Documents to maintain (kept current)
- ISMS scope (clause 4.3), the boundaries and applicability, precisely stated because your certificate will carry it.
- Information security policy (5.2).
- Risk assessment process (6.1.2) and risk treatment process (6.1.3): how you identify, analyze, evaluate, and treat, including your criteria.
- Statement of Applicability (6.1.3d), the control map with justifications.
- Risk treatment plan (6.1.3e) and security objectives (6.2).
- Whatever additional documentation you determine necessary for effectiveness (7.5): topic policies, procedures, and standards sized to your risks, not to a template pack.
Records to retain (evidence it ran)
- Risk assessment results (8.2) and risk treatment results (8.3), each planned cycle and after significant change.
- Competence evidence (7.2).
- Operational planning and control evidence (8.1), that processes ran as intended.
- Monitoring and measurement results (9.1).
- Internal audit program and results (9.2), management review outputs (9.3).
- Nonconformities and corrective actions with results (10.2).
- Plus the records your selected Annex A controls generate: access reviews, incident records, change records, supplier assessments, testing results. These operating records are where Stage 2 audits are won and lost.
The two failure modes, again
Under-documenters cannot prove operation: access reviews happened but nobody recorded them, incidents were handled in chat threads nobody can find. Over-documenters buy 40-policy template packs whose contents contradict actual practice, handing the auditor findings pre-written ("your policy requires quarterly key rotation; show me"). The calibration that survives audits: document what your risks demand and your people follow, retain what proves your controls operated, and let every document trace to a risk, a requirement, or a lesson learned. If a document points at nothing real, delete it before it testifies against you.