ISO 27001 Compliance Checklist: The Documentation Required

ISO 27001 Checklist

Documenting your information security management system (ISMS) for evidence of compliance with the ISO 27001:2022 standard can be confusing as it is not clear which documents are mandated and which are discretionary. Consequently, most of us overcompensate and produce far more paperwork than we need causing redundant and conflicting policies to confuse our stakeholders, staff and of course the Auditors.

Here’s a reminder on the documents that are specifically required by the standard — where an Auditor would expect to find them — and which ones are optional. Below is a complete ISO 27001 Compliance Checklist needed for you to get started today.

ISO 27001 Policies and Compliance Checklist – The Required ISO 27001 Documentation

ISO 27001 Compliance ChecklistAuditor Will Expect to Find it Here
The Scope of your ISMSISMS Manual Document
Leadership, Evidence of Management CommitmentLeadership, Evidence of Management Commitment Document
Your Information Security PoliciesInformation Security Policy Document
Your Information Security ObjectivesInformation Security Objectives Document
Your Information Security Risk Assessment ProcessRisk Treatment Plan Document
A Risk Treatment PlanRisk Treatment Plan Document
A Statement of ApplicabilityStatement of Applicability Document
Security Monitoring and Measuring ResultsInformation Security Objectives Document
Definitions of Security Roles and ResponsibilitiesISMS Manual Document
Records of Training, Skills and QualificationCompany HR Records
Your Operating ProceduresIndividual Document of Each Procedure
Your Internal Audit ProgrammeInternal Audit Schedule Document and Internal Audit Report Documents
Your Evidence Audit Programmes and the Audit ResultsAgenda and Minutes of Management Review Meetings
Your Evidence and Results of Management ReviewsAgenda and Minutes of Management Review Meetings
Nonconformity and Corrective ActionSecurity Incident Log

ISO 27001 Policies Required for Compliance According to ISO 27001 Annex A

Below is a list of some ISO 27001 Policies required to be compliant. It is an essential addition to your documentation.

  • Access Control Policy
  • Acceptable Use of Assets Policy
  • Cryptographic Controls Policy
  • Key Management Policy
  • Clear Desk & Clear Screen Policy
  • Backup Policy
  • Information Transfer Policies (and Procedures)
  • Secure Development Policy
  • Risks of Supplier’s Products or Services
  • See all policies required in the: ISO 27001 Mandatory Documentation Guide

While these policies are mandated by control requirements found in Annex A of the standard, if you decide that they are not relevant to your organisation (for example Cryptography) then they are not needed but be prepared to justify this to your Auditor.

Depending on the organisation the required list of policies above may need supplementing by other policies to provide a comprehensive information security environment. Typical examples are policies governing external visitors or a policy on the length and composition of passwords. These additional policies would be in the ‘good to have’ category.  Let’s look at a few more.

What Are the Optional “Good to Have” ISO 27001 Documents?

There can be several optional documents depending on the type and size of the organisation but the following documents that are good to have — are relevant to just about everyone:

  • Written Procedure for Document Control
  • Documented procedure for Internal Audit
  • Documented Information Classification Policy
  • Documented Business Continuity Plan

One final point. While the ISO 27001 standard requires specific documentation detailing policies and procedures, it is also a good idea to document specific actions and activities which can serve as evidence of compliance. The minutes of meetings, for example, provide documentary evidence to the auditor that the activities are taking place.

Other typical activities worth documenting include:

  • The Information Security Team Assessments of Non-conformities or Reported Incidents
  • The Risk Committee Development of the Risk Treatment Plan
  • Internal Audit Scheduling and Reports
  • Management Review of the Information Security Management System

Need a Hand?

It can seem like a gruelling task to define and write your documentation, but it doesn’t have to be this way. Risk Crew consultants can support you with all your ISO 27001 requirements to help you achieve compliance, including:

Additional ISO 27001 Resources

inventory

ISO 27001 Documentation Guide/Checklist

Learn all the documentation & policies required to achieve certification to the standard.

auto_stories

ISO 27001 Certification Case Study

Read how Risk Crew helped a Agri-food organisation achieve and maintain ISO 27001 certification.

Risk Crew