Clause 7.5
Documented information

Any platform that supports four capabilities can carry an ISMS: permission control (who can view, who can change), version history, search or reliable navigation, and some way to capture approval. Confluence and other wikis, SharePoint, Google Drive, and dedicated GRC platforms all qualify; so does a disciplined file share. Paper conforms in principle and punishes you in practice.

Pick the platform your team already lives in. Documentation that sits inside daily tooling gets read and updated; documentation in a separate system gets visited twice a year. The one hard rule is a single source of truth: the moment policies live in three places, you have versions disagreeing with each other — and an auditor will find the disagreement faster than you will.

The register is one table listing every controlled document: title, owner, version, status (draft, approved, retired), approval date and approver, next review date, classification, and location. It serves two masters — auditors use it as their index into your ISMS, and you use it as the dashboard that shows which reviews are overdue and which documents lost their owner.

Make each document self-describing too, per 7.5.2: title, version, date, and owner on the document itself. Document IDs (POL-01, PROC-07) are optional — useful for cross-referencing once you pass a couple of dozen documents, pure bureaucracy before that. Keep classification honest: most ISMS documents are internal, a few are confidential, and your information security policy may be deliberately public.

Approval should be proportionate to the document. The information security policy warrants top-management sign-off; an operational procedure needs its process owner, not the CEO. Define two or three approval tiers in the document control procedure and resist routing everything to the top — heavyweight approval is the single biggest reason documentation goes stale.

Distinguish substantive change from editorial change. A typo fix or a broken link should not trigger a full re-approval cycle; a change to scope, requirements, or responsibilities should. Capture approvals in the platform itself — a workflow state, a recorded approval click, even a dated comment from the approver. Wet signatures on printed cover pages still satisfy auditors, but they create exactly the friction that kills review discipline.

Adopt a simple version convention — major.minor works: minor for editorial updates, major for substantive ones — and keep a change log per document, even three lines per revision. The platform's native version history covers the forensic detail; the change log gives owners and auditors the readable summary of what changed and why.

Retention is a decision, not a default. Map each record type to a period derived from legal, regulatory, and contractual obligations plus your own evidentiary needs — keeping core ISMS records for at least one full three-year certification cycle is common practice, so the trail covers recertification. Disposition is part of the requirement: deletion should be a controlled, recorded act, not a quiet cleanup. And bring external documents — standards you claim conformity to, regulator circulars, customer security schedules — into the register with a named owner who tracks when they change.

No edition of ISO 27001 has ever required an ISMS manual — the idea is inherited from old quality-management practice. The spine of your documentation is already defined by the standard: the scope statement (Clause 4.3), the information security policy (5.2), the risk assessment and treatment processes with the Statement of Applicability (6.1), the security objectives (6.2), and the operating procedures and records the remaining clauses call for.

If you want a single orientation point, write a two-page index that links to those documents and shows how they connect. A sixty-page manual that paraphrases the standard adds no conformity, duplicates content that will drift out of sync, and hands the auditor extra surface area for findings.

Auditors sample. From the register they pull a handful of documents and run the same battery: Is the version in circulation the latest approved one? Where is the approval evidence, and was the approver appropriate for the document's tier? Was the scheduled review actually performed? Do cross-references point at documents that still exist? They will also ask a staff member to find the procedure they would use for a routine task — availability, tested live.

Run that battery on yourself quarterly: pick five documents at random and trace version, approval, review date, and findability. Sweep for orphans — documents referencing retired tools, departed owners, or superseded policies. Twenty minutes of self-sampling every quarter is the cheapest audit preparation that exists.