The ISO 27001 Documentations: A Beginner’s Guide

ISO 27001 documentation

To get certified, you need to prepare ISO 27001 documentation needed for the application, auditing, and the rest of the process. Although not all documentation is actually mandatory but it is always better to be prepared.

Why ISO 27001 Documentation Is Needed?

The ISO 27001 itself is a standard that can be used to make sure that the company’s ISMS is done under the best and latest practice. The ISO 27001 documentation is used to show the ISMS method that is done in the company and that the company actually do it.

That is why, you need to have the documentation especially if you want to pass the auditing then you need to be prepared. To make the documentation, it is best that the company do your own internal audit.

The internal audit can help documenting every ISMS in your company. Furthermore, it can also help to verify that the ISMS actually function as intended. Usually it will take around 3 months to prepare all of the documentation needed if you already have a team that knows what they are doing.

Check List of Mandatory Documentation Needed

Actually, there is no official list for the mandatory documentation that you need to apply for ISO 27001. However, we will give you this checklist of ISO 27001 documentation that you should have as they are most likely needed.

1. SoA documentation

This documentation is used to link the risk treatment and risk assessment. It is the document that will be used by the auditor to audit your company. So, you really need to prepare this documentation if you want to pass the audit.

Do not forget that the SoA documentation also need to be update continuously. You also need to make control document which provide the overview on the implementation of information security used by your company.

2. ISMS scope documentation for Clause 4.3

This documentation is used to show the area of business that are covered using the company’s ISMS. That is why, it is a key document that is needed if you want to successfully be certified.

The documentation also usually presented to the stakeholders so you need to clarify it further. Try to also provide some type of strategy or/and statement for the company’s vision with the ISMS scope.

3. Documentation of methodology used on risk treatment and risk assessment

This ISO 27001 documentation is used to show the method used by the company to priorities, evaluate, analyze and identify the information risk. That is why you need to decide which method that is more suitable for your company and then create the list, matrix, report and any other documentation that can be use to show the way the company control the risk.

4. Documentation of the objectives and policy used on the information security

The company’s management should create a policy on the information security that is suitable for the company’s specific industry. This policy documentation will show that the top management actually committed with fulfilling ISMS objective and will continue to improve it.

5. Documentation of the plan used for risk treatment for clause 6.1.3

In the clause you will see that you need to have a plan for risk treatment. So, you need to create the procedure and process that can be used to treat information risk. Then you also need to show that the process actually operates and work effectively.

6. Documentation that report the risk assessment

After risk is identified then you need to know which part that require further assessment. You should also decide things that can trigger the risk assessment. Usually risk assessment for information security will be done at least once a year.

7. Documentation that define the responsibility for security roles

You need to have ISO 27001 documentation that can show the responsibility for security roles. It can be done in various ways and there are a few toolkits that you can find to document it.

8. Documentation of procedure for incident management

Incident here is defined as event that are unwanted and can endanger the availability, integrity and confidentiality of information. There are various incidents that can occur such as system breach, phishing and many other.

The procedure used to deal with the incident should also include collecting evidence, forensic analysis, incident communication process, as well as incident documentation.

9. Documentation on the business continuity plan and procedure

Even if the company is affected by serious incident but the business should still run. You need to make sure that the company should at least be able to maintain their essential function.

Thus, you need to document the crisis management as well as business continuity which includes all of the plan, policies, report, strategies, and procedures.

10. Assets and inventory documentation

You need to document all of the assets and inventory in your company that is related to the IT system along with the owners and manager that responsible for them.

11. Documentation of acceptable use for the assets

It is important for your company to have training and guideline on the method to use the company’s assets listed previously. The documentation should also list the people that are authorized to use them.

The documentation should also be access by everyone in your company including the temporary and contractors.

12. Documentation on operating procedure to be use by IT management

You need to create documentation that define the operating procedure which can be easily understand and read. It should also be maintained and review regularly with the latest update.

13. Documentation on access management and access control policy

You need to create ISO 27001 documentation that combine the access management and access control policy with guide that can teach safe way to use VPN, firewall and password. The guide should be revised and reviewed regularly to keep it up-to-date.

14. Documentation on secure principles for the system engineering

You need to document the implementation of Control 8.27 that can teach you about the preventative control which can help you to eliminate threats on the company’s information assists.

15. Documentation on the security policy of the supplier

Controlling security inside the company is something that can be done. However, you also need to make sure that the supplier you use also have their own security policy. Thus, you also need to ask them about their security policy and document it as necessary in relation to your own company’s security policy.

16. Documentation on the contract, regulation and statute requirements

On Annex A.18.1 you will see a lot of things regarding the regulation and legislation impact on the company. That is why, you need to provide documentation that show how the company address various contractual, regulatory, and legal obligation.

Mandatory Records to Get the Certification

Besides the ISO 27001 documentation, you also need to provide a few records that show how well your company manage ISMS and perform best practice needed to maintain it. The records needed includes:

  • Record of the employee’s experience, skill, training as well as other qualification

This record is needed to show that the the team that manage the company’s ISMS is actually have the right qualification to do their job. The qualification should include various point-of-view such as legal, IT, HR, commercial and many other.

  • Measurement and monitoring result record

There are various things that you need to monitor and then measure according to your company’s industry but especially on the availability of the sensitive data that is protected by the system.

  • Record of the program done during internal audit

The internal audit needs to be done at least once a year so the record should also be update accordingly to make sure that your company meet the standard for the certification and maintain the requirement to keep the certification.

  • Record of the result on the internal audit

There are a few things that the internal audit should provide in the record such as documentation reviews, evidence sampling, staff and contractors interviews, as well as assessments findings. This will show the result of the internal audit.

  • Record of the management review result

The review is done to show the evidence and information to the top management and that the ISMS is still effective and functional. So, you need to provide the record of the review result.

  • Record of the corrective action done

This record shows the corrective action done for the identified security risk. However, the record should also include the discovery method all the way to the correction method.

  • Record of the logs that show security events, exceptions and user activities

Sometimes sensitive information might be included in the logs, so when making the record you should also implement privacy measures to protect personal information.


You need to make sure that you have all of those documentation along with all of the records needed for your company to get the certification. The preparation might take a lot of time as the process is very complicated but it will be worth it.

To make sure that the audit can be done smoothly then you need to prepare all of the mandatory ISO 27001 documentation as well as the record in advance. Once your company get the certification then there are many benefits that you can get for the business.

Description: Discover the role of documentation in an ISO 27001 compliant information security management system (ISMS). Learn about the types of documentation required and best practices for creating and maintaining them.

Tags: ISO 27001 documentation, ISO 27001 documentation list, mandatory ISO 27001 documentation, ISO 27001 documentation record, important ISO 27001 documentation

Leave a Reply