One of the most common questions from organisations starting ISO 27001 is: "What documents do we actually need to create?" The standard does not prescribe a fixed document structure — it specifies outcomes and evidence requirements, leaving the format to you. But it is explicit about which documents must exist. Miss one and an auditor will raise a major non-conformity.
This list covers every document explicitly required by ISO 27001:2022, separated into policies and procedures (documents that say what you will do) and records (evidence that you did it). Both are mandatory. The distinction matters because auditors look for them separately.
ISO 27001:2022 Documentation at a Glance (Clauses 4–10 + Annex A)
- 12+ mandatory policies & procedures: documents that describe your ISMS
- 15+ mandatory records: evidence that you operate the ISMS
- 25+ recommended additional docs: strongly expected by auditors
Mandatory Policies and Procedures
These are documents that describe how your organisation operates its ISMS. They must be documented, approved, controlled, and available to relevant staff. Auditors will ask to see them and interview staff about whether the content is followed.
| Document | Clause | What it must cover |
|---|---|---|
| Information Security Policy | 5.2 | Objectives, management commitment, scope of ISMS |
| ISMS Scope Statement | 4.3 | What is included, what is excluded and why |
| Risk Assessment Methodology | 6.1.2 | How risks are identified, scored, and owned |
| Risk Treatment Plan | 6.1.3 | Which controls are applied and why |
| Statement of Applicability (SoA) | 6.1.3d | All 93 controls: applicable, excluded, justification |
| Information Security Objectives | 6.2 | Measurable goals with owners and timelines |
| Supplier Security Policy | A.5.19 | Requirements for third-party access and processing |
| Access Control Policy | A.5.15 | How access to systems is granted, reviewed, revoked |
| Asset Management Policy | A.5.9 | How assets are inventoried and classified |
| Incident Management Procedure | A.5.24 | How incidents are identified, logged, and resolved |
| Business Continuity Policy | A.5.29 | BCP/DRP requirements and recovery objectives |
| Internal Audit Procedure | 9.2 | Audit scope, frequency, method, and reporting |
Mandatory Records
Records are evidence that you have actually done what your policies say. They are typically logs, completed forms, meeting minutes, and outputs from processes. Auditors scrutinise records more heavily than policies — because anyone can write a policy, but records prove the policy is being followed.
| Record | Clause | What to capture |
|---|---|---|
| Risk Register | 6.1.2 | All identified risks with scores and owners |
| Risk Treatment Plan (completed) | 6.1.3 | Control decisions, implementation status |
| Information Asset Register | A.5.9 | All assets: type, owner, classification, location |
| Internal Audit Report | 9.2 | Audit findings, conformities, and non-conformities |
| Management Review Minutes | 9.3 | Agenda, attendees, decisions, action items |
| Security Awareness Training Records | A.6.3 | Who completed training, when, sign-off |
| Incident Log | A.5.24 | All incidents: date, type, response, closure |
| Corrective Action Log | 10.1 | Non-conformities, root cause, actions, verification |
| Supplier Agreements / Assessments | A.5.19 | Contracts, DPAs, security questionnaires |
| Competence Records | 7.2 | Staff qualifications, training, certifications |
| Access Review Records | A.5.18 | Periodic reviews of user access rights |
| Vulnerability Management Log | A.8.8 | Scans, findings, patch status, risk decisions |
| Backup Test Records | A.8.13 | Restoration tests with dates and results |
| BCP/DR Test Records | A.5.30 | Exercises, outcomes, lessons learned |
| Legal Register | 4.2 / A.5.31 | Applicable legislation and compliance status |
Documents vs Records: Why the Distinction Matters
Documents (say what you do):
- Written and approved before audit
- Version-controlled (v1.2, last reviewed date)
- Communicated to relevant staff
- Updated when processes change
- Retained for their defined lifetime
Records (prove you did it):
- Generated during normal operations
- Timestamped and attributable to individuals
- Cannot be backdated — auditors check metadata
- Retained per your retention schedule
- Most commonly requested in Stage 2
Recommended Additional Documents
The standard does not explicitly mandate these, but Annex A controls strongly imply them — and auditors will expect to see evidence that each control is implemented. In practice these are required:
- Acceptable Use Policy (A.5.10)
- Clear Desk and Screen Policy (A.7.7)
- Password / Authentication Policy (A.5.17)
- Remote Working Policy (A.6.7)
- Cryptography and Key Management Policy (A.8.24)
- Change Management Procedure (A.8.32)
- Secure Development Policy (A.8.25 — if applicable)
- Data Classification Policy (A.5.12)
- Physical Security Policy (A.7.1)
- Network Security Policy (A.8.20)
- Disciplinary Procedure (A.6.4)
- Data Retention and Disposal Procedure (A.8.10)
The Most Common Document Failures
Based on what certification bodies report as the leading causes of Stage 1 failures, these are the most common major non-conformities raised at Stage 1:
- Missing SoA: the single most common Stage 1 failure. All 93 controls must be listed with explicit inclusion/exclusion decisions and written justifications.
- Risk register not linked to SoA: the risk treatment decisions in your risk register must trace to specific Annex A controls in the SoA. Auditors check this link explicitly.
- No management review record: the standard requires documented evidence of management review at planned intervals. A verbal briefing with no minutes does not satisfy this.
- Objectives without measurement: security objectives (Clause 6.2) must be measurable and show progress. "Improve security" is not an objective.
- No internal audit before Stage 2: you must complete at least one internal audit cycle before Stage 2. Auditors verify this in the audit report and management review minutes.
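The first two failures above (an incomplete SoA, and a risk register whose treatments do not trace to applicable controls) can be checked mechanically before the auditor arrives. The following is an added example, not part of the original article or of any GRC product; the column names (`control`, `applicable`, `justification`, `id`, `treatment`, `controls`) and the semicolon-separated control list are assumptions about how your spreadsheets are exported.

```python
"""Consistency checks between a Statement of Applicability (SoA) and a risk register (rows are dicts, e.g. from csv.DictReader)."""

# The 93 Annex A controls of ISO 27001:2022: A.5.1-A.5.37, A.6.1-A.6.8, A.7.1-A.7.14, A.8.1-A.8.34.
ANNEX_A_CONTROLS = tuple(f"A.{theme}.{n}" for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
                         for n in range(1, count + 1))

def check_soa(soa_rows):
    """Every Annex A control must be listed with an explicit decision and a written justification."""
    by_control = {row["control"]: row for row in soa_rows}
    findings = [f"SoA: {c} is not listed" for c in ANNEX_A_CONTROLS if c not in by_control]
    for c, row in by_control.items():
        if row["applicable"] not in ("yes", "no"):
            findings.append(f"SoA: {c} has no explicit inclusion/exclusion decision")
        if not row["justification"].strip():
            findings.append(f"SoA: {c} has no written justification")
    return findings

def check_risk_links(risk_rows, soa_rows):
    """A 'modify' treatment must cite at least one control, and every cited control must be applicable in the SoA."""
    applicable = {row["control"] for row in soa_rows if row["applicable"] == "yes"}
    findings = []
    for risk in risk_rows:
        controls = [c.strip() for c in risk["controls"].split(";") if c.strip()]
        if risk["treatment"] == "modify" and not controls:
            findings.append(f"{risk['id']}: treatment 'modify' but no control referenced")
        for c in controls:
            if c not in ANNEX_A_CONTROLS:
                findings.append(f"{risk['id']}: {c} is not an Annex A control")
            elif c not in applicable:
                findings.append(f"{risk['id']}: {c} is excluded in the SoA")
    return findings

# Constructed sample data (assumed layout): a SoA that omits A.8.28 and excludes A.7.7, and a
# register in which R-03 relies on the excluded control and R-04 claims 'modify' with no control.
SAMPLE_SOA = [
    {"control": c, "applicable": "no" if c == "A.7.7" else "yes",
     "justification": "No physical offices" if c == "A.7.7" else "Treats a registered risk"}
    for c in ANNEX_A_CONTROLS if c != "A.8.28"
]
SAMPLE_RISKS = [
    {"id": "R-01", "treatment": "modify", "controls": "A.5.15; A.5.18"},
    {"id": "R-03", "treatment": "modify", "controls": "A.7.7"},
    {"id": "R-04", "treatment": "modify", "controls": ""},
]

if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA) + check_risk_links(SAMPLE_RISKS, SAMPLE_SOA):
        print(finding)
```

Run it against the real exports on each review cycle; an empty result for both checks is the state the Stage 1 auditor expects to find.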
How to Organise Your Documents
ISO 27001 does not prescribe a document management system. You can use Notion, SharePoint, Confluence, Google Drive, or a dedicated GRC platform. What matters is that your documents meet the requirements of Clause 7.5:
- Available and suitable for use where needed
- Adequately protected (confidentiality, integrity)
- Controlled for distribution and access
- Stored and preserved (including legibility)
- Retrieved, used, and preserved in a controlled way
- Retained for specified periods and then disposed of
In practice this means: each document should have a version number, owner, review date, and approval record. Records should be timestamped and access-controlled. A simple spreadsheet index mapping document titles to file locations and review dates is sufficient for smaller organisations.