List of mandatory documents required by ISO 27001 (2013 revision)

By Dejan Kosutic on September 30, 2013

With the new revision of ISO/IEC 27001 published only a couple of days ago, many people are wondering what documents are mandatory in this new 2013 revision. Are there more or fewer documents required?

So here is the list – below you will see not only mandatory documents, but also the most commonly used documents for ISO 27001 implementation.

Mandatory documents and records required by ISO 27001:2013

Here are the documents you need to produce if you want to be compliant with ISO 27001 (note that documents from Annex A are mandatory only if there are risks that would require their implementation):

  • Scope of the ISMS (clause 4.3)
  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Risk assessment and risk treatment methodology (clause 6.1.2)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Risk assessment report (clause 8.2)
  • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
  • Inventory of assets (clause A.8.1.1)
  • Acceptable use of assets (clause A.8.1.3)
  • Access control policy (clause A.9.1.1)
  • Operating procedures for IT management (clause A.12.1.1)
  • Secure system engineering principles (clause A.14.2.5)
  • Supplier security policy (clause A.15.1.1)
  • Incident management procedure (clause A.16.1.5)
  • Business continuity procedures (clause A.17.1.2)
  • Statutory, regulatory, and contractual requirements (clause A.18.1.1)

And here are the mandatory records:

  • Records of training, skills, experience and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)
  • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

Non-mandatory documents

There are numerous non-mandatory documents that can be used for ISO 27001 implementation, especially for the security controls from Annex A. In my experience, these are the most commonly used:

  • Procedure for document control (clause 7.5)
  • Controls for managing records (clause 7.5)
  • Procedure for internal audit (clause 9.2)
  • Procedure for corrective action (clause 10.1)
  • Bring your own device (BYOD) policy (clause A.6.2.1)
  • Mobile device and teleworking policy (clause A.6.2.1)
  • Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
  • Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
  • Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
  • Procedures for working in secure areas (clause A.11.1.5)
  • Clear desk and clear screen policy (clause A.11.2.9)
  • Change management policy (clauses A.12.1.2 and A.14.2.4)
  • Backup policy (clause A.12.3.1)
  • Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
  • Business impact analysis (clause A.17.1.1)
  • Exercising and testing plan (clause A.17.1.3)
  • Maintenance and review plan (clause A.17.1.3)
  • Business continuity strategy (clause A.17.2.1)

So this is it – what do you think? Is this too much to write? Do these documents cover all aspects of information security?

Click here to download a white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision) with more detailed information on the most common ways for structuring and implementing mandatory documents and records.

  • mawi

    For non-mandatory documents, how do you verify implementation of the process?

  • Dejan Kosutic

    Mawi, to verify whether a document (mandatory or non-mandatory) was implemented, you need to check whether real activities exist in the company that comply with these rules – whether people behave as the rules define, whether the records and logs are created, etc.

  • Harshit

    Nice insights, thanks Dejan.

  • Tadas

    Secure system engineering principles: what do you think should be in this principles document?

  • ISO Consultant Ram

    Thanks Dejan

  • Dejan Kosutic

    Tadas, these can include input data validation, debugging, techniques for authentication, secure session controls, etc.

  • Tadas

    So basically A.12.2 from the old standard?

  • Dejan Kosutic

    Yes, it includes A.12.2 from ISO 27001:2005, but it can (and should) go much wider.

  • mock

    This means an organisation is still obliged to establish the non-mandatory documents, provided the activities/processes exist in the company? I thought we could prove the process by showing the records only, without a specific procedure. Thank you.

  • Dejan Kosutic

    No – you don’t have to write a document for each process. If your process is not very critical or not very complex or it doesn’t include too many people, there is no need to write a policy or a procedure.

  • Karan

    Don’t we require the mandatory procedure documents, which were required in the earlier standard ISO 27001:2005?

    1) Internal ISMS Audit Procedure
    2) Corrective and Preventive Action Procedure
    3) Control of Documents and Records Procedure

  • Dejan Kosutic

    Karan, ISO 27001:2013 requires you to set up those processes; however, you don’t need to document them. So in reality, if you are a small company you probably won’t document those, whereas larger companies probably will document them.

  • Karan

    Thanks, Dejan.

  • Peter Piercy

    Hi Dejan,
    Does a new White Paper exist for this standard?

  • Dejan Kosutic

    Peter, here you will find a couple of white papers related to the ISO 27001 2013 revision:

  • thirumaran

    Thanks for sharing about ISO 27001 Mandatory Documents

  • Bob

    Very helpful. Thank You.

  • Rashpal

    What are the key things a business will need to deliver in the first year after accreditation of ISO 27001:2005?

  • Dejan Kosutic

    The key thing is to comply with all the policies and procedures the company has published. Also, the company needs to close all the nonconformities identified during the certification.

  • G

    Hi, here you state that the Procedure for document control is non-mandatory, but in your other post you say it is mandatory… which is it?

  • Dejan Kosutic

    The old 2005 revision of ISO 27001 required the Procedure for document control to be documented, but the 2013 revision does not require this any more – the article you are referring to was written in 2010, before the 2013 revision was published. See also this article:

  • عامر علي

    Dear Dejan,
    Can you please help me with the implementation of ISO 27001 version 2013?

  • Dejan Kosutic

    Sure, here you can find the implementation steps:

    And here you’ll find a set of documents for the implementation:

  • Marcia Maggiore

    Hi, Dejan!

    I was trying to find the free template of the Statement of Applicability, but I couldn’t. I did download the free documents, but it wasn’t there. Surely I’m making a mistake, but is it possible to get your help? Thanks in advance. Regards.

  • Dejan Kosutic

    Marcia, you can find a free preview of Statement of Applicability in our toolkit – you can download it here:

  • Marcia Maggiore

    Thank you, Dejan.