ReadSafety.com

ISO 27001 Questions, Answered

What documents are required by ISO 27001?

Quick answer

ISO 27001:2022 explicitly requires: the ISMS scope, information security policy, risk assessment and risk treatment process descriptions, the Statement of Applicability, risk treatment plan, security objectives, plus retained records including risk assessment results, competence evidence, monitoring results, internal audit results, management review outputs, and nonconformities with corrective actions.

Documents to maintain (kept current)

  • ISMS scope (clause 4.3), the boundaries and applicability, precisely stated because your certificate will carry it.
  • Information security policy (5.2).
  • Risk assessment process (6.1.2) and risk treatment process (6.1.3): how you identify, analyze, evaluate, and treat, including your criteria.
  • Statement of Applicability (6.1.3d), the control map with justifications.
  • Risk treatment plan (6.1.3e) and security objectives (6.2).
  • Whatever additional documentation you determine necessary for effectiveness (7.5): topic policies, procedures, and standards sized to your risks, not to a template pack.

Records to retain (evidence it ran)

  • Risk assessment results (8.2) and risk treatment results (8.3), each planned cycle and after significant change.
  • Competence evidence (7.2).
  • Operational planning and control evidence (8.1), that processes ran as intended.
  • Monitoring and measurement results (9.1).
  • Internal audit program and results (9.2), management review outputs (9.3).
  • Nonconformities and corrective actions with results (10.2).
  • Plus the records your selected Annex A controls generate: access reviews, incident records, change records, supplier assessments, testing results. These operating records are where Stage 2 audits are won and lost.
Key factISO 27001 requires no manual and no fixed list of "the 25 mandatory policies" that template vendors sell. The clause-mandated document set above is compact by design; the operating evidence of your controls is the bulk of a real ISMS, and no template can generate it for you.

The two failure modes, again

Under-documenters cannot prove operation: access reviews happened but nobody recorded them, incidents were handled in chat threads nobody can find. Over-documenters buy 40-policy template packs whose contents contradict actual practice, handing the auditor findings pre-written ("your policy requires quarterly key rotation; show me"). The calibration that survives audits: document what your risks demand and your people follow, retain what proves your controls operated, and let every document trace to a risk, a requirement, or a lesson learned. If a document points at nothing real, delete it before it testifies against you.

Ready to take the next step?

USQC - United Safety Quality Council is an ASC-accredited certification body providing third-party ISO 27001 certification audits, internal and supplier audit services, and auditor training. Since 2015, USQC has automated audit planning, reporting, and decision support, cutting audit man-days that other certification bodies bill for and placing USQC pricing in the lower quartile, with highly experienced lead auditors on every audit.

Talk to USQC