| clause no | ISO 27001:2022 REQUIRED DOCUMENTATION | DOCUMENT DESCRIPTION |
| 4.3 | ISMS Scope | The ISMS Scope Statement defines the information assets your organization and ISMS is required to protect. ISO 27001 requirements state organizations must take into account the context of your organization, interested parties or stakeholders, and a description of your business location and org chart. |
| 4.1 | Organization and context | Company org chart, including key stakeholders |
| 4.2 | Stakeholders | List of key ISMS stakeholders that’s updated periodically. ISMS stakeholders include personnel that oversee and manage the ISMS, as well as those who depend on it to operate effectively. |
| 4.4 | ISMS Description | System description documentation including details of the ISMS purpose and high level overview of the system architecture. This can include a boundary overview and/or a high level description of the ISMS IT infrastructure and system diagram. Often times these descriptions can be found in ISMS policies, procedures, and guidelines. |
| 5.1 | Leadership | Evidence demonstrating company leadership is committed to maintaining and improving the ISMS. Documentation can include budgets, strategies, meeting minutes, and communications from senior management |
| 5.2 | Information Security Policy | The information security policy explain’s how management approaches information security. It defines how the company protects the confidentiality, integrity, and availability of sensitive data. |
| 5.3 | Information Security Roles and Responsibilities | Org charts and job descriptions including control owners responsible for particular security controls and processes |
| 6.1.1 | Actions to address risks and opportunities | ISMS management meeting minutes, audit reports and recommendations, remediation plans and corrective actions. |
| 6.1.2, 6.1.3 | Information Security Risk Assessment/Treatment Process and Plan | Documented Risk Assessment and Risk Treatment Process, which explains how you identify, evaluate, and prioritize risks. This document should also include how often you reviews and update your risk assessment and treatment plans. Other documentation includes your Risk Treatment Plan, Risk register, and Risk matrix. |
| 6.1.3 | Statement of Applicability | The Statement of Applicability explains which Annex A security controls are — or aren’t — applicable to your organization’s ISMS. It should list the controls your organization has selected to mitigate risk, explain why these controls were chosen for your ISMS, state whether the controls have been fully implemented, and explain why any controls were excluded |
| 6.2 | Information Security Objectives and Plans | Document that outlines your organization’s business objectives and the risks associated with them, along with internal control objectives and metrics. Documentation can include budgets, strategies, meeting minutes, and communications from senior management. |
| 7.1 | ISMS Resources | Any documents concerning resources dedicated to maintaining and improving the ISMS, including audit reviews, incident reports, remediation plans, strategy/planning/budgeting documents, management meeting minutes, etc. |
| 7.2 | Competence | ISO 27001 requires organization to “retain documented information as evidence of competence.” For example, evidence of security awareness training for personnel directly involved with maintaining the ISMS |
| 7.3 | Employee Security Awareness Training | Include any security awareness training materials, including posters, presentations, leaflets, quizzes, training course certificates, attendance records, etc. |
| 7.4 | Communication | Include any communications made about the ISMS, such as a certification announcement. Document any processes or policies made around what needs to be communicated, when, and to whom. |
| 7.5.1 | General documentation | How will you organize, review, and update your ISMS documentation? A spreadsheet like this one can be used as evidence, or a separate document management system. |
| 7.5.2 | Templates for creating and updating documentation | All ISMS documents should have templates that include elements like version control, revision history, management approval, etc. |
| 7.5.3 | Documentation control | Any reports about who has access to ISMS documents and the type of access they have (view/edit), classification type, etc. |
| 8.1 | Operational planning and control procedures | ISO 27001 requires organizations to maintain documentation that information security processes are being followed and carried out as they were intended. This can include budgets demonstrating the appropriate resources are being dedicating to maintaining and improving the ISMS, compliance activities relating to internal audits, incident reports, vulnerability assessments, penetration test reports, etc. |
| 8.2 | Risk assessment results | Periodic risk assessment reports, updated risk registers, meeting minutes where business risks were discussed — any documentation that shows your auditor that your processes yield useful information concerning business risks. |
| 8.3 | Risk treatment results | Risk treatment plan, penetration test reports, vulnerability assessments, internal audit reports, management reviews, control test reports |
| 9.1 | Metrics | Any security metrics reports, dashboards, presentations, emails, etc. that show the efficacy of the ISMS is being measured and those metrics are being acted upon. |
| 9.2 | ISMS Internal Audits | Internal audit reports, nonconformity reports and remediation timelines, audit calendars. |
| 9.3 | ISMS Management Reviews | Management review reports, calendars and plans for management reviews, recommendations. |
| 10.1 | Continuous improvement | Any documents that show continuous improvement of the ISMS. This can include internal/ external audit reports, incident reports, corrective action, ISMS planning, management meeting minutes etc. |
| 10.2 | Nonconformity and remediation | List of nonconformity and remediation plans, including owners and timelines. Incident reports, audit findings, or complaints may also be used as documentation. Your auditor needs to see that nonconformists are being identified and resolved. |
The Policies
In addition, the following policy documents should be in place. Each policy applies to either all staff or specific functions, i.e. IT, HR, Facilities etc.
