ISO 27001:2022  ·  Documentation Checklist

The Documents ISO 27001 Actually Requires

Template vendors will sell you 80 documents. The standard explicitly requires about 14 — plus whatever your applicable Annex A controls demand. This checklist separates the three tiers: strictly mandatory, mandatory-when-applicable, and commonly expected. Each item links to the clause or control guide that explains how to write it.

Tier 1 · Always Mandatory

Required by Clauses 4–10

These are the places where ISO 27001:2022 explicitly states documented information shall be available or retained. No scope, no industry, no size exempts you from any of them.

ISMS Scope

Clause 4.3

A statement of what the ISMS covers — locations, organizational units, services, and interfaces — and the reasoning behind any boundary decisions.

How to satisfy Clause 4.3

Information Security Policy

Clause 5.2

The top-level policy approved by leadership: commitments, the framework for setting objectives, and the mandate for the ISMS.

How to satisfy Clause 5.2

Risk Assessment Process

Clause 6.1

Your documented method for identifying, analyzing, and evaluating information security risks — criteria, scales, and ownership included.

How to satisfy Clause 6.1

Risk Treatment Process

Clause 6.1

How risk treatment options are selected, controls are determined, and residual risk is approved by risk owners.

How to satisfy Clause 6.1

Statement of Applicability (SoA)

Clause 6.1

The control-by-control declaration: which of the 93 Annex A controls apply, why, their implementation status — and justification for every exclusion.

How to satisfy Clause 6.1

Information Security Objectives

Clause 6.2

Measurable security objectives at relevant functions and levels, with plans covering who does what, with what resources, by when.

How to satisfy Clause 6.2

Evidence of Competence

Clause 7.2

Records demonstrating that people doing ISMS work are competent — certifications, training records, experience summaries.

How to satisfy Clause 7.2

Operational Planning & Control Records

Clause 8.1

Documentation sufficient to show security processes are carried out as planned — runbooks, tickets, approvals at the depth your processes need.

How to satisfy Clause 8.1

Risk Assessment Results

Clause 8.2

The retained output of each risk assessment cycle — typically your risk register with scores, owners, and dates.

How to satisfy Clause 8.2

Risk Treatment Results

Clause 8.3

The risk treatment plan and evidence of its execution — selected controls, implementation status, and risk-owner approvals of residual risk.

How to satisfy Clause 8.3

Monitoring & Measurement Results

Clause 9.1

Evidence of what you measured, how, when, and what the results showed — your ISMS metrics and their evaluation.

How to satisfy Clause 9.1

Internal Audit Programme & Results

Clause 9.2

The audit programme (scope, frequency, methods) plus the reports of each internal audit performed.

How to satisfy Clause 9.2

Management Review Results

Clause 9.3

Minutes and decisions from top-management reviews of the ISMS — inputs considered, improvement decisions, resource changes.

How to satisfy Clause 9.3

Nonconformity & Corrective Action Records

Clause 10.2

The nature of each nonconformity, actions taken, and the verified results of corrective action — including root-cause analysis.

How to satisfy Clause 10.2

Tier 2 · Mandatory When the Control Applies

Driven by Your Statement of Applicability

Each Annex A control you mark applicable in the SoA brings documentation with it. These are the ones auditors sample on nearly every engagement.

A.5.1

Topic-Specific Security Policies

Access control, cryptography, incident management, supplier security, and similar policies — the working layer below the top-level policy.

A.5.1 implementation guide →

A.5.9

Inventory of Information & Assets

The asset register with assigned owners — the backbone document most other controls reference.

A.5.9 implementation guide →

A.5.10

Acceptable Use Rules

Documented rules for acceptable use and handling of information and assets, acknowledged by users.

A.5.10 implementation guide →

A.5.15

Access Control Rules

The documented rules governing logical and physical access, derived from business and security requirements.

A.5.15 implementation guide →

A.5.20

Supplier Security Agreements

Contracts or addenda embedding security requirements with each relevant supplier.

A.5.20 implementation guide →

A.5.24

Incident Management Procedures

The incident response plan: roles, severity classification, escalation, communication, and evidence handling.

A.5.24 implementation guide →

A.5.26

Incident Response Records

Documentation of how actual incidents were assessed, contained, and resolved.

A.5.26 implementation guide →

A.5.29

Continuity & Disruption Plans

How information security is maintained during disruption, integrated with business continuity arrangements.

A.5.29 implementation guide →

A.5.31

Legal & Regulatory Register

The documented inventory of legal, statutory, regulatory, and contractual security requirements and how each is met.

A.5.31 implementation guide →

A.5.37

Documented Operating Procedures

Runbooks for security-relevant operations — backup, onboarding/offboarding, deployment, incident escalation.

A.5.37 implementation guide →

A.8.13

Backup Records

Backup definitions (scope, frequency, retention) and evidence of restoration tests.

A.8.13 implementation guide →

A.8.32

Change Management Records

Evidence that changes to systems and processing facilities follow defined change control.

A.8.32 implementation guide →

Tier 3 · Expected, Not Mandated

What Auditors Ask For Anyway

Not named as documented information by the standard — but so universally used to evidence conformity that their absence invites questions. Know which ones you are choosing to skip.

Interested Parties Register

Stakeholders and their security-relevant requirements (clause 4.2 requires the analysis; a register is the standard way to evidence it).

Risk Register

The living operational form of your risk assessment results — universally expected even though the standard only names the results.

ISMS Roles & Responsibilities Matrix

A RACI or equivalent making clause 5.3 assignments visible — auditors ask for it by name.

Awareness & Training Records

Attendance and completion evidence supporting clauses 7.2–7.3 — expected at every audit.

Document Control Procedure

How documents are versioned, approved, and distributed per clause 7.5 — usually a short procedure plus register.

Communication Plan

Who communicates what about the ISMS, when, and to whom (clause 7.4) — a simple table satisfies it.

ISMS Manual

NOT required by ISO 27001:2022 at all — a 2005-era habit. A scope document, policy, and SoA make a separate manual redundant (see FAQ).

Rule of thumb from our audit work: if a document does not change a decision, prove a requirement, or tell someone what to do, it is shelf-ware — and auditors notice shelf-ware faster than gaps. Write the 20–35 documents your scope genuinely needs and keep every one of them alive.

Documentation FAQ

Common Documentation Questions

How many mandatory documents does ISO 27001:2022 require?
The standard explicitly requires documented information in roughly 14 places across clauses 4–10 — from the ISMS scope (4.3) to corrective action records (10.2). On top of that, every applicable Annex A control can require its own documentation (policies, registers, procedures, records). In practice a lean first certification carries 20–35 documents; anything past 50 usually signals copy-paste template bloat rather than rigor.
Is an ISMS manual mandatory in ISO 27001:2022?
No. ISO 27001 has never required an "ISMS manual" — the concept carried over from old ISO 9001 practice. The 2022 standard requires specific documented information (scope, policy, SoA, risk processes, and records), not a consolidated manual. Some organizations still create a short one as an index for auditors and new joiners, which is fine — just know it is a convenience, not a requirement.
Can we combine multiple mandatory documents into one?
Yes. The standard requires the information to exist and be controlled — not a specific document count or structure. Small organizations commonly combine the risk assessment and risk treatment processes into one methodology document, or fold objectives into the security policy. Combine freely, but keep each requirement traceable so an auditor can find it without archaeology.
What is the difference between documents and records in ISO 27001?
ISO 27001:2022 calls both "documented information", but the distinction still matters operationally: documents say what you intend to do (policies, processes, plans) and are maintained — kept current through reviews. Records prove what you actually did (audit reports, training logs, incident records) and are retained — protected from alteration. Auditors check documents for adequacy and records for evidence.
Do we need documents for Annex A controls we excluded in the SoA?
No — an excluded control needs no implementation documentation. What you do need is a defensible justification for the exclusion inside the Statement of Applicability itself. Auditors test exclusions hard: "we don't develop software" works for the development controls only if nothing in scope actually involves code you build or customize.
What format do ISO 27001 documents need to be in?
Any format works — wiki pages, Confluence spaces, Google Docs, PDFs, or a GRC platform — as long as clause 7.5 controls apply: identification, review and approval, version control, availability to those who need them, and protection against unauthorized change. Auditors certify ISMSs run entirely on Notion as readily as ones run on Word templates.

Written By Expert Auditors

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Last reviewed: June 2026
Content verified by certified lead auditors