Your policies and procedures are the what and how of your organization’s ISMS. Your documentation is the evidence you’ll use to prove the strength of your security controls to your auditor.

What kind of ISO/IEC 27001 compliance documentation is required for your audit?

List of Information Security Management System (ISMS) documentation

A typical ISO 27001 certification audit will require documentation for:

  • Clause 4.3: Scope of the ISMS
  • Clause 5.2: Information security policy
  • Clause 5.5.1: Any documented information the organization sees as necessary to support the ISMS
  • Clause 6.1.2: Information security risk assessment process/methodology
  • Clause 6.1.3: Information security risk treatment plan and Statement of Applicability (SoA)
  • Clause 6.2: Information security objectives
  • Clause 7.1.2 and 13.2.4: Defined security roles and responsibilities
  • Clause 7.2: Evidence of competence
  • Clause 8.1: Asset inventory, acceptable use of assets, and operational planning
  • Clause 8.2 and 8.3: Results of the information security risk assessment and information security risk treatment
  • Clause 9.1: Access control policy, evidence of ISMS monitoring and tracking metrics
  • Clause 9.2: A documented internal audit process and completed internal audit reports
  • Clause 9.3: Results of management reviews
  • Clause 10.1: Evidence of any non-conformities and corrective actions taken
  • Clause 12.4: User activity, exceptions, and security incident logs

List of Annex A documentation

All of the Annex A clauses are required for ISO 27001 compliance and can involve a substantial amount of documentation. Below are a few examples of documents that are typically created for ISO 27001 certification:

  • Clause 6.2.1: Mobile device, BYOD, and remote work policies
  • Clause 7.5: Document control process and controls for managing records
  • Clause 8.2.1: Information classification policy
  • Clauses 8.3 and 11.2: Data retention and disposal policy
  • Clauses 9.2, 9.3, 9.4: Password policy
  • Clause 11.1.5: Procedures for working in secure areas
  • Clause 11.2: Clear desk and clear screen policies
  • Clauses 12.1 and 14.2: Change management policy
  • Clause 12.3: Data backup policy
  • Clause 13.2: Data transfer policy
  • Clause 14.2.5: Secure software development/engineering principles
  • Clause 15.1.1: Supplier security policy
  • Clause 16.1.5: Incident management procedure
  • Clause 17.1: Business continuity procedures
  • Clause 18.1.1: Statutory, regulatory, and contractual requirements

Preparing documentation for your auditor

Getting your documentation organized will save headaches and help you complete your Stage 1 audit on time. Reviewing documentation allows your auditor to get a better understanding of your systems before beginning a Stage 2 audit.

When gathering documentation for your audit, consider a standard reporting format that includes:

  • The reason the policy or procedure was created
  • The department responsible for approving, implementing, and updating the policy
  • The approval and implementation dates
  • The systems, processes, or applications affected by the policy
  • Tracking of user policy acceptance

A simpler way to create ISO 27001 mandatory documents

One of the most tedious aspects of ISO 27001 compliance is creating policies and collecting required documentation. As you get ready for your certification audit, you’ll likely have hundreds of documents to create, collect, organize with the right controls, and keep up to date.

Secureframe simplifies and streamlines the entire process of preparing for and maintaining your ISO 27001 certification. We’ll help you build a compliant ISMS, monitor your tech stack for vulnerabilities, and help you manage risks. Schedule a demo today to learn more.