Updated: November 28, 2022, according to the changes in ISO 27001:2022 revision.
If you have ever wondered what documents are mandatory in the 2022 revision of ISO/IEC 27001, here is the list you need. Below, you will see the mandatory documents, along with the most commonly used non-mandatory documents for ISO 27001 implementation.
- ISMS Scope document
- Information Security Policy
- Risk Assessment Report
- Statement of Applicability
- Internal Audit Report
Mandatory ISO 27001 documents
Here are the items you must document if you want to be compliant with ISO 27001, and the most common ways to title those documents:
| What must be documented | ISO 27001 reference | Usually documented through |
|---|---|---|
| Scope of the ISMS | Clause 4.3 | ISMS Scope document |
| Information security policy | Clause 5.2 | Information Security Policy |
| Risk assessment and risk treatment process | Clause 6.1.2 | Risk Assessment and Treatment Methodology |
| Statement of Applicability | Clause 6.1.3 d) | Statement of Applicability |
| Risk treatment plan | Clauses 6.1.3 e), 6.2, and 8.3 | Risk Treatment Plan |
| Information security objectives | Clause 6.2 | List of Security Objectives |
| Risk assessment and treatment report | Clauses 8.2 and 8.3 | Risk Assessment & Treatment Report |
| Inventory of assets | Control A.5.9* | Inventory of Assets, or List of Assets in the Risk Register |
| Acceptable use of assets | Control A.5.10* | IT Security Policy |
| Incident response procedure | Control A.5.26* | Incident Management Procedure |
| Statutory, regulatory, and contractual requirements | Control A.5.31* | List of Legal, Regulatory, and Contractual Requirements |
| Security operating procedures for IT management | Control A.5.37* | Security Procedures for IT Department |
| Definition of security roles and responsibilities | Controls A.6.2 and A.6.6* | Agreements, NDAs, and specifying responsibilities in each security policy and procedure |
| Definition of security configurations | Control A.8.9* | Security Procedures for IT Department |
| Secure system engineering principles | Control A.8.27* | Secure Development Policy |
*Note: ISO 27001 documents or records required by Annex A controls are mandatory only if there are risks or requirements from interested parties that would demand implementing those controls.
ISO 27001 records that are mandatory
Here are the mandatory records:
| What must be recorded | ISO 27001 reference | Usually recorded through |
|---|---|---|
| Training, skills, experience, and qualifications | Clause 7.2 | Training certificates and CVs |
| Monitoring and measurement results | Clause 9.1 | Measurement Report |
| Internal audit program | Clause 9.2 | Internal Audit Program |
| Results of internal audits | Clause 9.2 | Internal Audit Report |
| Results of the management review | Clause 9.3 | Management Review Minutes |
| Results of corrective actions | Clause 10.2 | Corrective Action Form |
| Logs of user activities, exceptions, and security events | Control A.8.15* | Automatic logs in information systems |
Non-mandatory ISO 27001 documents
There are numerous non-mandatory ISO 27001 documents that can be used for the implementation, especially for the security controls from Annex A, but not all of them are equally useful. I find these non-mandatory documents to be most commonly used:
- Procedure for Document and Record Control (clause 7.5, control A.5.33)
- Procedure for Internal Audit (clause 9.2)
- Procedure for Corrective Action (clause 10.2)
- Information Classification Policy (controls A.5.10, A.5.12, and A.5.13)
- Information Transfer Policy (control A.5.14)
- Access Control Policy (control A.5.15)
- Password Policy (controls A.5.16, A.5.17, and A.8.5)
- Supplier Security Policy (controls A.5.19, A.5.21, A.5.22, and A.5.23)
- Disaster Recovery Plan (controls A.5.29, A.5.30, and A.8.14)
- Mobile Device, Teleworking, and Work from Home Policy (controls A.6.7, A.7.8, A.7.9, and A.8.1)
- Procedures for Working in Secure Areas (controls A.7.4 and A.7.6)
- Clear Desk and Clear Screen Policy (control A.7.7)
- Bring Your Own Device (BYOD) Policy (controls A.7.8 and A.8.1)
- Disposal and Destruction Policy (controls A.7.10, A.7.14, and A.8.10)
- Backup Policy (control A.8.13)
- Encryption Policy (control A.8.24)
- Change Management Policy (control A.8.32)
How does the ISO 27001 2022 revision impact mandatory documents and records?
The new ISO 27001:2022 brings good news when it comes to documentation:
- This new revision requires fewer mandatory documents when compared to the old ISO 27001:2013 revision.
- Even though the 2022 revision introduces 11 new security controls, they do not require any new documents: it is enough to add sections covering those controls to the documents you already wrote for the 2013 revision of the standard, as shown in the table below.
| New security controls in ISO 27001:2022 | Existing ISO 27001 documents where these controls can be included |
|---|---|
| A.5.7 Threat intelligence | Incident Management Procedure |
| A.5.23 Information security for use of cloud services | Supplier Security Policy |
| A.5.30 ICT readiness for business continuity | Disaster Recovery Plan |
| A.7.4 Physical security monitoring | Procedures for Working in Secure Areas |
| A.8.9 Configuration management | Security Procedures for IT Department |
| A.8.10 Information deletion | Disposal and Destruction Policy |
| A.8.11 Data masking | Secure Development Policy |
| A.8.12 Data leakage prevention | Security Procedures for IT Department |
| A.8.16 Monitoring activities | Security Procedures for IT Department |
| A.8.23 Web filtering | Security Procedures for IT Department |
| A.8.28 Secure coding | Secure Development Policy |
To get the templates for all mandatory documents and the most common non-mandatory documents, along with a wizard that helps you fill out those templates, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.