Producing and maintaining the documents and controls that describe an organization’s information security policies, procedures, and processes is one of the essential conditions for ISO 27001 certification. These required records provide the framework for achieving and proving conformity to ISO 27001 requirements.

Many lists of the main documents needed to comply with ISO 27001 are in circulation. Each of these documents is essential to various phases of implementing ISO 27001, ensuring a methodical and organized approach to information security management. Not every piece of additional documentation is required, but, as we always say, being safe, secure, and certified is preferable to being sorry.

In this article, we cover the documents and controls needed to comply with ISO 27001. To comply, organizations must understand which documents are mandatory. By properly applying these documents and controls, organizations can build a solid basis for information security management and protect the confidentiality, integrity, and availability of their important data assets.


It’s vital to remember that the precise titles of these papers may change based on the preferences and internal naming practices of the company. The titles listed below are often used and express each document’s purpose.

The important thing is to make sure the names adequately describe the content and make it simple to locate and retrieve the paperwork needed to comply with ISO 27001.

Scope of ISMS: This clearly identifies for your stakeholders the business sectors that your ISMS covers. You may wish to include a vision statement and/or plan along with the ISMS scope to give your stakeholders more clarity. Remember that the main component of a successful certification is your specified ISMS scope.

Information security policy: Top management must create an information security strategy that is pertinent to the goals of your particular organization. The policy demonstrates senior management’s dedication to the ISMS goals and the ongoing development of those goals.

Risk assessment and treatment: You must demonstrate how you recognize, examine, rank, and prioritize your information threats. Make the decisions that are right for your organization, and then put them in a report, a list, a matrix, or any other compelling document that demonstrates how your risks are being managed.

Statement of Applicability (SoA): The Statement of Applicability (SoA) identifies and justifies the control goals and controls chosen for implementation inside the ISMS. It lists the security measures from ISO 27001 Annex A that have been selected and justifies their applicability in the organization’s particular situation. The SoA assists in making sure that the chosen controls complement the organization’s risk profile and adequately safeguard its information assets.

Risk treatment plan: The risk treatment plan describes the activities and steps that must be taken to address the risks that have been identified. It offers a step-by-step guide for carrying out risk management procedures, such as the adoption of certain security controls or other risk mitigation techniques. The plan includes information on who is in charge of carrying out each step, timetables, and monitoring systems to guarantee successful risk management.

Information Security Objectives: Information security objectives are definite targets that a company establishes for its ISMS. These goals represent the organization’s priorities and ideal information security results and are in line with its information security policy. Increasing the protection of sensitive data, expanding incident response capabilities, or raising staff knowledge and training are a few examples of information security goals.

Risk assessment and treatment report: The risk assessment process, results, and risk treatment choices made by the company are all thoroughly covered in the risk assessment and treatment report. It details the outcomes of risk analyses, including identified hazards, their likelihood, and consequences, as well as the organization’s risk management choices. The report aids in proving compliance with ISO 27001 criteria and acts as a reference for continuing risk management initiatives.

Inventory of assets: An inventory of assets identifies and lists all information assets inside an organization. This encompasses tangible assets like hardware, software, and data repositories, as well as intangible assets like intellectual property, confidential information, and sensitive data. By doing an inventory, organizations can better understand their asset landscape, evaluate the worth and importance of their assets, and put in place the necessary security safeguards to secure them.

Acceptable use of assets: The policies and procedures that outline how employees, independent contractors, and other authorized users should utilize organizational assets are referred to as acceptable use of assets. To guarantee correct usage, guard against misuse, and reduce security risks, these rules specify acceptable behaviors, access limitations, and responsibilities connected to the use of assets.

Incident response procedure: An incident response procedure specifies the procedures and actions to take in the event of a security incident or breach. It offers a methodical method for recognizing, reacting to, containing, looking into, and recovering from security problems. To reduce the effects of crises and quickly resume regular operations, the method specifies roles and duties, communication protocols, and escalation mechanisms.

Statutory, regulatory, and contractual requirements: These terms are used to describe the legal and regulatory standards that a company must follow with regard to information security. These requirements might consist of contractual obligations, data protection mandates, industry-specific rules, and privacy legislation. Organizations are required to recognize, comprehend, and adhere to these standards, incorporating them into their information security procedures and making sure the proper controls are in place.

Security operating procedures for IT management: IT management and security operating procedures provide standards and best practices for managing and running safe IT systems. System administration, access control, change management, vulnerability management, patch management, and incident response are all covered by these processes. In addition to ensuring the continued security and dependability of IT operations, they offer guidance and policies to reduce security risks related to IT infrastructure.

Definition of security roles and responsibilities: Clarifying the roles, duties, and accountability of individuals or teams involved in information security inside an organization is a key component of the definition of security roles and responsibilities. End users, system administrators, data custodians, and information security managers are examples of roles that fall under this category. These roles should be clearly defined to ensure that everyone is aware of their security duties, to facilitate efficient coordination, and to prevent gaps or overlaps in security-related tasks.

Definition of security configurations: The term “security configurations” refers to the process of identifying and recording the precise configurations and settings that must be applied to IT systems, apps, and devices in order to guarantee secure functioning. Configuring firewalls, access restrictions, encryption standards, password guidelines, and other security-related settings falls under this category. Consistently defining and applying security settings improves the overall security posture of the company’s IT infrastructure by reducing vulnerabilities.

Secure system engineering principles: The concepts of secure system engineering are a collection of standards and procedures for creating safe IT systems and applications from the bottom up. Incorporating security controls, threat modeling, secure coding techniques, and thorough testing into the system development life cycle are the main goals of these concepts. Organizations may create more dependable and secure systems that are better able to fend off emerging threats by following secure system engineering principles.


The mandatory records of ISO 27001 are:


Records of Corrective Actions: Identification of nonconformities, implementation of corrective measures to resolve them, and proof of their success.

Records of Training and Awareness: Records of training efforts, training programs, and employee involvement in information security awareness training and activities.

Internal Audit Records: Records of internal audit operations, including the audit plan, audit scope, audit results, and any remedial measures adopted as a result of the audits.

Records of Documented Information: These include policies, processes, work instructions, records, and documentation of the development, review, and management of documents pertinent to the ISMS.

Records of Management Reviews: A record of the agenda, minutes, and any decisions or actions made during management review meetings held by top management to assess the effectiveness of the ISMS.

Records of incident response: Records of information security events, including incident reports, conclusions of investigations, and steps taken to lessen the effects of incidents and stop them from happening again.


The ISO 27001:2022 revision makes updates and adjustments to the requirements of the standard, which have an effect on the obligatory documents and records. Here are some broad points to keep in mind, even if the precise adjustments may vary:


Examine and Update: In light of the updated ISO 27001 standards, organizations must examine their current obligatory documentation and records. This entails determining any gaps or regions that need to be modified in order to comply with the new standard.

Documents Introduced Newly or Modified: The revision may call for the addition of new, mandatory documents or the revision of already existing ones. Organizations should make sure the documentation for their information security management system (ISMS) includes any newly required documents.

Enhanced Documentation Requirements: The amended standard could give some parts of documentation more prominence. To demonstrate compliance with certain standards, organizations could be required to submit more information or proof in their records.

Streamlining and simplification: The revision may aim to make the documentation requirements more efficient and straightforward. This can entail cutting back on the number of required documents or changing their formatting to make them clearer and easier to understand.

Alignment with Annex A: The 2022 version may make modifications to Annex A, which contains a summary of the control goals and controls. Organizations must thus check their Statement of Applicability (SoA) and related documents to make sure they accurately represent the most recent control needs.

Transition period: Organizations that have previously achieved ISO 27001 certification will probably have a transition period to modify their paperwork in order to comply with the new standards. It is crucial to remain up-to-date on any transitional instructions given by the accreditation or certification agencies.

Get professional help from CertPro

Organizations must create and maintain a number of necessary documents that serve as the cornerstone of a successful information security management system in order to achieve ISO 27001 compliance. These papers provide the framework required to identify, assess, and manage information security threats. Organizations may profit from CertPro’s experience as a trusted partner in ISO 27001 compliance throughout the certification process. In order to help firms adopt and maintain the required documentation and ensure a successful route towards ISO 27001 certification, CertPro offers extensive assistance, advice, and auditing services. Organizations may improve their information security posture and win the trust of their stakeholders by working with CertPro to protect sensitive data and precious assets.


What information must the ISMS documentation have?

The ISMS documentation must expressly cover clauses 4.1 through 10.2 of the fundamental requirements, together with the risk assessment and management processes that result in the choice of the Annex A controls.

How many provisions of ISO 27001 need to be followed?

ISO 27001 is organized into two separate parts. The first and most important part consists of 11 clauses, from clause 0 to clause 10. The second part, Annex A, provides the foundation for your Statement of Applicability (SoA) and comprises 114 controls.

What are the six ISO-required procedures?

The six procedures are Control of Documents, Control of Records, Internal Audit, Corrective Action, Preventive Action, and Control of Non-Conforming Products.

What are the requirements for passing ISO 27001?

The threshold for passing is 70%. The complete list of languages used for the “Certified ISO/IEC 27001 Lead Auditor” test can be seen in the examination application form.

Who conducts audits of ISO 27001?

Competent and unbiased auditors: Audits must be conducted in accordance with ISO 27001 by auditors who are qualified and impartial. The auditor is often required to demonstrate competence for an ISO 27001 audit through a proven understanding of the standard and auditing best practices.


