The 10 Mandatory Documents for ISO 27001 Certification


March 2, 2026
4 min read

The Mandatory Documents for ISO 27001 Certification

One of the biggest fears business leaders have about ISO 27001 is the "mountain of paperwork." While it’s true that you need a solid documentation foundation, you don't need to write a 500-page manual.

ISO 27001 is about "Documented Information." This means you need policies (what you intend to do) and records (proof that you did it). Here is the lean list of what is actually required for certification.

The Core ISMS Documents

These are the "Big Four" that define your system. Without these, you cannot be certified:

1. The Scope of the ISMS

A clear definition of what parts of your business are covered. Is it the whole company? Just the SaaS platform? Just the London office?

2. Information Security Policy

A high-level document, approved by the CEO, that outlines the company’s commitment to security.

3. Risk Assessment Methodology and Report

The "How" and "What" of your risk management. You must prove you have a systematic way of identifying threats.

4. Statement of Applicability (SoA)

The master list of which Annex A controls you have chosen to implement and why.

The Pillars of Your ISMS

While the standard requires dozens of records, these 10 documents form the backbone of your implementation.

[Figure: ISO 27001 Essential Documentation Schematic]

Mandatory Policies and Procedures

Beyond the core system, you need specific policies for day-to-day operations.

  • Access Control Policy: Who gets access to what, and how is it revoked?
  • Classification of Information: How do you label data (Public, Internal, Confidential)?
  • Supplier Security Policy: How do you ensure your vendors aren't a weak link?
  • Incident Management Procedure: What happens when something goes wrong?
  • Business Continuity Plan: How does the company survive a disaster?

The "Evidence" (Records)

Policies are just promises. Auditors look for Records to prove the promises were kept. Required records include:

  • Asset Inventory: A list of your hardware, software, and data.
  • Training Records: Proof that staff attended security awareness sessions.
  • Internal Audit Report: The results of your own "self-check" audit.
  • Management Review Minutes: Proof that the leadership team discusses security at least once a year.
  • Corrective Action Logs: A record of mistakes found and how they were fixed.

Pro-Tip: Quality Over Quantity

Many companies fall into the trap of using "standard templates" that are 30 pages long. Don't do this. If a policy is too long, nobody will read it, and you won't follow it.

  • Keep policies to 2-3 pages.
  • Use simple language.
  • Use tools like Confluence, Notion, or a dedicated GRC tool to keep documents live and accessible.

FAQ: Frequently Asked Questions

Does every policy need to be a PDF?

No. Documented information can be a Wiki page, a GitHub README, or even a video. As long as it is controlled (i.e., you know who edited it and which version is current), it counts.

Can we combine multiple policies into one?

Yes! In fact, most auditors prefer a single "Employee Security Handbook" over 15 separate small PDF files.

What if a document is missing during the audit?

If it's a mandatory document, it will be a "Major Non-conformity." However, if you have the process in place but just forgot to write it down, the auditor might give you a few days to fix it.

Conclusion: Document to Guide, Not to Burden

Documentation should be a roadmap for your employees, not a weight on their shoulders. By focusing on the mandatory requirements first, you can build a lean, effective system that secures your business and passes the audit with flying colors.

Confused about what to write? We provide audited, battle-tested templates that you can customize in hours, not weeks.
