered mandatory ISO 27001 documentation and considered during the audit:

Mandatory documentsISO 27001 Clause/AnnexRequired RecordsISO 27001 Clause/Annex
Scope of the ISMSClause 4.3Records of training, skills, experience, and qualificationsClause 7.2
Information security policyClause 5.2Monitoring and measurement resultsClause 9.1
Risk assessment and risk treatment processClause 6.1.2Internal audit programClause 9.2
Statement of ApplicabilityClause 6.1.3Results of internal auditsClause 9.2
Risk treatment planClauses 6.1.3, 6.2, 8.3Results of the management reviewClause 9.3
Information security objectivesClause 6.2Results of corrective actionsClause 10.2
Risk assessment and treatment reportClauses 8.2 and 8.3Logs of user activities, exceptions, and security eventsAnnex A 8.15
Inventory of assetsAnnex A 5.9  
Acceptable use of assetsAnnex A 5.10  
Incident response procedureAnnex A 5.26  
Statutory, regulatory, and contractual requirementsAnnex A 5.31  
Security operating procedures for IT managementAnnex A 5.37  
Definition of security roles and responsibilitiesAnnex A 6.2, A 6.6  
Definition of security configurationsAnnex A 8.9  
Secure system engineering principlesAnnex A 8.27  

Note: This update is as per ISO 27001: 2022 version. This version mandates fewer documents when compared with the ISO 27001: 2013 version. No additional documents are required for the 11 new controls specified in the latest update.

Meet our compliance experts

Join our Compliance Q&A

Fastrack your audit with on demand guidance.

The ISO 27001 mandatory documents are central to achieving the comprehensive set of requirements laid down in the standard. Let’s delve into each of these documents understanding the purpose: 

1. Scope of the ISMS

Specifies the boundaries and extent to which ISMS applies and the areas, processes, assets etc. that are included.

2. Information security policy and objectives

Outlines the information security goals of the organization and the security protocols for achieving those protection commitments.

3. Risk assessment and risk treatment methodology

Presents the approach, tools, methods and criteria for identifying and scoring risks as well the plan of action for risk treatment as per the severity.

4. Statement of Applicability

Provides a description of selected and implemented controls along with the justifications for any exclusions.

5. Risk treatment plan

Details the risk treatment options chosen i.e. mitigation, transfer, acceptance and avoidance for each of the identified risks along with timelines, resources etc.

6. Risk assessment report

Includes information about methodology, information assets covered, identified risks, probability of occurrence and findings to give insights about the risk profile.

7. Definition of security roles and responsibilities

Clarifies the roles and responsibilities of various individuals and teams in control implementation, system administration, monitoring etc.

8. Inventory of assets

Consists of a record of hardware, software, networks, databases, human assets and other resources that are crucial for protecting sensitive information.

9. Acceptable use of assets

Sets guidelines for fair and responsible use of assets like IT resources, systems, networks, physical assets etc. and defines acceptable behavior.

10. Access control policy

Covers the rules and guidelines related to control of access to information assets for protecting their confidentiality, integrity and availability.

11. Operating procedures for IT management

Serves as a reference document for IT staff to manage operations like incident response, system monitoring, backups, vulnerability detection and communication etc.

12. Secure system engineering principles

Comprises basic principles related to designing, deploying and implementing secure systems and practices for an effective ISMS. This can include guidelines on design frameworks, coding practices, testing mechanisms etc.

13. Supplier security policy

Encompasses a range of requirements and security controls that third-party suppliers must adhere to for mitigating risks to organization’s information assets.

14. Incident management procedure

Describes the sequential procedure for incident management from identifying to escalating, containing or treating, documentation and post-incident steps.

15. Business continuity procedures 

Addresses the plan of action that must be initiated to restore normal business operations in case of an emergency/crisis/disruption.

16. Statutory, regulatory, and contractual requirements

Gives details about the applicable laws, regulations, standards and contractual agreements that are adhered to by the organisation

17. List of Records

The following records are required to be created, updated and maintained:

18. Records of training, skills, experience, and qualifications

Helps assess competency, identify skill gaps or training needs and take future decisions for workforce development.

19. Monitoring and measurement results

Serves as a track record of surveillance activities as well as qualitative and quantitative metrics for identifying improvement areas.

20. Internal audit program

Demonstrates conformance of ISMS with ISO 27001 requirements and the commitment of organisation to maintain compliance.

21. Results of internal audits

Showcases audit findings, documentation reviews, interview summaries with staff, follow-up actions, etc.

22. Results of the management review

Ensures a formal review of ISMS performance by the top management and provides a tangible proof of decisions, recommendations and actions, enhancing progress visibility.

23. Results of corrective actions

Act as an evidence of improvement measures implemented over a course of time for enhancing security processes.

24. Logs of user activities, exceptions, and security events

Become a valuable source of investigation and root cause analysis in case of events.

Non-mandatory documents

The non-mandatory documents are not critical but are demand-driven and good-to-have. These may be required as per specific nature and risk-profile of an organization.

Non-Mandatory documentsISO 27001 Clause/Annex
Procedure for document controlClause 7.5, Annex A 5.33
Controls for managing recordsClause 7.5, Annex A 5.33
Procedure for internal auditClause 9.2
Procedure for corrective actionClause 10.2
Bring your own device (BYOD) policyAnnex A 7.8, 8.1
Mobile device and teleworking policyAnnex A 6.7, 7.8, 7.9, 8.1
Information classification policyAnnex A 5.10, 5.12, 5.13
Password policyAnnex A 5.16, 5.17, 8.5
Disposal and destruction policyAnnex A 7.10, 7.14, 8.10
Procedures for working in secure areasAnnex A 7.4, 7.6
Clear desk and clear screen policyAnnex A 7.7
Change management policyAnnex A 8.32
Backup policyAnnex A 8.13
Information transfer policyAnnex A 5.14
Access control policyAnnex A 5.15
Supplier security policyAnnex A.5.19, A.5.21, A.5.22, A.5.23
Disaster recovery planAnnex A.5.29, A.5.30, A.8.14
Encryption policyAnnex A 8.24

Some implementation tips for maintaining documents for ISO 27001

  • Establish protocols for managing documents throughout their lifecycle
  • Clearly communicate ownership and access controls
  • Have a document audit when running internal audits and update as per requirements
  • Define document retention and disposal procedures
  • Make use of standardized templates for keeping things easy and consistent
  • Present information in a clear and understandable manner. Use process flowcharts, organization structure diagrams etc. and other visual aids for promoting clarity.

How many mandatory clauses are there in ISO 27001?

ISO 27001 comprises two sections: clauses and annexure. The first part includes 11 clauses from 0-10 with clauses 4-10 being mandatory.

The second section lists controls in Annex A. While the 2013 version had 114 controls, the latest version ISO 27001:2022 has 93 controls.

Consequences of missing ISO 27001 mandatory documents

In an  ISO 27001 certification audit, the auditor records any major non-conformities, minor non-conformities, and opportunities for improvement. Not having ISO 27001 mandatory documents is a major non-conformity.

A major non-conformity is a non-fulfilment of critical mandatory documents. Usually Non-conformities hinder the certification process and will require you to revisit the exact documentation obligations and submit the missing pieces to the auditor. This can extend your timelines by 1-4 weeks depending on the time you take to gather/recreate the evidence and catalogue it before submitting it to the auditor for review.

Get ISO 27001 ready with Sprinto

Use these lists to ensure you have all documents prepared in a structured fashion for an effortless access by the auditor. The auditor may choose to see some or all of these. But it is always advisable to have all mandatory documents compiled and neatly indexed for a breezy audit.

Having all the mandatory documents in place is just one piece of the ISO 27001 puzzle. Implementing controls and processes mentioned in the guidelines can be daunting without expert help.

When done manually, it involves stakeholders from different functions of the org to implement and monitor compliance efficiency.

These stakeholders, often, leadership members or functional managers end up spending their time on compliance activities that are repeatable and menial, instead of doing what they do best; business development!

Forward-thinking businesses therefore rely on automation for their compliance needs. Enter Sprinto.

Sprinto becomes your single powerful tool to track all activities at a granular level for risk assessment and remediation.

It has an integrated solution for policy management, security training, endpoint protection, infrastructure inventory management and managing vulnerabilities.

Multiple teams can collaboratively work on the Sprinto dashboard for ensuring compliant processes.

Read why Axslogic loved 30% faster evidence collection and single view compliance management provided by Sprinto. Talk to our experts today and get ISO 27001 compliant 10x faster.

Payal Wadhwa

Payal Wadhwa

Payal is your friendly neighborhood compliance whiz! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!

How useful was this post?

5/5 - (1 votes)

Found this interesting?
Share it with your friends

Get a wingman for
your next audit.

Schedule a personalized demo and scale business

Here’s what to read next….

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.