April 22, 2024

A Guide to ISO 27001 Mandatory Documents

The journey to ISO 27001 compliance requires a high level of attention to detail, so it’s important to stay on top of your documentation to avoid overlooking or completely missing any critical components.


Missing any documentation or including any unnecessary files could lead to delayed certification or even non-compliance. This is why Hicomply have provided a comprehensive list of the correct ISO 27001 mandatory documents needed for your business’ Stage 1 audit.

What are the ISO 27001 mandatory documents?

To achieve ISO 27001 compliance, your organisation will need to create, collate, and maintain several documents that demonstrate to the external auditor how you review and maintain your security controls.

When undergoing your Stage 1 audit, you will need the following ISO 27001 mandatory documents:

  • Clause 4.3: Scope of the ISMS
  • Clause 5.2: Information security policy
  • Clause 5.5.1: Any documented information the organisation sees as necessary to support ISMS
  • Clause 6.1.2: Information security risk assessment process/methodology
  • Clause 6.1.3: Information security risk treatment plan and Statement of Applicability (SoA)
  • Clause 6.2: Information security objectives
  • Clause 7.1.2 and 13.2.4: Defined security roles and responsibilities
  • Clause 7.2: Evidence of competence
  • Clause 8.1: Asset inventory, acceptable use of assets, and operational planning
  • Clause 8.2 and 8.3: Results of the information security risk assessment and information security risk treatment
  • Clause 9.1: Access control policy, evidence of ISMS monitoring and tracking metrics
  • Clause 9.2: A documented internal audit process and completed internal audit reports
  • Clause 9.3: Results of management reviews
  • Clause 10.1: Evidence of any non-conformities and corrective actions taken
  • Clause 12.4: User activity, exceptions, and security incident logs

What are the Annex A controls for ISO 27001 documentation?

Annex A controls must also be complied with for ISO 27001 certification, and they often require significant documentation. The following documents are frequently created by organisations seeking compliance:

  • Clause 6.2.1: Mobile device, BYOD, and remote work policies
  • Clause 7.5: Document control process and controls for managing records
  • Clause 8.2.1: Information classification policy
  • Clauses 8.3 and 11.2: Data retention and disposal policy
  • Clauses 9.2, 9.3, 9.4: Password policy
  • Clause 11.1.5: Procedures for working in secure areas
  • Clause 11.2: Clear desk and clear screen policies
  • Clauses 12.1 and 14.2: Change management policy
  • Clause 12.3: Data backup policy
  • Clause 13.2: Data transfer policy
  • Clause 14.2.5: Secure software development/engineering principles
  • Clause 15.1.1: Supplier security policy
  • Clause 16.1.5: Incident management procedure
  • Clause 17.1: Business continuity procedures
  • Clause 18.1.1: Statutory, regulatory, and contractual requirements

What are the consequences of missing any ISO 27001 mandatory documents?

When undergoing an ISO 27001 audit, your auditor will note all non-conformities – regardless of whether these are major or minor – and state opportunities for improvement. Missing any ISO 27001 mandatory documents is considered a major non-conformity.

Non-conformities will significantly delay the certification process for your organisation. When a non-conformity is found, you must gather, recreate, and catalogue any missing documentation so that it can be submitted to the auditor for review. This process takes 1-4 weeks on average.

ISO 27001 mandatory documents made simple with Hicomply

The volume of documentation needed to achieve ISO 27001 compliance can be quite intimidating to newcomers. However, it is extremely important to get this right, not only for certification but also for the benefits it provides your business.

At Hicomply, we specialise in streamlining the documentation process. Our ISMS dashboard allows you to keep track of all your documents in one place – giving you compliance as you work! Contact us today to book a demo.
