Skip links

Checklist of ISO 27001 Mandatory Documentation

Checklist of ISO 27001

A great documentation by Advisera, which provides you clause by clause Explanation of ISO 27001, which I believe can help you to learn more about ISO 27001.

The PDF document explains each clause of the ISO 27001 standard, while providing guidelines on what needs to be done to meet each requirement. This white paper will help you understand how to protect the confidentiality, integrity, and availability of information in your company, by demonstrating:

  • how to apply a process approach
  • how to plan and analyze processes within the organization
  • how to implement the Plan-Do-Check-Act cycle
  • how to evaluate performance in order to make improvements
  • how to address information security risks by being well prepared

To download the document :

More ISO

Mandatory documents and records required by ISO 27001:2013

Here are the documents you need to produce if you want to be compliant with ISO 27001: (Please note that documents from Annex A are mandatory only if there are risks which would require their implementation.)

    • Scope of the ISMS (clause 4.3)
    • Information security policy and objectives (clauses 5.2 and 6.2)
    • Risk assessment and risk treatment methodology (clause 6.1.2)
    • Statement of Applicability (clause 6.1.3 d)
    • Risk treatment plan (clauses 6.1.3 e, 6.2, and 8.3)
    • Risk assessment report (clauses 8.2 and 8.3)
    • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
    • Inventory of assets (clause A.8.1.1)
    • Acceptable use of assets (clause A.8.1.3)
    • Access control policy (clause A.9.1.1)
      • Operating procedures for IT management (clause A.12.1.1)
      • Secure system engineering principles (clause A.14.2.5)
      • Supplier security policy (clause A.15.1.1)
      • Incident management procedure (clause A.16.1.5)
      • Business continuity procedures (clause A.17.1.2)
      • Statutory, regulatory, and contractual requirements (clause A.18.1.1)

      And here are the mandatory records:

      • Records of training, skills, experience and qualifications (clause 7.2)
      • Monitoring and measurement results (clause 9.1)
      • Internal audit program (clause 9.2)
      • Results of internal audits (clause 9.2)
      • Results of the management review (clause 9.3)
      • Results of corrective actions (clause 10.1)
      • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

      Non-mandatory documents

      There are numerous non-mandatory documents that can be used for ISO 27001 implementation, especially for the security controls from Annex A. However, I find these non-mandatory documents to be most commonly used:

      • Procedure for document control (clause 7.5)
      • Controls for managing records (clause 7.5)
      • Procedure for internal audit (clause 9.2)
      • Procedure for corrective action (clause 10.1)
      • Bring your own device (BYOD) policy (clause A.6.2.1)
      • Mobile device and teleworking policy (clause A.6.2.1)
      • Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
      • Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
      • Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
      • Procedures for working in secure areas (clause A.11.1.5)
      • Clear desk and clear screen policy (clause A.11.2.9)
      • Change management policy (clauses A.12.1.2 and A.14.2.4)
      • Backup policy (clause A.12.3.1)
      • Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
      • Business impact analysis (clause A.17.1.1)
      • Exercising and testing plan (clause A.17.1.3)
      • Maintenance and review plan (clause A.17.1.3)
      • Business continuity strategy (clause A.17.2.1)
ISO 27001
ISO 27001

What is the meaning of ISO 27001?

First, it is important to note that the full name of ISO 27001 is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements.”

It is the leading international standard focused on information security, published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards.

ISO-27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series.

ISO framework and the purpose of ISO 27001

ISO framework is a combination of policies and processes for organizations to use. ISO 27001 provides a framework to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).

Why is ISO 27001 important?

Not only does the standard provide companies with the necessary know-how for protecting their most valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data.

Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this way, prove their skills to potential employers.

Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing business opportunities for organizations and professionals.

What are the 3 ISMS security objectives?

The basic goal of ISO 27001 is to protect three aspects of information:

  • Confidentiality: only the authorized persons have the right to access information.
  • Integrity: only the authorized persons can change the information.
  • Availability: the information must be accessible to authorized persons whenever it is needed.

What is an ISMS?

An Information Security Management System (ISMS) is a set of rules that a company needs to establish in order to:

  1. identify stakeholders and their expectations of the company in terms of information security
  2. identify which risks exist for the information
  3. define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
  4. set clear objectives on what needs to be achieved with information security
  5. implement all the controls and other risk treatment methods
  6. continuously measure if the implemented controls perform as expected
  7. make continuous improvement to make the whole ISMS work better

This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can be in the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.