Documenting your information security management system (ISMS) for evidence of compliance with the ISO 27001:2022 standard can be confusing as it is not clear which documents are mandated and which are discretionary. Consequently, most of us overcompensate and produce far more paperwork than we need causing redundant and conflicting policies to confuse our stakeholders, staff and of course the Auditors.
Here’s a reminder on the documents that are specifically required by the standard — where an Auditor would expect to find them — and which ones are optional. Below is a complete ISO 27001 Compliance Checklist needed for you to get started today.
ISO 27001 Policies and Compliance Checklist – The Required ISO 27001 Documentation
| ISO 27001 Compliance Checklist | Auditor Will Expect to Find it Here |
|---|---|
| The Scope of your ISMS | ISMS Manual Document |
| Leadership, Evidence of Management Commitment | Leadership, Evidence of Management Commitment Document |
| Your Information Security Policies | Information Security Policy Document |
| Your Information Security Objectives | Information Security Objectives Document |
| Your Information Security Risk Assessment Process | Risk Treatment Plan Document |
| A Risk Treatment Plan | Risk Treatment Plan Document |
| A Statement of Applicability | Statement of Applicability Document |
| Security Monitoring and Measuring Results | Information Security Objectives Document |
| Definitions of Security Roles and Responsibilities | ISMS Manual Document |
| Records of Training, Skills and Qualification | Company HR Records |
| Your Operating Procedures | Individual Document of Each Procedure |
| Your Internal Audit Programme | Internal Audit Schedule Document and Internal Audit Report Documents |
| Your Evidence Audit Programmes and the Audit Results | Agenda and Minutes of Management Review Meetings |
| Your Evidence and Results of Management Reviews | Agenda and Minutes of Management Review Meetings |
| Nonconformity and Corrective Action | Security Incident Log |
ISO 27001 Policies Required for Compliance According to ISO 27001 Annex A
Below is a list of some ISO 27001 Policies required to be compliant. It is an essential addition to your documentation.
- Access Control Policy
- Acceptable Use of Assets Policy
- Cryptographic Controls Policy
- Key Management Policy
- Clear Desk & Clear Screen Policy
- Backup Policy
- Information Transfer Policies (and Procedures)
- Secure Development Policy
- Risks of Supplier’s Products or Services
- See all policies required in the: ISO 27001 Mandatory Documentation Guide
While these policies are mandated by control requirements found in Annex A of the standard, if you decide that they are not relevant to your organisation (for example Cryptography) then they are not needed but be prepared to justify this to your Auditor.
Depending on the organisation the required list of policies above may need supplementing by other policies to provide a comprehensive information security environment. Typical examples are policies governing external visitors or a policy on the length and composition of passwords. These additional policies would be in the ‘good to have’ category. Let’s look at a few more.
What Are the Optional “Good to Have” ISO 27001 Documents?
There can be several optional documents depending on the type and size of the organisation but the following documents that are good to have — are relevant to just about everyone:
- Written Procedure for Document Control
- Documented procedure for Internal Audit
- Documented Information Classification Policy
- Documented Business Continuity Plan
One final point. While the ISO 27001 standard requires specific documentation detailing policies and procedures, it is also a good idea to document specific actions and activities which can serve as evidence of compliance. The minutes of meetings, for example, provide documentary evidence to the auditor that the activities are taking place.
Other typical activities worth documenting include:
- The Information Security Team Assessments of Non-conformities or Reported Incidents
- The Risk Committee Development of the Risk Treatment Plan
- Internal Audit Scheduling and Reports
- Management Review of the Information Security Management System
Need a Hand?
It can seem like a gruelling task to define and write your documentation, but it doesn’t have to be this way. Risk Crew consultants can support you with all your ISO 27001 requirements to help you achieve compliance, including:
- ISO 27001 Gap Analysis
- ISMS Strategy & Documentation
- Information Security Policies and Procedures
- Information Security Awareness Training
- ISO 27001 Pre-Auditing
- ISO 27001 Maintenance Services
- Risk Crew also provides Security Penetration Testing, we can be your partner in helping you gain ISO compliance and help you stay compliant
Additional ISO 27001 Resources
ISO 27001 Documentation Guide/Checklist
Learn all the documentation & policies required to achieve certification to the standard.
ISO 27001 Certification Case Study
Read how Risk Crew helped a Agri-food organisation achieve and maintain ISO 27001 certification.
ISO 27001:2022 Transition Guide
Accelerate your implementation and/or transition with guidance on the new standard.