ISO 27001 Compliance Checklist: The Documentation Required


Documenting your information security management system (ISMS) as evidence of compliance with the ISO 27001:2022 standard can be confusing, because it is not clear which documents are mandated and which are discretionary. Consequently, most of us overcompensate and produce far more paperwork than we need, and the resulting redundant and conflicting policies confuse our stakeholders, staff and, of course, the Auditors.

Here’s a reminder of the documents that are specifically required by the standard, where an Auditor would expect to find them, and which ones are optional. Below is a complete ISO 27001 Compliance Checklist to get you started today.

ISO 27001 Compliance Checklist – The Required ISO 27001 Documentation

| ISO 27001 Compliance Checklist | Auditor Will Expect to Find it Here |
| --- | --- |
| The Scope of your ISMS | ISMS Manual Document |
| Leadership, Evidence of Management Commitment | Leadership, Evidence of Management Commitment Document |
| Your Information Security Policies | Information Security Policy Document |
| Your Information Security Objectives | Information Security Objectives Document |
| Your Information Security Risk Assessment Process | Risk Treatment Plan Document |
| A Risk Treatment Plan | Risk Treatment Plan Document |
| A Statement of Applicability | Statement of Applicability Document |
| Security Monitoring and Measuring Results | Information Security Objectives Document |
| Definitions of Security Roles and Responsibilities | ISMS Manual Document |
| Records of Training, Skills and Qualification | Company HR Records |
| Your Operating Procedures | Individual Document of Each Procedure |
| Your Internal Audit Programme | Internal Audit Schedule Document and Internal Audit Report Documents |
| Your Evidence Audit Programmes and the Audit Results | Agenda and Minutes of Management Review Meetings |
| Your Evidence and Results of Management Reviews | Agenda and Minutes of Management Review Meetings |
| Nonconformity and Corrective Action | Security Incident Log |

ISO 27001 Policies Required for Compliance According to ISO 27001 Annex A

Below is a list of some ISO 27001 Policies required to be compliant. It is an essential addition to your documentation.

  • Access Control Policy
  • Acceptable Use of Assets Policy
  • Cryptographic Controls Policy
  • Key Management Policy
  • Clear Desk & Clear Screen Policy
  • Backup Policy
  • Information Transfer Policies (and Procedures)
  • Secure Development Policy
  • Risks of Supplier’s Products or Services
  • See all policies required in the: ISO 27001 Mandatory Documentation Guide

While these policies are mandated by control requirements found in Annex A of the standard, if you decide that they are not relevant to your organisation (for example, Cryptography) then they are not needed, but be prepared to justify this to your Auditor.

Depending on the organisation, the required list of policies above may need supplementing with other policies to provide a comprehensive information security environment. Typical examples are policies governing external visitors or a policy on the length and composition of passwords. These additional policies would be in the ‘good to have’ category. Let’s look at a few more.

What Are Optional “Good to Have” ISO 27001 Documents?

There can be several optional documents depending on the type and size of the organisation, but the following “good to have” documents are relevant to just about everyone:

  • Written Procedure for Document Control
  • Documented procedure for Internal Audit
  • Documented Information Classification Policy
  • Documented Business Continuity Plan

One final point. While the ISO 27001 standard requires specific documentation detailing policies and procedures, it is also a good idea to document specific actions and activities which can serve as evidence of compliance. The minutes of meetings, for example, provide documentary evidence to the auditor that the activities are taking place.

Other typical activities worth documenting include:

  • The Information Security Team’s Assessments of Non-conformities or Reported Incidents
  • The Risk Committee’s Development of the Risk Treatment Plan
  • Internal Audit Scheduling and Reports
  • Management Review of the Information Security Management System

Need a Hand?

It can seem like a gruelling task to define and write your documentation, but it doesn’t have to be. Risk Crew consultants can support you with all your ISO 27001 requirements to help you achieve compliance, including:

Additional ISO 27001 Resources

  • ISO 27001 Documentation Guide & Checklist: Learn what documentation and policies are required to achieve certification to the standard.
  • ISO 27001 Readiness Assessment: Learn what additional steps it would take for your organisation to reach compliance with this online tool.
  • ISO 27001:2022 Transition Guide: Accelerate your implementation and/or transition with guidance on the new standard.

Risk Crew