Country
List of mandatory documents required by ISO 27001 (2013 revision)
With the new revision of ISO/IEC 27001 published only a couple of days ago, many people are wondering what documents are mandatory in this new 2013 revision. Are there more or fewer documents required?
So here is the list – below you will see not only mandatory documents, but also the most commonly used documents for ISO 27001 implementation.
Mandatory documents and records required by ISO 27001:2013
Here are the documents you need to produce if you want to be compliant with ISO 27001: (Please note that documents from Annex A are mandatory only if there are risks which would require their implementation.)
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And here are the mandatory records:
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Non-mandatory documents
There are numerous non-mandatory documents that can be used for ISO 27001 implementation, especially for the security controls from Annex A. However, I find these non-mandatory documents to be most commonly used:
- Procedure for document control (clause 7.5)
- Controls for managing records (clause 7.5)
- Procedure for internal audit (clause 9.2)
- Procedure for corrective action (clause 10.1)
- Bring your own device (BYOD) policy (clause A.6.2.1)
- Mobile device and teleworking policy (clause A.6.2.1)
- Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
- Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
- Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
- Procedures for working in secure areas (clause A.11.1.5)
- Clear desk and clear screen policy (clause A.11.2.9)
- Change management policy (clauses A.12.1.2 and A.14.2.4)
- Backup policy (clause A.12.3.1)
- Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
- Business impact analysis (clause A.17.1.1)
- Exercising and testing plan (clause A.17.1.3)
- Maintenance and review plan (clause A.17.1.3)
- Business continuity strategy (clause A.17.2.1)
So this is it – what do you think? Is this too much to write? Do these documents cover all aspects of information security?
Click here to download the white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision). It has more detailed information on the most common ways for structuring and implementing mandatory documents and records.
Hi, is this info still valid for mandatory documents for iso 27001 certifications ?
Yes, ISO 27001:2013 is the current version of this standard
Does ISO 27001:2013 define how to track version/revision numbers? What is the standard for ISO as I have always used whole numbers to track versions. Does ISO require V 1.0 etc?
ISO 27001, as well as other ISO management standards, does not prescribe how to track version/revision numbers. It only requires that control of documents is established and maintained, so organizations are free to chose any format that better suits them. Although version numbering is not required by ISO standards, this is considered to be a best practice.
This article will provide you further explanation about managing documentation:
– Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
This material will also help you regarding managing documentation:
– Managing ISO Documentation: A Plain English Guide
https://advisera.com/books/managing-iso-documentation-plain-english-guide/
Hello!
Is A.12.1.1 Documented operating procedures related with this? Can I use this for my audit to check compliance with A.12.1.1?
1 – Is A.12.1.1 Documented operating procedures related with this?
Answer: The control A.12.1.1 is one of the mandatory documents listed above, provided that there are risks that justify its implementation. Some of the records listed as mandatory may be referred in the operating procedures (Logs of user activities, exceptions, and security events – related to clauses A.12.4.1 and A.12.4.3), but this will depend on how you will write this procedure.
These articles will provide you further explanation about selecting and documenting controls:
– The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
– How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
2- Can I use this for my audit to check compliance with A.12.1.1?
Answer: To check the compliance of control A.12.1.1 implementation you have to consider the results of risk assessment, because they will inform you which risks are relevant and should be treated by practices documented in the operational procedures.
These materials will also help you regarding audits:
– ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
– ISO 27001:2013 Internal Auditor course https://training.advisera.com/course/iso-27001-internal-auditor-course/
Hello! 🙂
Please help me with answer to the question: Is the above list of mandatory documents and records compatible with and required by ISO27001:2017
ISO 27001:2017 brings no changes regarding mandatory documents and records, so the above list is compatible with documents and records required by ISO27001:2017.
This article will provide you further explanation about ISO 27001:2017:
– European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/
Thank you very much for answer! 🙂
Pls tell me which evidences comes under “Documents of external origin” other than the 1. vendor prescribed technical specifications documents 2. VA and PT reports 3. NDAs
For ISO 27001, documents of external origin are any documents that are required for the planning, implementation, operation, evaluation and improvement of information security.
Considering that, besides the documents you mentioned we can include others such as laws (e.g., copy of EU GDPR), contracts (e.g., customer contract), service agreements (e.g., supplier service agreement), and standards (e.g., the ISO 27001 itself or a regulation adopted by your industry).