
List of mandatory documents required by ISO 27001:2013

It has been a fair while since ISO 27001:2013 for Information Security Management Systems was published, yet its adoption is only now starting to gain real traction, just in time for work on the next revision to get underway. Like all ISO standards it sets out requirements for what you must do (ISO words these as "shall"), and part of those requirements is, of course, documentation and records. It's fair to say that ISO 27001 has a few more of these requirements than some other standards, but they all make sense and will lead to a genuinely sound Information Security Management System.

We've listed them below, along with the documents we also recommend, and the clauses each one is linked to. Unlike other standards, ISO 27001:2013 has an Annex (Annex A) that acts as a checklist of controls linked back to risks, so some of the documentation requirements only apply if the corresponding risk applies to your organisation. We'll talk more about Annex A in future blog posts.

Mandatory Documents for ISO27001:2013

  • Scope of the Information Security Management System (ISMS) - clause 4.3
  • Information security policy - clause 5.2
  • Information security objectives - clause 6.2
  • Risk assessment process - clause 6.1.2
  • Risk treatment process - clause 6.1.3
  • Statement of Applicability for controls in Annex A - clause 6.1.3 d)
  • Risk treatment plan - clause 6.1.3 e)
  • Risk assessment report - clause 8.2
  • Definition of security roles and responsibilities (should be in the employment agreement) - clause A.7.1.2
  • Inventory of assets - clause A.8.1.1
  • Acceptable use of assets - clause A.8.1.3
  • Access control policy - clause A.9.1.1
  • Operating procedures for information security - clause A.12.1.1
  • Incident management procedure - clause A.16.1.5
  • Business continuity strategy & procedures - clause A.17.1
  • Statutory, regulatory and contractual requirements - clause A.18.1.1

Mandatory Documents from Annex A if there are risks found which would require their implementation

  • Confidentiality or non-disclosure agreements - clause A.13.2.4
  • Secure system engineering principles - clause A.14.2.5
  • Supplier security policy - clause A.15.1.1

Non-Mandatory Documents (but commonly used)

  • Procedure for document control - clause 7.5
  • Controls for managing records - clause 7.5
  • Procedure for internal audit - clause 9.2
  • Procedure for corrective action - clause 10.1
  • Bring your own device (BYOD) policy - clause A.6.2.1
  • Mobile device and teleworking policy - clause A.6.2.1
  • Information classification policy - clause A.8.2
  • User access rights policies, including password control - clause A.9.2
  • Disposal and destruction policy - clause A.8.3.2 and clause A.11.2.7
  • Procedures for working in secure areas - clause A.11.1.5
  • Clear desk and clear screen policy - clause A.11.2.9
  • Organisational change management policy - clause A.12.1.2
  • Software Change management policy - clause A.14.2.4
  • Backup policy - clause A.12.3.1
  • Information transfer policy - clause A.13.2
  • Business impact analysis - clause A.17.1.1
  • ISMS Continuity controls testing plan - clause A.17.1.3

Mandatory Records

  • List of interested parties, legal and other requirements - clauses 4.2 and 6.1
  • Competence (e.g. skills matrix and associated proof of skills) - clause 7.2
  • Evidence of communication - clause 7.4
  • Monitoring and measurement results - clause 9.1.1
  • Internal Audit Program & Results - clause 9.2
  • Results of Management Reviews of ISMS - clause 9.3
  • Nonconformities, corrective actions and improvement suggestions - clauses 10.1 and 10.2
  • Logs of user activities, exceptions, faults and security events - clause A.12.4.1
  • Logs of System Administrator & System user activities, exceptions, faults and security events - clause A.12.4.3

Grab the Checksheet

To make it simple, we've created a check sheet that you can use to track everything you need. Just tell us where you want it emailed to and we'll do the rest.


© Many Caps Consulting Ltd | All Rights Reserved
