ISO 27001 Required Documents, Policies and Procedures

, , ,
Besides the question what controls you need to cover for ISO 27001 the other most important question is what documents, policies and procedures are required and have to be delivered for a successful certification. The biggest goal of ISO 27001 is to build an Information Security Management System (ISMS). That is a framework of all your documents including your policies, processes and procedures and others that I will cover here in this article.

What is the problem?

The biggest challenge for CISO’s, Security or Project Managers is to understand and interpret the controls correctly to identify what documents are needed or required. Unfortunately, ISO 27001 and especially the controls from the Annex A are not very specific about what documents you have to provide. ISO 27002 gets a little bit more into detail. Here you can find controls that specifically name what documents and what kind of documents (policy, procedure, process) are expected. The challenge of every framework is, that it is just a frame you have to fill with your own paint to show your big picture. The list of required documents we are seeing today comes from best practices and experiences over many years but also experience we have from other ISO framework implementations (e.g. ISO 9001).

What kind of documents are expected?

Essentially each framework is a collection of documented rules, guidelines, best practices or methods. This collection comes in form of policies, processes, procedures, instructions, or any other form that prove the implementation of your security controls and measures. Obviously, these papers are in office formats like Word, Excel, PowerPoint or PDF. But often you can also find system configuration files, logs, database extracts, network plans, etc.

How many documents do you commonly find in your ISMS?

When you look at a usual ISMS from a medium sized business you usually find about 50 to 100 documents. But you can say there are at least 30 mandatory documents you have to deliver to get certified. It always depends on what controls you have covered; how big your organization is or how intense you are going with your policies, procedures or processes.

What mandatory documents are required for ISO27001:2013?

Here you can find the complete list of mandatory and optional documents you should have. These documents include the ones that are necessary to define or describe the implementation of your Information Security Management System (ISMS) and your Risk Management. And also, the ones that show the organization and implementation of your information security and controls. You could also use it as an example for your internal audit plan, stage 1 checklist or compliance checklist.


Mandatory documents for the management of the ISMS and risks:
  • Scope or area of application of the ISMS
    In this article you can find “How to define an write your scope statement“.
  • Statement of Applicability
  • Inventory of Assets
  • Risk Management process or procedure
  • Risk Treatment plan
  • Risk Assessment Report
  • Security Roles and Responsibilities
Mandatory policies you have to deliver according ISO 27001 Annex A:
  •  Information Security Policy (A.5.1.1)
  • Mobile Device Policy (A.6.2.1)
  • Remote Access / Teleworking Policy (A.6.2.2)
  • Access Control Policy (A.9.1.1)
  • Cryptography Policy (A.10.1.1)
  • Cryptography Key Management Policy (A.10.1.2)
  • Clear Desk and Screen Policy (A.11.2.9)
  • Acceptable Use of Information Assets Policy (A.8.1.3)
  • Communications (Information Transfer) Policy (A.13.2.1)
  • Secure Development Policy or Plan (A.14.2.1)
  • Supplier Management Security Policy (A.15.1.1)
Mandatory procedures or processes according to ISO 27001 Annex A:
  • Information Classification and Management
  • Asset Management
  • Vulnerability Management (see “Modern and Agile Vulnerability and Patch Management Process“)
  • Management of (Removable) Media and Storage Devices
  • User Access Management
  • Working in secure areas
  • Change Management
  • Capacity Management
  • Anti-Malware
  • Backup and Recovery
  • Information Security Incident Management
  • Business Continuity Plan
Other mandatory documents:

 In addition to the specified policies and procedures above you should also have these documents available to prove the implementation of your controls:

  • Adequate job descriptions of your employees dealing with information security
  • Trainings of your staff (especially IT personnel)
  • Audit plans
  • Internal and external audits (e.g. pentests, assessments) and the results
  • Maintenance plans and performed maintenance work (especially for your data centers)
  • Any kind of logs, KPI’s, key figures, configuration files, network plans, etc.
  • Meeting minutes (showing the discussion of risks and overall security topics)
List of not mandatory or optional documents:
  • Physical and Environmental Security
  • Information Transfer
  • Privacy and Protection of personal information
  • Information Security Strategy
  • Logging Concept
  • Password Policy
  • Vulnerability Management Policy
  • Awareness plans


The given list of policies, processes and procedures is just an example of what you can expect. I got a small organization certified with these documents. But that does not mean that you can get away with it. The number of documents required also depends on the size of the company, on the business area, which regulations or laws must be complied with or what is your overall goal for security, etc. Sometimes it is even better to write less than too much. Always keep in mind that everything that is written down must also be verifiable and provable.

That might be also interesting:

How to Implement a Vulnerability Management Process

, , , , ,
Vulnerability and Patch Management are major and essential tasks of the Information- and IT-Security. A good vulnerability and patch management process helps you to identify, evaluate, prioritize and reduce the technical security risks of your company or organization. Even if you are not planning to implement security frameworks like ISO 27001 or NIST Cybersecurity Framework (CSF) you should consider to implement a basic vulnerability management process or technical measures and controls to be prepared for critical cybersecurity attacks or threats.…
Read More

ISO 27001 How to Define your Scope Statement

, , , ,
Defining your ISO 27001 scope statement is one of the first steps for building your ISMS. Although it is just a short separate document or small paragraph in your security policy it is one of the most important point. This is because every next step is related to your scope or area of application. In this article you can find out why the definition of your scope is so important, how to write your statement, what it does have to…
Read More

ISO 27001 Controls you need to cover

, , ,
If you are about to start a project for implementing the ISO 27001 security framework you want to know which controls you need to cover. This is one of the first questions you always get as a consultant. And it is one of the most important because you want to know about the size and therefor the time and budget you need to successfully implement this security standard. Here I want to give a quick overview about the controls for…
Read More

What is the best Cybersecurity Strategy for 2021

You read and hear about cyberattacks, data leakages or compromises all the time today. Companies and organizations are getting attacked constantly. Some successfully, some undiscovered and others were lucky or well protected. The risk is steadily increasing and not only that, but also regulatory requirements beginning to raise. So it is clear that a lot of companies want to improve and prove their Cybersecurity by setting up a cybersecurity strategy. The problem is often, they don’t know how and where…
Read More

Share this article

6 Comments. Leave new

  • Aaron Birdsong
    May 14, 2020 4:37 am

    Nice post!

  • Richard Regalado
    September 20, 2020 2:11 am

    Hello Florian. Since no controls are required, there is no mandatory policy or procedure from Annex A. Have a nice day.

  • Hi Florian, I loved what ever shared here, very crisp and to the point.

  • Hi Sir,
    Can you please help how to create a process in below concern, A software company is having an aggressive growth plan which includes ramping up resources from current strength of 50 to 250 in the next 1 year. This includes, developers, Project Managers, Solution Architect, Sales personnel, HR, Admin and Finance personnel as well. Prepare a comprehensive plan in terms of achieving ISO 27001/2013 standards for the organization, in the next 2 years. The plan should cover all departments, budgets, tools, etc. required for achieving the same.

  • Very helpful post. Thank you

  • Such great website

    Amazing blog thanks for sharing today on this blog


Leave a Reply

Your email address will not be published.

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed