ISO 27001:2022 Documentation and Evidence

The table below lists, per ISO 27001:2022 clause, the documented information and records an auditor will expect to see. Clause numbers refer to the main body of the standard; Annex A controls follow in the next section.

4.1 Organization and context: A description of the external and internal issues relevant to the ISMS, together with a company org chart that identifies key stakeholders.
4.2 Stakeholders (interested parties): A list of key ISMS stakeholders and their requirements, reviewed and updated periodically. ISMS stakeholders include the personnel who oversee and manage the ISMS, as well as those who depend on it to operate effectively.
4.3 ISMS Scope: The ISMS Scope Statement defines the boundaries and applicability of the ISMS, i.e. which information assets, locations, business units and systems the organization commits to protect. Clause 4.3 requires the scope to take into account the external and internal issues from 4.1, the requirements of interested parties from 4.2, and the interfaces and dependencies with activities performed by other organizations. A description of your business locations and the org chart usually supports it.
4.4 ISMS Description: System description documentation covering the purpose of the ISMS and a high-level overview of the system architecture. This can include a boundary overview and/or a high-level description of the ISMS IT infrastructure with a system diagram. Often these descriptions are found in ISMS policies, procedures and guidelines.
5.1 Leadership: Evidence that company leadership is committed to maintaining and improving the ISMS. Documentation can include budgets, strategies, meeting minutes and communications from senior management.
5.2 Information Security Policy: The information security policy explains how management approaches information security. It defines how the company protects the confidentiality, integrity and availability of sensitive data, and it must be approved by management, communicated within the organization and available to interested parties as appropriate.
5.3 Information Security Roles and Responsibilities: Org charts and job descriptions, including the control owners responsible for particular security controls and processes.
6.1.1 Actions to address risks and opportunities: ISMS management meeting minutes, audit reports and recommendations, remediation plans and corrective actions.
6.1.2, 6.1.3 Information Security Risk Assessment and Treatment Process and Plan: A documented risk assessment and risk treatment process that explains how you identify, analyse, evaluate and prioritize risks, including your risk acceptance criteria. This document should also state how often you review and update your risk assessment and treatment plans. Supporting documentation includes the risk treatment plan, the risk register and the risk matrix.
6.1.3 d) Statement of Applicability: The Statement of Applicability explains which Annex A controls are, or are not, applicable to your organization's ISMS. It should list the controls your organization has selected to mitigate risk, explain why each control was chosen, state whether each control has been implemented, and justify every exclusion.
6.2 Information Security Objectives and Plans: A document that outlines your organization's information security objectives, the risks associated with them, and the plans for achieving them: what will be done, which resources are needed, who is responsible, when it will be completed and how results will be evaluated. Supporting documentation can include budgets, strategies, meeting minutes and communications from senior management.
7.1 ISMS Resources: Any documents concerning the resources dedicated to maintaining and improving the ISMS, including audit reviews, incident reports, remediation plans, strategy, planning and budgeting documents, management meeting minutes, etc.
7.2 Competence: ISO 27001 requires organizations to "retain appropriate documented information as evidence of competence." Examples are training certificates, CVs, and records of role-specific security training for personnel directly involved in operating the ISMS.
7.3 Employee Security Awareness and Training: Security awareness training materials, including posters, presentations, leaflets, quizzes, training course certificates, attendance records, etc.
7.4 Communication: Any communications made about the ISMS, such as a certification announcement, plus the process or policy that defines what needs to be communicated, when, to whom and by whom.
7.5.1 General documentation: How you organize, review and update your ISMS documentation. A tracking spreadsheet such as this list can itself serve as evidence, as can a separate document management system.
7.5.2 Templates for creating and updating documentation: All ISMS documents should follow templates that include elements such as version control, revision history and management approval.
7.5.3 Documentation control: Reports showing who has access to ISMS documents and the type of access they have (view/edit), the classification of each document, retention and disposition rules, etc.
8.1 Operational planning and control procedures: ISO 27001 requires organizations to retain documentation showing that information security processes are being followed and carried out as intended. This can include budgets demonstrating that appropriate resources are being dedicated to maintaining and improving the ISMS, compliance activities relating to internal audits, incident reports, vulnerability assessments, penetration test reports, etc.
8.2 Risk assessment results: Periodic risk assessment reports, updated risk registers, meeting minutes where business risks were discussed; any documentation that shows your auditor that your processes yield useful information about business risks.
8.3 Risk treatment results: Risk treatment plan, penetration test reports, vulnerability assessments, internal audit reports, management reviews and control test reports.
9.1 Metrics (monitoring, measurement, analysis and evaluation): Any security metrics reports, dashboards, presentations, emails, etc. that show the effectiveness of the ISMS is being measured and that the results are being acted upon.
9.2 ISMS Internal Audits: Internal audit programme and calendar, internal audit reports, nonconformity reports and remediation timelines.
9.3 ISMS Management Reviews: Management review reports, calendars and plans for management reviews, and the resulting decisions and recommendations.
10.1 Continual improvement: Any documents that show continual improvement of the ISMS. This can include internal and external audit reports, incident reports, corrective actions, ISMS planning, management meeting minutes, etc.
10.2 Nonconformity and corrective action: A list of nonconformities and their remediation plans, including owners and timelines. Incident reports, audit findings or complaints may also be used as documentation. Your auditor needs to see that nonconformities are being identified, their root causes addressed, and the corrective actions verified as effective.

The Policies

In addition, the following policy and procedure documents should be in place. Each applies either to all staff or to specific functions, e.g. IT, HR, Facilities.

A.5.1 Information security policy and topic-specific policies, such as:
a) access control;
b) physical and environmental security;
c) asset management;
d) information transfer;
e) secure configuration and handling of user endpoint devices;
f) networking security;
g) information security incident management;
h) backup;
i) cryptography and key management;
j) information classification and handling;
k) management of technical vulnerabilities;
l) secure development.
A.5.7 Threat intelligence
A.5.9 Inventory of information and other associated assets
A.5.10 Rules for the acceptable use of, and procedures for handling, information and other associated assets
A.5.12 Classification of information based on confidentiality, integrity, availability and relevant interested party requirements
A.5.13 Procedures for information labelling
A.5.14 Information transfer rules, procedures or agreements
A.5.15 Topic-specific policy on, and rules for, access control
A.5.18 Access rights to information and other associated assets, granted and reviewed in line with the topic-specific policy on access control
A.5.19 Processes and procedures to manage the information security risks associated with the use of suppliers' products or services
A.5.21 Processes and procedures to manage the information security risks associated with the ICT products and services supply chain
A.5.23 Processes for acquisition, use, management of and exit from cloud services
A.5.24 Information security incident management processes, roles and responsibilities
A.5.28 Procedures for the identification, collection, acquisition and preservation of evidence related to information security events
A.5.29 Process for maintaining information security during disruption
A.5.30 Plan for ICT readiness for business continuity
A.5.31 Legal, statutory, regulatory and contractual requirements relevant to information security
A.5.32 Procedures to protect intellectual property rights
A.5.37 Operating procedures for information processing facilities
A.6.2 Employment contractual agreements (terms and conditions of employment)
A.6.4 Disciplinary process
A.6.6 Confidentiality or non-disclosure agreements
A.6.7 Remote working process and remote access policy
A.7.4 Physical security monitoring
A.7.5 Protection against physical and environmental threats
A.7.6 Working in secure areas
A.7.7 Clear desk and clear screen rules
A.7.9 Security of assets off-premises, such as mobile devices and laptops
A.7.10 Handling of storage media
A.7.14 Secure disposal or re-use of equipment
A.8.1 User endpoint devices
A.8.3 Information access restriction in line with the topic-specific policy on access control
A.8.5 Secure authentication technologies and procedures as per the topic-specific policy on access control
A.8.6 Capacity management
A.8.7 Protection against malware
A.8.8 Management of technical vulnerabilities
A.8.9 Configurations, including security configurations, of hardware, software, services and networks
A.8.11 Data masking as per the topic-specific policy on access control
A.8.13 Topic-specific policy on backup
A.8.15 Logs that record activities, exceptions, faults and other relevant events
A.8.19 Installation of software on operational systems
A.8.21 Security mechanisms, service levels and service requirements of network services
A.8.23 Web filtering
A.8.24 Rules for the effective use of cryptography
A.8.25 Rules for the secure development of software and systems
A.8.26 Information security requirements for applications
A.8.27 Principles for engineering secure systems, applied to information system development activities
A.8.29 Security testing processes in the development life cycle
A.8.32 Change management
