Thursday, May 16, 2013

List of mandatory documents required by ISO 27001

By Dejan Kosutic on April 09, 2013
It’s actually funny, but it is rather difficult to find a list of all mandatory documents required by ISO 27001 anywhere on the Internet – this problem came to my attention when one of the readers of my blog told me he had to read several of my articles to assemble this list.
Anyway, a complete list of mandatory documents has two parts: the first covers the documents required by the main part of the standard (clauses 4 to 8), and the second covers the documents required by Annex A.
Mandatory documents required in the main part of ISO 27001
The first part is rather straightforward: most of the required documents are listed in clause 4.3.1 (the documentation requirements of the 2005 edition of the standard, which is the edition this list follows):
  • ISMS scope
  • ISMS policy and objectives
  • Risk assessment methodology
  • Risk assessment report
  • Statement of Applicability
  • Risk treatment plan
  • Description of how to measure the effectiveness of controls
  • Procedure for document management
  • Controls for record management
  • Procedure for internal audit
  • Procedure for corrective action
  • Procedure for preventive action
Records required by the main part of the standard are as follows:
  • Records related to effectiveness and/or performance of the ISMS
  • Records of management decisions
  • Records of significant security incidents
  • Records of training, skills, experience and qualifications
  • Results of internal audit
  • Results of management review
  • Results of corrective actions
  • Results of preventive actions
Documents for Annex A
This is where it gets confusing – ISO 27001 doesn’t require all the controls from Annex A to be implemented, and it doesn’t clearly indicate how each control should be documented. To learn how to determine which controls to implement, read this article: ISO 27001 risk assessment & treatment – 6 basic steps.
The documents that are mandatory in Annex A (provided that the corresponding control is applicable) are the following:
  • Information security policy
  • Inventory of assets
  • Rules for acceptable use of assets
  • Definition of roles and responsibilities
  • Operating procedures for information technology and communications management
  • Access control policy
  • List of relevant statutory, regulatory and contractual requirements
  • Records provided by third parties
  • Logs recording user activities, exceptions, events, etc.
And here are the documents that are quite commonly used when implementing controls from Annex A, although they are not mandatory:
  • Classification policy
  • Change management policy
  • Backup policy
  • Disposal and destruction policy
  • Information exchange policy
  • Password policy
  • Clear desk and clear screen policy
  • Policy on use of network services
  • Mobile computing and teleworking policy
  • BYOD – Bring your own device policy
  • Incident management procedure
Which documents do you think should be used in ISO 27001 implementation?
Click here to download the white paper Checklist of ISO 27001 Mandatory Documentation, which gives more detailed information on the most common ways of structuring and implementing the mandatory documents and records.


  1. ISO 27001 Audit
    Certification Europe is accredited to audit and issue certificates for ISO 27001 Information Security Management Systems. This means that we have the authority, expertise and know-how to go into organisations and assess them against the requirements of ISO27001.

  2. This is a great article on the topic of the benefits of ISO 27001 certification.
    ISO 27001 Download

  3. Good information posted. Thanks for sharing the information.

    ISO 9001 Certification

  4. Nice blog! Thanks for sharing the information about ISO consultants. This is really nice and interesting to read.

  5. Nice blog! I was looking for blogs related to ISO consultants; then I found this blog. This is really nice and interesting to read.

  6. I was looking for blogs related to ISO consultants; then I found this blog. This is really nice and interesting to read.