ISO 27001 certification requires organisations to prove their compliance with the Standard with appropriate documentation.
List of documents required for ISO 27001:2013
You must document:
- Scope (4.3)
- Information security policy (5.2 e)
- Information security risk assessment process (6.1.2)
- Information security risk treatment process, including a risk treatment plan (6.1.3)
- Statement of Applicability (6.1.3)
- Information security objectives (6.2)
- Evidence of competence (7.2)
- Any other documented information “determined by the organisation as being necessary for the effectiveness of the ISMS” (7.5.1 b)
- Information necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
- Results of information security risk assessments (8.2)
- Results of information security risk treatment (8.3)
- Evidence of the information security performance monitoring and measuring results (9.1)
- Internal audit programme(s) and the audit results (9.2 g)
- Internal audit procedure (ISO 27000:2014, sec. 2.5)
- Evidence of the results of management reviews (9.3)
- Evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective actions (10.1)
It is also best practice to provide supporting documentation for your chosen Annex A controls. Auditors will need to confirm that each of your organisation’s processes is systematically communicated, understood, executed and effective.
Where to start with ISO 27001 documentation
Providing the documentation for your information security management system (ISMS) is often the hardest part of achieving ISO 27001 certification. It is a daunting process, and many companies do not know where to start.
For more complex businesses, the documentation can run to thousands of pages.
For these reasons, many companies choose to outsource support when it comes to tackling ISO 27001 documentation.
The ISO 27001 ISMS Documentation Toolkit has been used by more than 2000 organisations worldwide and, unlike other toolkits on the market, is proven to have helped organisations achieve certification.
The toolkit includes:
- A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
- Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
- Direction and guidance from expert ISO 27001 practitioners.