Achieving ISO 27001 certification is a significant milestone for organizations seeking to establish robust information security management systems (ISMS). ISO 27001 is designed to adapt to each organization’s unique needs, acknowledging that information security requirements vary. Therefore, none of its controls are universally mandatory for compliance. Instead, ISO 27001 mandates a structured approach for organizations to determine which ISO 27001 controls are essential for their specific context.
ISO 27001 constitutes an information security management system, and the core of this system lies in a set of mandatory documents. The standard is exceedingly particular about the necessity of documentation.
Let’s put it this way: If an action or procedure is not documented, it does not exist within the framework of ISO 27001. The documentation is the lifeline that breathes substance into your ISMS, offering a clear, auditable record of your commitment to information security and adherence to ISO 27001 standards.
This article will explore the mandatory documentation requirements outlined in ISO 27001:2022. These mandatory clauses are integral to achieving ISO 27001 certification and building a comprehensive ISMS.
The Significance of Documentation in ISO 27001
In the context of the ISO 27001:2022 standard, “documents” refers to documented information, encompassing information required by the standards, such as the ISMS (Information Security Management System) Scope and Information Security Policy. Additionally, it includes documents that organizations define as necessary for their operations, such as support policies, procedures, plans, and similar documents that need to be recorded.
Documents can take various forms, from traditional paper to digital text or spreadsheet files, videos, audio files, and more. It’s important to note that organizations need to manage not only their internal documents, such as policies and project documentation but also external documents, including different types of correspondence and documentation received with equipment.
An Overview of ISO 27001 Requirements
ISO 27001:2022 consists of seven mandatory clauses, each addressing crucial aspects of information security management:
Clause 4: Context of the Organization
This clause requires organizations to understand their internal and external context, including relevant stakeholders and their expectations. It sets the foundation for developing an effective ISMS tailored to the organization’s unique context.
Clause 5: Leadership
Leadership commitment is emphasized in this clause. Top management must demonstrate their involvement in and support for the ISMS. It includes defining roles, responsibilities, and authorities for information security.
Clause 6: Planning
Planning involves assessing risks and opportunities related to information security. Organizations must establish information security objectives and develop plans to achieve them. This clause is essential for risk management and strategy development.
Clause 7: Support
Support covers the necessary resources, competence, awareness, communication, and documented information required for effective ISMS implementation. Adequate support is crucial for ensuring the success of the ISMS.
Clause 8: Operation
This clause focuses on the implementation of the ISMS. It covers areas such as risk assessment, risk treatment, and the implementation of information security controls. It ensures that security measures are put into practice.
Clause 9: Performance Evaluation
Organizations must monitor, measure, analyze, and evaluate the performance of their ISMS. This includes conducting internal audits and management reviews to ensure that the ISMS remains effective.
Clause 10: Improvement
Continuous improvement is a fundamental principle of ISO 27001. This clause requires organizations to take corrective actions when non-conformities are identified and seek opportunities for improvement in information security management.
In addition to these seven clauses, ISO 27001 includes an Annex A section. Annex A is drawn directly from ISO 27002 and provides a list of potential information security controls organizations can implement to address specific risks. It is closely tied to Clause 6, which focuses on risk assessment and treatment.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
ISO 27001 Mandatory Documents List
Here is a summary of the ISO 27001 required documents:
| Documentation Requirement | ISO 27001 Reference | Typically Documented Via |
| Scope of the ISMS | Clause 4.3 | ISMS Scope Document |
| Information Security Policy | Clause 5.2 | Information Security Policy |
| Risk Assessment and Risk Treatment | Clause 6.1.2 | Risk Assessment and Treatment Methodology |
| Statement of Applicability | Clause 6.1.3 (d) | Statement of Applicability |
| Risk Treatment Plan | Clauses 6.1.3 (e), 6.2, 8.3 | Risk Treatment Plan |
| Information Security Objectives | Clause 6.2 | List of Security Objectives |
| Risk Assessment and Treatment Report | Clauses 8.2, 8.3 | Risk Assessment & Treatment Report |
| Inventory of Assets | Control A.5.9 | Inventory of Assets or List of Assets in the Risk Register |
| Acceptable Use of Assets | Control A.5.10 | IT Security Policy |
| Incident Response Procedure | Control A.5.26 | Incident Management Procedure |
| Statutory, Regulatory, and Contractual Requirements | Control A.5.31 | List of Legal, Regulatory, and Contractual Requirements |
| Security Operating Procedures for IT Management | Control A.5.37 | Security Procedures for IT Department |
| Definition of Security Roles and Responsibilities | Controls A.6.2 and A.6.6 | Agreements, NDAs, and specifying responsibilities in each security policy and procedure |
| Definition of Security Configurations | Control A.8.9 | Security Procedures for IT Department |
| Secure System Engineering Principles | Control A.8.27 | Secure Development Policy |
This table summarizes the critical mandatory documentation requirements in ISO 27001, their respective ISO references and typical documentation methods.
What is a Statement of Applicability?
Annex A provides a comprehensive list of potential information security controls organizations can consider for addressing specific risks. However, the standard recognizes that not all controls will be relevant or applicable to every organization’s unique context and security needs.
Instead, organizations are encouraged to conduct a risk assessment to identify their specific security risks and vulnerabilities. Based on the results of this assessment, organizations should select and implement controls from Annex A or design their own controls tailored to their risk mitigation strategies. The key is to ensure that the chosen controls effectively address identified risks and align with the organization’s information security objectives.
The decision-making process regarding control selection and implementation should be documented in the Statement of Applicability (SoA), which justifies the inclusion or exclusion of specific controls. The SoA serves as evidence of the organization’s deliberate and informed approach to information security control implementation. It is important to focus on controls that are relevant and necessary for mitigating identified risks rather than attempting to implement all controls listed in Annex A.
The SoA should also include additional information on each control and link to relevant documentation regarding its implementation.
The SoA should include:
- a list of your chosen controls;
- justification for their inclusion;
- whether your controls have been implemented or not; and
- the justification for excluding any of the Annex A controls (excluding the physical controls because you don’t have a physical office to protect).
Why Should You Be ISO 27001 Compliant?
The ISMS ensures the confidentiality, integrity and availability of your information through a thorough risk management process and gives confidence to stakeholders (clients, employees, suppliers, etc.) that your risks are adequately managed.
As you develop and refine your ISMS, you will be putting in the work to identify threats, analyze their potential effects, and implement controls to minimize them. With the ISO framework in place, your organization will be built on best practices that will support your business, customers, and team. You can build a structured business with defined policies and procedures, monitor risk more effectively, explain the impact of potential threats, increase customer trust, and set your business up for long-term success.
In addition, implementing ISO 27001 can simplify the process of achieving compliance with various international laws and compliance standards such as the GDPR and SOC 2 and can help you meet the information security controls of best practice frameworks such as the NIST CSF.
Compliance proves to internal and external parties your organization’s ability to meet your own information security requirements.
ISO 27001 Guide To Compliance
Organizations seeking to comply with the ISO/IEC 27001 must undergo audits regularly and implement and maintain its requirements. These mandatory requirements include ISMS scope determination, information security policy and topic-specific policies, risk assessment processes and procedures, the Statement of Applicability, evidence of competence, evidence of monitoring, and many more.
Centraleyes Can Get You on the Road to ISO Compliance
The Centraleyes platform provides a streamlined and supportive process for achieving ISO 27001 compliance, walking organizations through the necessary steps to prepare for the audits fully. With built-in questionnaires, templates for the Statement of Applicability and the required ISO policies, automated data collection and analysis, prioritized remediation guidance, and real-time customized scoring, companies will find everything they need to finish, with the coveted certification just around the corner. The platform enables organizations to reach complete ISO readiness, both for companies who choose to use it as a risk framework and those who want to prepare for full compliance with ISO 27001. Centraleyes offers full coverage for the 2013 version and the latest October 2022 release.
In addition, Centraleyes offers a smart mapping feature, linking the ISO 27001 questionnaire to its control inventory. This allows organizations to easily share information across various frameworks throughout the platform, saving time and money while improving their data’s accuracy. The platform also provides organizations with complete visibility into their cyber risk levels and compliance status and generates a report to help with audit preparation.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
