List of mandatory documents required by ISO 27001:2013

It has been a fair while since ISO27001:2013 for Information Security Management Systems was published yet it's adoption is only really now starting to gain some traction, just in time for the work on the next revision to really get underway. Like all ISO standards there are set requirements about what you must do, ISO list these as "shall" , part of these must does is of course documentation and records. It's fair to say that there are a few more requirements in ISO27001 than some of the other standards but they all do make sense and will lead to a really sound Information Security Management System. 

We've made a list of them below along with the ones that we also recommend and the clauses that they are linked to. Unlike other standards, the ISO27001:2013 Information Security Management standard has an Annex which acts like a check list linked back to risks, some of the documentation requirements are only applicable if that particular risk is applicable to your organisation. We'll talk more about Annex A in future blog posts.

• Scope of the Information Security Management System (ISMS)- Clause 4.3
• Information security policy - clause 5.2
• Information security objectives - clause 6.2
• Risk assessment process - clause 6.12
• Risk treatment process - clause 6.13
• Statement of Applicability for controls in Annex A - - clause 6,13,d
• Risk treatment plan - clause 6.13.e
• Risk assessment report- clause 8.2
• Definition of security roles and responsibilities (should be in employment agreement) - clause A7.1.2
• Inventory of assets - clause A8.1.1
• Acceptable use of assets - clause A8.1.3
• Access control policy - clause A9.1.1
• Operating procedures for Information Security - clause A12.1.1
• Incident management procedure - clause A16.1.5
• Business continuity strategy & procedures - clause A17.1
• Statutory, regulatory, and contractual requirements - clause A18.1.1

• Confidentiality or Non-Disclosure agreements- Clause A.13.2.4
• Secure system engineering principles- Clause A.14.2.5
• Supplier security policy Clause A.15.1.1

• Procedure for document control - clause 7.5
• Controls for managing records - clause 7.5
• Procedure for internal audit - clause 9.2
• Procedure for corrective action - clause 10.1
• Bring your own device (BYOD) policy - clause A6.2.1
• Mobile device and teleworking policy - clause A6.2.1
• Information classification policy - clause A8.2
• User Access Rights Policies including Password control - clause A9.2
• Disposal and destruction policy - clause A.8.3.2 and clause A.11.2.7
• Procedures for working in secure areas - clause A.11.1.5
• Clear desk and clear screen policy - clause A.11.2.9
• Organisational Change management policy - clause A.12.1.2
• Software Change management policy - clause A.14.2.4
• Backup policy - clause A.12.3.1
• Information transfer policy - clause A.13.2
• Business impact analysis - clause A.17.1.1
• ISMS Continuity controls testing plan - clause A.17.1.3

• List of Interested Parties, Legal and Other Requirements - clause 4.2 & - clause 6.1
• Competence (e.g. Skills Matrix & associated proof of skills) - clause 7.2
• Evidence of communication - clause 7.4
• Monitoring and measurement results - clause 9.1.1
• Internal Audit Program & Results - clause 9.2
• Results of Management Reviews of ISMS - clause 9.3
• Nonconformities, corrective actions & improvement suggestions - clause 10.1 & - clause 10.2
• Logs of user activities, exceptions, faults and security events - clause A.12.4.1
• Logs of System Administrator & System user activities, exceptions, faults and security events - clause A.12.4.3

To make it simple we've created this check sheet that you can use to track everything that you need,