ISO 27001:2022 Mandatory Documentation Requirements
| Mandatory Document | ISO 27001:2022 Reference | Interpretation | Usually Documented Through |
|---|---|---|---|
| Scope of the ISMS | Clause 4.3 | The ISMS scope defines the boundaries of the certified ISMS in relation to the organization's context (e.g. particular business units, sites or departments), its information risks and security requirements, and requirements imposed by third parties (e.g. laws, regulations and contractual obligations). Interfaces and dependencies with activities performed by other organizations must also be considered. | ISMS Scope Document |
| Information Security Policy | Clause 5.2 | The information security policy states and confirms senior management's commitment to the organization's information security objectives and to continual improvement of the ISMS. It must be communicated within the organization and made available to interested parties as appropriate. Senior management may prefer a single, succinct, overarching governance-type policy. | Information Security Policy |
| Risk Assessment and Risk Treatment Process | Clause 6.1.2 | A structured, repeatable risk assessment process that produces consistent, valid and comparable results must be defined and documented. The procedure covers the risk acceptance criteria, the criteria for performing assessments, and the identification, analysis, evaluation and prioritization of information risks, with periodic reviews and updates. | Risk Assessment and Treatment Methodology |
| Statement of Applicability (SoA) | Clause 6.1.3(d) | The SoA lists the controls determined to be necessary for your ISMS, whether selected through risk assessment or required by laws, regulations or good practice, with the justification for each inclusion, its implementation status, and a justification for every ISO/IEC 27001 Annex A control that has been excluded. Comparing the necessary controls against Annex A verifies that none have been overlooked. | Statement of Applicability |
| Risk Treatment Plan | Clauses 6.1.3(e), 6.2, 8.3 | The plan records the treatment decision for each identified risk: the selected treatment option, the controls to be implemented, responsibilities and timescales, together with the risk owners' approval of the plan and acceptance of the residual risks (Clause 6.1.3(f)). A written policy or procedure for deciding on and implementing treatments consistently usually sits alongside it; various structures may be used to articulate the process. | Risk Treatment Plan |
| Information Security Objectives | Clause 6.2 | The requirement to "retain documented information on the information security objectives" allows flexibility in form, but the objectives themselves must be consistent with the policy, measurable where practicable, monitored, communicated and updated as appropriate. A practical approach is to start from the organization's high-level business objectives and derive the information risk and security objectives from them. | Information Security Objectives |
| Competence Records | Clause 7.2 | Appropriate documented information must be retained as evidence of competence. In practice this usually means relying on HR records of relevant experience, skills, qualifications and training for the core ISMS personnel in the information risk and security management function. | HR Documents and Records |
| Operational Planning and Control | Clause 8.1 | Documented information must be available "to the extent necessary to have confidence that the processes have been carried out as planned". This includes management information for the ISMS such as budgets, progress reports, policies, procedures and compliance activities, and extends to the control of externally provided processes, products and services that are relevant to the ISMS. | ISMS Procedures and Management Information |
| Risk Assessment Results | Clause 8.2 | Risk assessments must be performed at planned intervals, and when significant changes are proposed or occur, and their results retained. Typical outputs include risk assessment reports, risk metrics, prioritized lists of risks, information risk inventories or registers, and entries in corporate risk registers. | Risk Assessment & Treatment Report |
| Risk Treatment Results | Clause 8.3 | The risk treatment plan must be implemented and its results retained as evidence that identified risks are being treated as decided. Evidence can include control test reports, implementation plans and status, financial records of risk management spending, and metrics showing incident reduction. | Risk Treatment Evidence and Control Test Reports |
| Monitoring and Measurement Results | Clause 9.1 | The ISMS generates metrics to track and steer information risks, controls and the ISMS as a whole; the organization must determine what is monitored, by what methods, when and by whom, and retain evidence of the results. Evidence includes security metrics in reports, systems, dashboards and presentations, plus documentation showing that the metrics are reviewed and acted upon. | Logs and Dashboards |
| Internal Audit Programme and Results | Clause 9.2 | Evidence consists primarily of ISMS internal audit reports documenting findings, conclusions and recommendations, with results reported to relevant management. Supporting evidence includes the audit programme (its frequency, methods, responsibilities, planning requirements and reporting), audit plans, calendars, budgets, scopes and working papers. | Internal Audit Program and Reports |
| Management Review Results | Clause 9.3 | Evidence includes management review reports and minutes, calendars, plans, budgets, scopes, working papers, recommendations, decisions on continual improvement opportunities and on changes to the ISMS, action plans and closure notes. Auditors may interview top management about the ISMS and the issues raised in these reports. | Management Review Minutes and Reports |
| Nonconformities and Corrective Actions | Clause 10.2 | A nonconformity is a requirement that is partially or wholly unsatisfied. Evidence must show routine, systematic identification, reporting and correction of issues, including root-cause analysis, corrective actions, reviews of their effectiveness and any resulting changes to the ISMS. (In ISO/IEC 27001:2022 this is Clause 10.2; Clause 10.1 now covers continual improvement.) | Nonconformity/Corrective Action Reports (NCAR) |