Mandatory ISO 27001:2022 Documentation
If you’ve ever wondered which documents are mandatory in the 2022 revision of ISO/IEC 27001, here’s the list. Below are the documents and records that ISO 27001:2022 requires for implementation, followed by the most commonly used non-mandatory documents.
Key Mandatory Documents and Records
The core mandatory ISO 27001 documents and records:
ISMS Scope Document
Information Security Policy
Risk Assessment Report
Statement of Applicability
Internal Audit Report
Detailed Mandatory Documentation:
What Must Be Documented | ISO 27001 Reference | Usually Documented Through |
---|---|---|
Scope of the ISMS | Clause 4.3 | ISMS Scope Document |
Information Security Policy | Clause 5.2 | Information Security Policy |
Risk Assessment and Risk Treatment Process | Clauses 6.1.2 and 6.1.3 | Risk Assessment and Treatment Methodology |
Statement of Applicability | Clause 6.1.3 d) | Statement of Applicability |
Risk Treatment Plan | Clauses 6.1.3 e, 6.2, and 8.3 | Risk Treatment Plan |
Information Security Objectives | Clause 6.2 | List of Security Objectives |
Risk Assessment and Treatment Report | Clauses 8.2 and 8.3 | Risk Assessment & Treatment Report |
Inventory of Assets | Control A.5.9* | Inventory of Assets, or List of Assets in the Risk Register |
Acceptable Use of Assets | Control A.5.10* | IT Security Policy |
Incident Response Procedure | Control A.5.26* | Incident Management Procedure |
Statutory, Regulatory, and Contractual Requirements | Control A.5.31* | List of Legal, Regulatory, and Contractual Requirements |
Security Operating Procedures for IT Management | Control A.5.37* | Security Procedures for IT Department |
Definition of Security Roles and Responsibilities | Controls A.5.2, A.6.2, and A.6.6* | Agreements, NDAs, and responsibilities specified in each security policy and procedure |
Definition of Security Configurations | Control A.8.9* | Security Procedures for IT Department |
Secure System Engineering Principles | Control A.8.27* | Secure Development Policy |
Note: Annex A controls are not mandatory in themselves. The documentation marked * is required only where the control is selected as necessary in the Statement of Applicability, i.e. where risk treatment (Clause 6.1.3) or requirements of interested parties (Clause 4.2) call for it. A control you exclude must still be listed in the Statement of Applicability with a justification for its exclusion.
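As an added example (not from the original page or from any ISO 27001 toolkit), the script below cross-checks a Statement of Applicability against a risk treatment plan: every Annex A control must appear in the SoA with a justification for inclusion or exclusion, and any control a risk treatment relies on must be marked applicable. The Annex A subset, SoA entries and risks are constructed sample data, and the Python helpers are assumptions for illustration, not an API defined by the standard.

```python
"""
Consistency check between a Statement of Applicability (Clause 6.1.3 d)
and a risk treatment plan (Clause 6.1.3 e).

Added example, not part of the original page or of any ISO 27001 toolkit.
ANNEX_A is a constructed subset of the 93 Annex A controls, and SAMPLE_SOA /
SAMPLE_RISKS are constructed data with deliberate inconsistencies.
"""
from dataclasses import dataclass, field

# Constructed subset of Annex A identifiers; a real check would load all 93.
ANNEX_A = {
    "A.5.9": "Inventory of information and other associated assets",
    "A.5.10": "Acceptable use of information and other associated assets",
    "A.5.26": "Response to information security incidents",
    "A.8.9": "Configuration management",
    "A.8.15": "Logging",
    "A.8.24": "Use of cryptography",
}


@dataclass
class SoAEntry:
    control: str
    applicable: bool
    justification: str = ""   # 6.1.3 d) wants one for inclusion and exclusion
    implemented: bool = False


@dataclass
class Risk:
    rid: str
    description: str
    treatment_controls: list = field(default_factory=list)


def check_soa(soa, risks, annex_a=ANNEX_A):
    """Return (severity, message) findings; an empty list means consistent."""
    findings = []
    by_id = {e.control: e for e in soa}

    # 1. Every Annex A control must appear in the SoA, applicable or excluded.
    for cid in annex_a:
        if cid not in by_id:
            findings.append(("error", f"{cid} missing from SoA"))

    # 2. Every SoA entry needs a justification, whether included or excluded.
    for e in soa:
        if e.control not in annex_a:
            findings.append(("warning", f"{e.control} is not an Annex A identifier"))
        if not e.justification.strip():
            findings.append(("error", f"{e.control}: no justification recorded"))

    # 3. A control used to treat a risk must be applicable in the SoA; if it is
    #    applicable but unimplemented, the risk treatment plan still has a gap.
    for r in risks:
        for cid in r.treatment_controls:
            entry = by_id.get(cid)
            if entry is None:
                findings.append(("error", f"{r.rid} treats with {cid}, which is not in the SoA"))
            elif not entry.applicable:
                findings.append(("error", f"{r.rid} treats with {cid}, but SoA excludes it"))
            elif not entry.implemented:
                findings.append(("warning", f"{r.rid}: {cid} is applicable but not yet implemented"))
    return findings


# Constructed sample data. A.8.24 is absent from the SoA, A.8.9 is excluded
# without justification, and A.5.26 is selected but not yet implemented.
SAMPLE_SOA = [
    SoAEntry("A.5.9", True, "Needed to scope risk assessment (R-01)", True),
    SoAEntry("A.5.10", True, "Required by customer contract clause 7", True),
    SoAEntry("A.5.26", True, "Treats R-02", False),
    SoAEntry("A.8.9", False),
    SoAEntry("A.8.15", True, "Treats R-01; retained 12 months", True),
]

SAMPLE_RISKS = [
    Risk("R-01", "Unauthorised access to customer database", ["A.8.15", "A.8.24"]),
    Risk("R-02", "Security incident goes unhandled", ["A.5.26"]),
    Risk("R-03", "Servers drift from hardened baseline", ["A.8.9"]),
]


def sample_findings():
    return check_soa(SAMPLE_SOA, SAMPLE_RISKS)


if __name__ == "__main__":
    for severity, msg in sample_findings():
        print(f"[{severity}] {msg}")
```

Run against the constructed data it reports four errors and one warning; the same three checks are what an auditor walks through by hand when reconciling the SoA, the risk register and the risk treatment plan, so running them before the audit removes the most common findings.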
Mandatory ISO 27001 Records:
What Must Be Recorded | ISO 27001 Reference | Usually Recorded Through |
---|---|---|
Trainings, Skills, Experience, and Qualifications | Clause 7.2 | Training Certificates and CVs |
Monitoring and Measurement Results | Clause 9.1 | Measurement Report |
Internal Audit Program | Clause 9.2 | Internal Audit Program |
Results of Internal Audits | Clause 9.2 | Internal Audit Report |
Results of Management Review | Clause 9.3 | Management Review Minutes |
Results of Corrective Actions | Clause 10.2 | Corrective Action Form |
Logs of User Activities, Exceptions, and Security Events | Control A.8.15* | Automatic Logs in Information Systems |
Non-Mandatory ISO 27001 Documents
There are numerous non-mandatory ISO 27001 documents for implementation, especially for security controls from Annex A. Here are some commonly used non-mandatory documents:
Procedure for Document and Record Control (Clause 7.5, Control A.5.33)
Procedure for Internal Audit (Clause 9.2)
Procedure for Corrective Action (Clause 10.2)
Information Classification Policy (Controls A.5.10, A.5.12, and A.5.13)
Information Transfer Policy (Control A.5.14)
Access Control Policy (Control A.5.15)
Password Policy (Controls A.5.16, A.5.17, and A.8.5)
Supplier Security Policy (Controls A.5.19, A.5.21, A.5.22, and A.5.23)
Disaster Recovery Plan (Controls A.5.29, A.5.30, and A.8.14)
Mobile Device, Teleworking, and Work from Home Policy (Controls A.6.7, A.7.8, A.7.9, and A.8.1)
Procedures for Working in Secure Areas (Controls A.7.4 and A.7.6)
Clear Desk and Clear Screen Policy (Control A.7.7)
Bring Your Own Device (BYOD) Policy (Controls A.7.8 and A.8.1)
Disposal and Destruction Policy (Controls A.7.10, A.7.14, and A.8.10)
Backup Policy (Control A.8.13)
Encryption Policy (Control A.8.24)
Change Management Policy (Control A.8.32)
Impact of ISO 27001:2022 Revision on Documentation
The ISO 27001:2022 revision brings good news for documentation:
It requires fewer mandatory documents than the 2013 revision.
Although Annex A adds 11 new controls, none of them requires a new document. Add sections covering them to the documents you already maintain from the 2013 revision, as shown in the table below.
New Security Controls in ISO 27001:2022 | Existing ISO 27001 Documents Where These Controls Can Be Included |
---|---|
A.5.7 Threat Intelligence | Incident Management Procedure |
A.5.23 Information Security for Use of Cloud Services | Supplier Security Policy |
A.5.30 ICT Readiness for Business Continuity | Disaster Recovery Plan |
A.7.4 Physical Security Monitoring | Procedures for Working in Secure Areas |
A.8.9 Configuration Management | Security Procedures for IT Department |
A.8.10 Information Deletion | Disposal and Destruction Policy |
A.8.11 Data Masking | Secure Development Policy |
A.8.12 Data Leakage Prevention | Security Procedures for IT Department |
A.8.16 Monitoring Activities | Security Procedures for IT Department |
A.8.23 Web Filtering | Security Procedures for IT Department |
A.8.28 Secure Coding | Secure Development Policy |
Ensuring Compliance
To ensure you have all mandatory documents for ISO 27001:2022, you have two options:
ISO 27001:2022 Documentation Toolkit: Contains all mandatory documents and records, along with commonly used non-mandatory documentation.
ISO 27001 Software: Select software with all required documents and wizards to help you complete them quickly.
Choosing the right tool can speed up implementation and help you avoid unpleasant surprises at the certification audit.