Get 2 Documentation Toolkits for the price of 1
Limited-time offer – ends March 28, 2024

List of mandatory documents according to the ISO 27001 2022 revision

Updated: November 28, 2022, according to the changes in ISO 27001:2022 revision.

If you have ever wondered what documents are mandatory in the 2022 revision of ISO/IEC 27001, here is the list you need. Below, you will see the mandatory documents, along with the most commonly used non-mandatory documents for ISO 27001 implementation.

Some of the mandatory ISO 27001 documents and records:
  • ISMS Scope document
  • Information Security Policy
  • Risk Assessment Report
  • Statement of Applicability
  • Internal Audit Report

Mandatory ISO 27001 documents

Here are the items you must document if you want to be compliant with ISO 27001, and the most common ways to title those documents:

What must be documented ISO 27001 reference Usually documented through
Scope of the ISMS Clause 4.3 ISMS Scope document
Information security policy Clause 5.2 Information Security Policy
Risk assessment and risk treatment process Clause 6.1.2 Risk Assessment and Treatment Methodology
Statement of Applicability Clause 6.1.3 d) Statement of Applicability
Risk treatment plan Clauses 6.1.3 e, 6.2, and 8.3 Risk Treatment Plan
Information security objectives Clause 6.2 List of Security Objectives
Risk assessment and treatment report Clauses 8.2 and 8.3 Risk Assessment & Treatment Report
Inventory of assets Control A.5.9* Inventory of Assets, or List of Assets in the Risk Register
Acceptable use of assets Control A.5.10* IT Security Policy
Incident response procedure Control A.5.26* Incident Management Procedure
Statutory, regulatory, and contractual requirements Control A.5.31* List of Legal, Regulatory, and Contractual Requirements
Security operating procedures for IT management Control A.5.37* Security Procedures for IT Department
Definition of security roles and responsibilities Controls A.6.2 and A.6.6* Agreements, NDAs, and specifying responsibilities in each security policy and procedure
Definition of security configurations Control A.8.9* Security Procedures for IT Department
Secure system engineering principles Control A.8.27* Secure Development Policy

*Note: ISO 27001 documents or records required by Annex A controls are mandatory only if there are risks or requirements from interested parties that would demand implementing those controls.


ISO 27001 records that are mandatory

Here are the mandatory records:

What must be recorded ISO 27001 reference Usually recorded through
Trainings, skills, experience, and qualifications Clause 7.2 Training certificates and CVs
Monitoring and measurement results Clause 9.1 Measurement Report
Internal audit program Clause 9.2 Internal Audit Program
Results of internal audits Clause 9.2 Internal Audit Report
Results of the management review Clause 9.3 Management Review Minutes
Results of corrective actions Clause 10.2 Corrective Action Form
Logs of user activities, exceptions, and security events Control A.8.15* Automatic logs in information systems

Non-mandatory ISO 27001 documents

There are numerous non-mandatory ISO 27001 documents that can be used for the implementation, especially for the security controls from Annex A, but not all of them are equally useful. I find these non-mandatory documents to be most commonly used:

  • Procedure for Document and Record Control (clause 7.5, control A.5.33)
  • Procedure for Internal Audit (clause 9.2)
  • Procedure for Corrective Action (clause 10.2)
  • Information Classification Policy (controls A.5.10, A.5.12, and A.5.13)
  • Information Transfer Policy (control A.5.14)
  • Access Control Policy (control A.5.15)
  • Password Policy (controls A.5.16, A.5.17, and A.8.5)
  • Supplier Security Policy (controls A.5.19, A.5.21, A.5.22, and A.5.23)
  • Disaster Recovery Plan (controls A.5.29, A.5.30, and A.8.14)
  • Mobile Device, Teleworking, and Work from Home Policy (controls A.6.7, A.7.8, A.7.9, and A.8.1)
  • Procedures for Working in Secure Areas (controls A.7.4 and A.7.6)
  • Clear Desk and Clear Screen Policy (control A.7.7)
  • Bring Your Own Device (BYOD) Policy (controls A.7.8 and A.8.1)
  • Disposal and Destruction Policy (controls A.7.10, A.7.14, and A.8.10)
  • Backup Policy (control A.8.13)
  • Encryption Policy (control A.8.24)
  • Change Management Policy (control A.8.32)

How does the ISO 27001 2022 revision impact mandatory documents and records?

The new ISO 27001:2022 brings good news when it comes to documentation:

  • This new revision requires fewer mandatory documents when compared to the old ISO 27001:2013 revision.
  • Even though there are 11 new security controls in the 2022 revision, there is no need to write any new documents because of them – it is enough to include new sections about those controls in the documents that you have already written for the 2013 revision of the standard – see the table below.
New security controls in ISO 27001:2022 Existing ISO 27001 documents where these controls can be included
A.5.7 Threat intelligence Incident Management Procedure
A.5.23 Information security for use of cloud services Supplier Security Policy
A.5.30 ICT readiness for business continuity Disaster Recovery Plan
A.7.4 Physical security monitoring Procedures for Working in Secure Areas
A.8.9 Configuration management Security Procedures for IT Department
A.8.10 Information deletion Disposal and Destruction Policy
A.8.11 Data masking Secure Development Policy
A.8.12 Data leakage prevention Security Procedures for IT Department
A.8.16 Monitoring activities Security Procedures for IT Department
A.8.23 Web filtering Security Procedures for IT Department
A.8.28 Secure coding Secure Development Policy

To get the templates for all mandatory documents and the most common non-mandatory documents, along with a wizard that helps you fill out those templates, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Advisera Dejan Kosutic
Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
Connect with Dejan: