Information Security

What documents do you need for ISO 27001 evidence?

Anyone who starts with ISO 27001 will quickly notice that it is not just about technical measures. During an audit, you must be able to demonstrate how you have set up, manage, and improve your information security. That means providing evidence. And that evidence is largely contained in documentation.
This article was last updated on January 20, 2026.

ISO 27001: no specific form required, but documentation is necessary

ISO 27001 does not prescribe how extensive your documentation must be, as long as you can demonstrate that your processes work and are being followed. In this blog, we list the documents you need according to ISO 27001:2022 and provide practical tips for each section to keep it workable. You can also use this blog as an ISO 27001 checklist for an internal or external audit.


Mandatory documentation according to ISO 27001:2022

These are documents and records that you must be able to demonstrate you have. Without this basis, you simply will not pass an audit.


Scope of the ISMS (4.3)

The scope shows which parts of your organization fall under the ISMS. Think of departments, processes, locations, systems, and services. This is not only important for the auditor, but will also be stated on your certificate. Stakeholders can immediately see how far your ISMS reaches. A simple example:


Information security related to advising, designing, developing, integrating, maintaining, and operating mobile and web applications for, among other things, processing personal health information and providing associated external hosting services.


Ensure that the scope is clear and practical, so that everyone understands exactly what is included.


Information security policy and objectives (5.2, 5.3 & 6.2)

Here you set out what information security means for your organization. The policy provides direction. Ensure that management is familiar with the policy and has approved it. Don't forget that this policy document must also be communicated within the organization and made available to relevant stakeholders (if applicable). You can do this with a management statement.

In addition, it is important that management periodically obtains and communicates information about the performance of the management system. In practice, this often takes place via quarterly meetings, periodic information security meetings, or management reports. These reports form input for the management review required by clause 9.3 of ISO 27001. The organization must demonstrate that top management actually assesses this information and that decisions or improvement actions result from it.

Risk analysis, risk treatment, and risk methodology (6.1.2)

You must be able to demonstrate how you identify, assess, and treat risks. This concerns not only the end result, but also the method you use. Risk analysis is at the heart of your entire ISMS. Everything you do must logically follow from this. Want to know how to carry it out? You can read about it here.


Statement of Applicability (6.1.3 d)

In the statement of applicability, you specify which measures from Annex A you apply and which you do not, including justification. This document is used extensively during audits and must always be up to date. In addition, this document is often requested by stakeholders so that they can see the scope of your certification.


Risk treatment plan (6.1.3 e)

This document specifies the measures you are taking, who is responsible, and when they have been implemented or are planned. Not everything needs to be finalized, but you must demonstrate that you are making informed choices and have arranged for follow-up.


Objectives (6.2)

In addition to the risk treatment plan, your information security objectives must also be available as documented information. These objectives specify what you want to achieve with information security and provide direction for improvements. Consider an objective such as: "Reduce the number of security incidents caused by phishing by 30 percent within 12 months" or "All employees must complete security awareness training annually." Ensure that the objectives are measurable, have an owner, and are evaluated periodically. This shows that information security is not a one-time action, but part of your business operations.


Proof of competence (7.2 d)

You need to be able to demonstrate that the people involved in information security know what they are doing. You can demonstrate this with concrete documentation. Think of diplomas and certificates, but also training courses attended, attendance lists, e-learning results, or internal knowledge sessions.


Experience also counts: minutes from progress or assessment meetings, project plans that someone has worked on, or documented roles and responsibilities within the ISMS. The point is that an auditor can see that this person demonstrably has the knowledge and experience that matches his or her role.

Operational planning and control (8.1)

You record which activities you perform, who is responsible for them, and how often they occur. This includes periodic checks on authorizations to ensure that only the right people have access to systems. It also includes annually recurring components such as management reviews and internal audits. In addition, you can record monthly or quarterly checks, such as a clean desk and clear screen check or a review of log files. By planning and documenting these types of recurring tasks, you demonstrate that you have structural control over information security and are not only active in the run-up to an audit.

Results of information security risk assessments (8.3)

Not only the method, but also the results of your risk analyses must be demonstrable. Auditors want to see that risks are reviewed periodically and are not determined on a one-off basis.


Monitoring and measuring results (9.1)

You must demonstrate how you measure and monitor whether your information security is effective. This can be done through KPIs, reports, checks, or evaluations.


Internal audit program and audit results (9.2)

An internal audit program is essentially your own audit plan. It sets out when you will conduct internal audits, which parts of the ISMS you will assess, and who will conduct the audit. The aim is to periodically check whether your agreements are still valid and whether they are being complied with in practice.


The audit results are the outcomes of this process: findings, areas for improvement, and any deviations. You don't have to resolve everything immediately, but you do need to show that these points have been recorded, discussed, and scheduled. This allows you to use the internal audit as preparation for the external audit, rather than as a mandatory checklist.


Results of management review (9.3)

Top management must be demonstrably involved in the ISMS. The management review shows that risks, performance, incidents, and improvements are discussed at the executive level. You can demonstrate compliance by, for example, keeping minutes or meeting reports that cover all aspects of the standard.


Nonconformities and corrective actions (10.1)

If something goes wrong, you must record and follow up on these deviations. It's not about being flawless, but about showing that you are learning and improving. Make sure you also have evidence of the results of corrective measures.


Documentation expected (based on ISO 27002/Annex A)

These documents are not strictly mandatory, but auditors will expect them if they are relevant to your organization and risks.

A.5 Organizational controls

This chapter focuses on policy, agreements, and responsibilities. Auditors mainly check whether you have made clear choices and recorded them. You record this in the information security policy discussed above (5.2).


A.5.9 Inventory of information and other related business assets

You make an inventory of information and other business assets (such as laptops and phones), including their owners.

A.5.10 Acceptable use of information and company resources

You document how employees handle information and resources such as laptops, mobile phones, and systems. Consider an acceptable use policy that states what is and is not permitted, such as private use, installing software, or using external storage.


A.5.12 Classifying information

In this document, you describe how information is classified based on confidentiality, availability, and integrity. A practical example is a classification scheme with labels such as public, internal, confidential, and strictly confidential, including what that means for storage and sharing.


A.5.14 Transfer of information

You document how information is shared securely, both internally and externally. This includes agreements on encryption, secure email or portals, and avoiding unsecured channels. You can link this to your classification policy: how am I allowed to distribute confidential or internal documents?


A.5.15 Access control

This document describes the principles for accessing systems and information, for example the principle of least privilege and the use of strong authentication. In an access control policy, for example, you combine controls A.5.15 and A.5.18.

A.5.18 Access rights

Here you can record how access rights are granted, changed, and revoked. An example is an authorization procedure for new hires, job changes, and resignations.


A.5.19 Information security in supplier relationships

You document how you deal with suppliers and what security requirements you impose. Think of a supplier policy or standard security clauses in contracts.


A.5.23 Information security when using cloud services

A security policy for cloud services, for example, specifies how you assess and manage cloud providers. This includes agreements on data location, backups, and exit strategies.


A.5.24/A.5.26 Planning, preparing, and responding to information security incidents

You describe how incidents are identified, reported, handled, and evaluated. This is often an incident response procedure with an incident log as evidence.


A.5.31 Legal, statutory, regulatory, and contractual requirements

You document how you identify and comply with laws and regulations. This includes an overview of relevant legislation such as GDPR, NIS2, and contractual obligations.


A.5.32 Intellectual property rights

Here you describe how you deal with copyrights, licenses, and ownership of information. For example, agreements about software licenses and use of content.


A.5.34 Privacy and protection of personal data

This document describes how personal data is protected. This includes a privacy policy, data breach procedure, and links to GDPR obligations (such as creating a register of processing activities).


A.5.37 Documented operating procedures

Here you record how critical processes relating to information security are carried out. These can be work instructions for system administration, monitoring, or change management.

A.6 People controls

This chapter focuses on awareness, responsible behavior, and ensuring information security throughout the entire employment relationship: from employee onboarding to offboarding.


A.6.1 Screening

You must document how employee screening is conducted prior to employment. When screening components are applied, such as requesting a Certificate of Good Conduct (VOG), the organization must also be able to demonstrate this, for example by means of documented screening criteria and evidence that the screening has actually been carried out.


A.6.2 Terms of employment

Employment contracts or similar agreements must explicitly address responsibilities relating to information security. This ensures that employees are aware of their obligations regarding confidentiality and the secure handling of information.


A.6.4 Disciplinary procedure

The organization must have a documented disciplinary procedure for violations of information security policy. These agreements are often laid down in a code of conduct, staff handbook, or employment contract and clearly state the consequences of non-compliance.


A.6.5 Responsibilities after termination or change of employment

Upon termination of employment or change of position, it must be demonstrated that employees have been made aware of their continuing responsibilities with regard to information security. This can be evidenced, for example, by a letter of resignation, exit statement, or other recorded communication.

A.6.6 Confidentiality and non-disclosure agreements

The organization must determine which confidentiality or non-disclosure agreements are necessary to protect information. These agreements must be documented, signed by employees and other relevant stakeholders, and periodically reviewed for relevance and appropriateness. In practice, this involves confidentiality clauses in employment contracts, separate NDAs, or contractual agreements with third parties.

A.6.7 Remote working

The organization documents how employees work securely from home or at external locations. This includes establishing agreements on the use of VPN, private equipment, and physical security of workplaces.

A.7 Physical controls

This is about protecting physical resources and workplaces.


A.7.7 Clear desk and clear screen

You establish how workstations are to be left, for example in a clear desk and clear screen policy. Think of guidelines for tidying up documents and locking screens.


A.7.10 Storage media

You describe how physical and digital storage media are managed and disposed of. For example, procedures for destroying hard drives or USB sticks.


A.8 Technological controls

This chapter deals with technical measures and IT security.


A.8.9 Configuration management

In a configuration management policy, for example, you define how systems are set up and managed. A practical example is a baseline configuration for servers and networks.


A.8.10 Deletion of information

You describe how information is securely deleted. For example, procedures for erasing data when equipment is written off.


A.8.13 Backing up information

You document how backups are made, tested, and restored. Auditors often want to see evidence of backup schedules and test results.


A.8.15 Logging/A.8.16 Monitoring activities

You determine which events are logged and how logs are assessed. For example, agreements on retention periods and monitoring.


A.8.24 Use of cryptography

For example, you draw up a cryptography policy that specifies how and when encryption is applied. This includes encryption of laptops, backups, and data traffic.


A.8.25 Secure development life cycle

When developing software, you describe how security is incorporated into design, build, and test. For example, you describe code reviews and security tests in a software development policy.

A.8.27 Secure system architecture and technical principles

You document the principles for secure IT architecture. Think of network segmentation, redundancy, and minimal exposure to the internet.


Tip for all ISO 27001 documentation

ISO 27001 does not require as many documents as possible, but rather documentation that is consistent with your organization and risks. You must be able to deliver on everything you write down. And you must be able to demonstrate everything you do.


Are you unsure whether your documentation is sufficient for certification? An ISO 27001 check or internal audit is often the quickest way to find out. It will show you immediately where you are already doing well and where you can still take steps towards ISO 27001 certification. Schedule a no-obligation, free consultation below.

Mathijs Oppelaar
Operations manager & partner
085 773 6005