ISO 27001/ISO 22301 documents, presentation decks and implementation guidelines


Have a question on ISO 27001 or ISO 22301?

Ask an Expert

Free eBook

Free eBook 9 Steps to Cybersecurity
Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
Sign up for our free Newsletter and as bonus you'll receive my tips on how to launch an information security and business continuity project.



ISO 22301: An overview of BCM implementation process


September 10, 2014


Mandatory documented procedures required by ISO 27001

'By 'Dejan Kosutic on May 04, 2010

If you heard that ISO 27001 requires many procedures, this is not quite true. The standard actually requires only four documented procedures: a procedure for the control of documents, a procedure for internal ISMS audits, a procedure for corrective action, and a procedure for preventive action. The term “documented” means that “the procedure is established, documented, implemented and maintained” (ISO/IEC 27001, 4.3.1 Note 1).

Note: in this blog post I will not write about other mandatory documents like ISMS Scope, ISMS Policy, Risk Assessment Methodology, Risk Assessment Report, Statement of Applicability, Risk Treatment Plan, etc. – here I focus on procedures only.

The procedure for the control of documents (document management procedure) should define who is responsible for approving documents and for reviewing them, how to identify the changes and revision status, how to distribute the documents, etc. In other words, this procedure should define how the organization’s bloodstream (the flow of documents) will function.

The procedure for internal audits must define responsibilities for planning and conducting audits, how audit results are reported, and how the records are maintained. This means that the main rules for conducting the audit must be set.

The procedure for corrective action should define how the nonconformity and its cause are identified, how the necessary actions are defined and implemented, what records are taken, and how the review of the actions is performed. The purpose of this procedure is to define how each corrective action should eliminate the cause of the nonconformity so that it wouldn’t occur again.

The procedure for preventive action is almost the same as the procedure for corrective action, the difference being that it aims at eliminating the cause of the nonconformity so that it wouldn’t occur in the first place. Because of their similarities, these two procedures are usually merged in one.

But why is it that ISO 27001 requires documented procedures that are not related to information security, while security procedures are not mandatory?

The answer is in risk assessment – ISO 27001 does require you to perform risk assessment, and when this risk assessment identifies certain unacceptable risks, then ISO 27001 requires a control from its Annex A to be implemented that will decrease the risk(s). The control can be technical (for instance, anti-virus software for decreasing the risk of malicious software attack), but could also be organizational – to implement a policy or a procedure (for instance, implement a back-up procedure). Therefore, the procedures are becoming mandatory only if the risk assessment identifies unacceptable risks.

One important note though – as opposed to the four mandatory procedures which must be documented, the procedures arising from controls in Annex A  do not have to be documented. It is up to the organization to estimate whether such a procedure is to be documented or not.

You could consider the four mandatory procedures as the pillars of your management system (together with the security policy) – after they are firmly set in the ground, you can start building the walls of your house. This becomes obvious when you look at other management systems – the same four procedures are mandatory there, too – in ISO 9001 (quality management systems), ISO 14001 (environmental management systems), and BS 25999-2 (business continuity management systems). As a consequence, you can use these procedures as the main link between different management systems if you want to develop the so called “integrated management system”.

You can also check out our video tutorial How to Write ISO 27001/ISO 22301 Document Control Procedure (commercially sold video).

  • Dave Parker

    In 4.3.3 of ISO/IEC 27001:2005 it says that the “controls needed . . of records shall be documented and implemented.”

    This implies the need for a fifth documented procedure.

  • Dejan Kosutic

    It is true that ISO 27001 says that control of records must be documented, but it doesn’t require separate documented procedure for it. Usually, in ISO 27001 records management is documented through other documents like Document management procedure, or through procedures describing other processes.

    This is where ISO 27001 is different from ISO 9001 – ISO 9001 requires that separate Records management procedure must exist.

  • Elder Guerra

    Hi, i’m a technologist, specialiced in busines strategy, i’m new to ISMS but several years implementing ISO 9K and BalancedScorecards, and i have joined the two procedures of documents control and registers, maybe because i’m a systems engineer and have know how of ISO 9K i’m feeling confortable with ISO 27K, your blogs are helping me a lot Dejan, we have to raise up latin america, you are being so helpfull. I have clients that have implemented the management review as another process (On ISO 9K) and for order it helped, is that ok on ISO 27K too?? regards from a coallegue at Guatemala, Central América.

  • Dejan Kosutic

    Hi Elder,

    Thank you for your compliments – I’m really glad that you find my blog useful.

    If I understood well, you are asking me if you can use your ISO 9001 Management Review for ISO 27001 also – the answer is yes, but you have to amend the timetable with requirements from ISO 27001.

    This approach will work for smaller organizations because the structure of Management Review described in those two standards is rather similar. However, for larger organization it may be more practical to do these reviews separately because the issues for quality and information security for a big company will be quite different.

  • Elder Guerra

    Ok, thanks Dejan, clear with that, it will help because we’re implementing ISO 27K in a company of 50 employees that already have the ISO 9K certification. One more, as i read in your blog, i understand that Management Review is not a mandatory procedure, because is not part of the four procedures that you list, am i right ?? of course that the results from audits, corrective actions, etc. are an input. For me, in ISO 9k it helped a lot to document the management review as a procedure, but how about for ISO 27K ??

  • Dejan Kosutic

    Neither ISO 9001 nor ISO 27001 require a documented procedure for Management Review – however if you consider such a procedure to be helpful, you can write it for any of these standards.

    What both ISO 9001 and ISO 27001 explicitly do require is to have a record from Management Review.

    Maybe this blog post can help you: Using ISO 9001 for implementing ISO 27001

  • Clinton

    Hi Dejan,

    I am a small company (2 staff). I am thinking of going for certification. I am a ISO27K certified but never take a company through the certification process (I assist with minor internal policies when i was with another company). I am hoping to do so myself and use my company as a genepeg. I was wondering how long you think this wold take to get all the documentation in place in a organised manner for the certification body.

    I noticed you mentioned four key procedures in the article above. For such a small company, what other core documentations would you suggest I need?

    Many thanks


  • Dejan Kosutic

    Hi Clinton,

    For a very small company (2 employees) ISO 27001 implementation might take somewhere between 2 and 4 months – if you want to do it right.

    Besides the 4 mandatory procedures, every organization that wants to get certified against ISO 27001 must have these documents at minimum: ISMS Scope, ISMS Policy, Risk Assessment Methodology, Risk Assessment Report, Statement of Applicability and Risk Treatment Plan.

    However, depending on which controls you have selected as applicable in Statement of Applicability, you will also need to document some of the controls too – for instance, Access control policy (A.11.1.1) must be documented if selected applicable. Therefore, after you write your Statement of Applicability search for the term “documented” in ISO 27001 Annex A.

  • Arif

    Just goign through your tips and it’s really help full. I am just in the process of implemeting ISMS, I would like to know if GAP report is a must before ISMS implementation or SOA is enough?

    During the ISMS quaterly review do i have to submit a report as ISMS manager to ISC?

  • Dejan Kosutic

    Hi Arif,

    Gap report is not required by ISO 27001, so Statement of Applicability is enough.

    I’m not sure what you meant by ISC?

  • Arif

    Thanks a lot for your reply.
    We are now implementing ISMS and we are planned to review it quaterly so as ISMS implementor and manager do i have to generate a report at end of every review and submitted it to management (ISC is information security comittee.

    ISMS team has to review it or shell we ask each operation team to review their own assets and procedures by them self?

    Sorry for bothering you so much.

  • Dejan Kosutic

    Hi Arif,

    No bother at all!

    ISO 27001 does not require a formal report to be send to security committee, you can do it also in some informal way. However, the certification auditor will ask you for an evidence that such committee did receive all the important information, so it is recommended to put such information in writing (it could also be in a form of email).

    Each level of management needs to review the assets/information security processes for which they are responsible – therefore, both the operation teams need to do it (on the basic level – clause 4.2.3 b), and ISMS team needs to do it (on mid-level – control A.6.1.2). However, the top management too needs to do the review on the high level (through Management Review – clause 7).

    Therefore, everyone needs to consider whether his or her activities regarding information security are OK – like for any other field of management.

  • Arif

    Thanks for the detailed clarificationa and valuable information.

  • nobody

    i think everybody shall read the ISO27001 – there more than 4 Dokuments required!!!!

  • Dejan Kosutic

    You are right that ISO 27001 requires more than 4 documents – to be precise, clause 4.3.1 of the standard requires at least 12 documents.

    The point of this post was about the mandatory procedures – there are 4 that are required by ISO 27001.


  • jannat….

    Dear sir, Your information really useful, Can you send me internal audit and control of documents procedure format? for read or documents?

  • Dejan Kosutic

    Jannat, here you can download a free preview of all the ISO 27001 documents:

  • jannat….

    Dear sir, Thanks for your link.What is the deference between ISO 27001 standard and annex A. If any client not following annex then what is the problem? can you explain me?

  • jannat….

    Dear sir, Thanks for your link.What is the deference between ISO 27001 standard and annex A. If any client not following annex then what is the problem? can you explain me?

  • Dejan Kosutic

    Annex A is crucial part of ISO 27001 – not following this Annex means non-compliance with the standard. You can find more information about the Annex here:

  • zilani

    Dear sir,

    As per my knowledge and your blog. I’ve collected information for mandatory documented procedure is- 4 procedure (1.Control of Documents 2.Internal ISMS Audit 3. Corrective Action 4. Preventive Action) and 5 mandatory records is-
    (5.2.2d Education,
    training, skills, experience and qualification

    6.0 Internal audit
    verification results

    7.1 Management Review
    of ISMS

    8.2 Results of
    corrective action

    8.3 Results of
    preventative action)

    you also mention some required documents is…(ISMS Scope, ISMS Policy, Risk Assessment Methodology, Risk Assessment Report, Statement of Applicability, Risk Treatment Plan)

    Without written all document list. how many due documents can be for mandatory of iso 27001. Can you send me with clause.

    Your cooperation will be highly appreciated.


  • Dejan Kosutic

    Zilani, you have correctly listed all the required documents from main part of ISO 27001 (they are listed in Clause 4.3.1). You should also write certain documents for controls in Annex A, but that depends on the results of your risk assessment see this blog post for more information –

  • SecurityFan

    Hej Dejan,
    as far as I see it, clause 4.3.1 only requires:
    e)Report of Riskanalysis
    g)Controlling (btw, could you elaborate on this document?)
    h)1. documentation records
    h)2. ISMS implementation documentation

    Which makes 10 documents… What am i missing? Thanks!

  • Dejan Kosutic

    SecurityFan, here you can read a blog post which explains ISO 27001 mandatory documents:

  • mac

    Dear Dejan.
    Can you please guide on the new risk assessment approach which an organisation should take based on the revised standard and also elaborate on how to modify the old approach (building information asset register based on CIA, determining information assets value and then performing a threat- vulnerability analysis and finally concluding with the risk treatment plan.)

  • Dejan Kosutic

    Mac, if you already implemented risk assessment based on old approach (assets-threats-vulnerabilities), it is perfectly acceptable for new 2013 revision also.

    New revision allows you to identify risks without determining assets, threats and vulnerabilities, so you for an example you can identify a risk as “A laptop could be attacked by a virus”, or “Company operations could be disrupted because of an earthquake.”

  • Lorna

    Hi Dejan,
    Is the above still valid for ISO 27001:2013?

  • Dejan Kosutic

    Lorna, no – this article was written when ISO 27001:2005 was valid and these rules do not apply for ISO 27001:2013. 2013 revision requires procedures for internal audit, document control and corrective actions to exist, but they do not need to be documented – see details here:

  • SincereManager

    Existing situation: We have defined the policies which enlist just the PRINCIPLES of information security across the ISO 27001 domains.

    We are now planning to create only the procedures to capture HOW the org is working to fulfill the PRINCIPLES outlined in the policies.
    For the STANDARDs we tell the management to simply refer to the “Exhaustive list of control objectives enlisted in the ISO 27001:2013″


    1. Is our approach correct?
    2. OR If you insist we have to write separate standards, then pls guide what should be written in them…

  • SincereManager

    Further when planning the content for the TECHNICAL procedures (networks, systems, VA PT, application security etc.) we are ending up writing more of IT Security instead of Information Security.

    Pls guide:

    1. HOW to select the level of detail which goes into the procedures OR

    Is it sufficient to only create your above mentioned 4 procedures to get ISO 27001:2013 certification?

    2. Shall we we still need to create Non-technical procedures like ‘Clear Screen Clear Desk’, password management, social media, IT acceptable usage procedures etc. ?

  • Dejan Kosutic

    ISO 27001 does not prescribe how you should structure your documentation or how detailed it should be, so your approach could work. Although, my feeling is you will have too many documents which won’t be very concrete, so the questions is if such documentation will be useful. Read also this article: Seven steps for implementing policies and procedures

  • Dejan Kosutic

    The level of details in your procedures will depend on the risks and the number of people performing those processes – the higher the risks and the more people preforming the processes, the more detailed procedures should be.

    The decision about writing policies and procedures should be made through Statement of Applicability, based on risk assessment – this article will help you:

    By the way, the 4 procedures from this article were mandatory in ISO 27001:2005, but they are not mandatory in ISO 27001:2013 any more – see also this article:

  • budisuranta

    Dear Mr Dejan
    About the documentation for ISO 27001
    Let’s say ISO 27001 is implemented ONLY in IT Department,

    Who is supposed to have responsibility to keep and manage all the documentation? (example: monthly log access report, Monthly log visitor report)

    Is it responsiblity of the security or the IT Department employee?

  • Dejan Kosutic

    ISO 27001 does not prescribe who should manage the documentation, and in my opinion this should not be a job for one person. For example, responsibility for the backup logs will be probably with the IT administrator, while security officer will be responsible for e.g. incident records.