Key Takeaways
- The Foundation of Proof: Documentation is the “source of truth” that a licensed practitioner works from during an evaluation; if a process is not documented, it effectively does not exist in the eyes of the standard, because there is nothing to verify it against.
- Lean vs. Bloated: Mandatory documentation should be “right-sized”: it must satisfy the 10 core requirements without creating administrative friction that slows down your team or produces policies nobody follows.
- Dynamic Records: Beyond static policies, ISO 27001 requires “records of results,” meaning you must keep evidence that your processes (risk assessments, risk treatment, internal audits, and management reviews) actually occurred, not just that they were defined.
One of the most common questions we hear is: “What exactly do I need to include in my documentation?”
While ISO 27001 is not just a “paperwork exercise,” documentation is the primary way you prove that your Information Security Management System (ISMS) is functioning as intended. Without the right records, you cannot demonstrate conformance to the certification body, and you cannot demonstrate it to partners or other stakeholders either.
To help you clear the fog, we’ve outlined the ISO 27001 mandatory documents that every organization must have in place to achieve and maintain certification.
The 10 Mandatory Documents Required for ISO 27001 Certification
1. Scope of the ISMS
You cannot protect “everything” all at once. This document (Clause 4.3) defines exactly what your security program covers: which offices, departments, systems, and data are included, and what sits outside the boundary. It is the “fence” around your security efforts, and everything else in the ISMS is interpreted relative to it.
2. Information Security Policy
This is your high-level “constitution” (Clause 5.2). It states your organization’s security objectives and commitments and is approved by senior leadership to show top-down commitment; it must also be communicated to staff and, where relevant, made available to interested parties.
3. Information Risk Assessment Process
You must document your methodology for identifying, analyzing, and evaluating risks (Clause 6.1.2), including the criteria you use for likelihood, impact, and risk acceptance. This ensures that your risk management is consistent, repeatable, and comparable from one assessment to the next, rather than based on a “gut feeling.”
4. Information Risk Treatment Process
Once risks are identified, how do you handle them? This document (Clause 6.1.3) describes how treatment options are chosen, how the necessary controls are selected and compared against Annex A, how the risk treatment plan is produced, and how risk owners approve that plan and accept the residual risk.
5. Statement of Applicability (SoA)
The SoA is perhaps the most important document in your ISMS. It lists all 93 controls from Annex A of the 2022 standard, states which ones are necessary and whether each is implemented, and provides a justification both for the controls you include and for any you exclude. It is the document a practitioner will use to decide which controls to test.
6. Information Security Objectives
What are you trying to achieve this year? These must be measurable goals (e.g., “Achieve 99.9% uptime” or “Ensure 100% of staff complete security training”) that are consistent with the security policy, assigned to an owner, and tracked over time (Clause 6.2).
7. Evidence of Competence
You must prove that the people managing your security have the right skills (Clause 7.2). This includes training records, certifications, or job descriptions that define the required competence, along with evidence of how any gaps were closed.
8. Results of the Risk Assessment
Beyond the process (Document #3), you must keep the actual results of each assessment you perform. This is usually your Risk Register, showing exactly which risks you identified, how you scored them against your criteria, and who owns each one.
9. Results of the Risk Treatment
This is the record of the actions you took to address those risks: the approved risk treatment plan and the evidence that the selected controls were actually put in place. It proves that you did not just find problems but worked to fix them.
10. Evidence of Internal Reviews
ISO 27001 requires you to “check your own work.” The standard calls this internal audit (Clause 9.2) and management review (Clause 9.3). You must keep documented evidence that internal audits were planned and performed, what they found, and that your leadership team has met to review the results and decide on follow-up actions.
Beyond the "Mandatory 10": Essential Supporting Policies
To implement the Annex A controls selected in your SoA, most organizations will also need to document the following:
- Access Control Policy: Defines who gets access to what, how credentials and privileged accounts are managed, how access is reviewed, and the process for revoking access when an employee leaves.
- Physical Security Policy: Outlines how you protect offices and data centers, and sets clear-desk and clear-screen expectations.
- Asset Management Policy: Requires an inventory of laptops, servers, and sensitive data sets, with a named owner responsible for each asset.
- Incident Management Procedure: The playbook for what happens when a breach or system failure occurs: how incidents are reported, triaged, contained, and reviewed afterward.
- Supplier Security Policy: How you ensure your vendors (SaaS tools, cloud providers) are not the weak link in your security chain, including what you require of them contractually and how you monitor them.
- Secure Development Policy: (For organizations that develop software, including SaaS companies) The rules for how code is written, reviewed, tested, and deployed so that vulnerabilities are far less likely to be introduced.
How Auditwerx Can Help
Navigating the ISO 27001 mandatory documents can be overwhelming, but you don’t have to do it alone. Our team specializes in helping you build a “lean” documentation library—one that meets every requirement without creating unnecessary bureaucracy. We help you move from a pile of scattered files to a cohesive, professional ISMS. If you are ready to start your ISO 27001 journey, contact Auditwerx today.
FAQs
Can we use templates to create these mandatory documents?
Templates are a great starting point, but they must be customized. A licensed practitioner will quickly identify “off-the-shelf” policies that do not match your actual operations. Documentation must reflect your real-world workflows to be accepted as evidence.
How often do these documents need to be updated?
At a minimum, your ISMS documentation should be reviewed annually, typically as part of the management review. However, significant changes to your business, such as a merger, a move to a new cloud provider, or a shift to fully remote work, should trigger an immediate update to the affected documents, starting with the Scope, the risk assessment, and the SoA.
Does the "Evidence of Competence" include every employee?
Generally, yes, in the form of security awareness training records. For those with specific security roles (like a CISO or IT Manager), the assessment firm will look for deeper evidence, such as specialized certifications or records of past experience in similar roles.
What happens if a mandatory document is missing during an evaluation?
Missing mandatory documentation is typically classified as a “Major Non-Conformity.” This will stall your certification until the document is created and the associated process is shown to be operating. Performing a readiness evaluation (gap assessment) beforehand is the best way to catch these gaps early.
