CALL US 1-888-553-2256

ISO 27001/ISO 22301 Knowledge base

Dejan Kosutic

List of mandatory documents required by ISO 27001 (2013 revision)

Author: Dejan Kosutic

With the new revision of ISO/IEC 27001 published only a couple of days ago, many people are wondering what documents are mandatory in this new 2013 revision. Are there more or fewer documents required?

Here is the list of ISO 27001 mandatory documents – below you’ll see not only the mandatory documents, but also the most commonly used documents for ISO 27001 implementation.

Mandatory documents and records required by ISO 27001:2013

Here are the documents you need to produce if you want to be compliant with ISO 27001: (Please note that documents from Annex A are mandatory only if there are risks which would require their implementation.)

    • Scope of the ISMS (clause 4.3)
    • Information security policy and objectives (clauses 5.2 and 6.2)
    • Risk assessment and risk treatment methodology (clause 6.1.2)
    • Statement of Applicability (clause 6.1.3 d)
    • Risk treatment plan (clauses 6.1.3 e and 6.2)
    • Risk assessment report (clause 8.2)
    • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
    • Inventory of assets (clause A.8.1.1)
    • Acceptable use of assets (clause A.8.1.3)
    • Access control policy (clause A.9.1.1)
  • Operating procedures for IT management (clause A.12.1.1)
  • Secure system engineering principles (clause A.14.2.5)
  • Supplier security policy (clause A.15.1.1)
  • Incident management procedure (clause A.16.1.5)
  • Business continuity procedures (clause A.17.1.2)
  • Statutory, regulatory, and contractual requirements (clause A.18.1.1)

And here are the mandatory records:

  • Records of training, skills, experience and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)
  • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

Non-mandatory documents

There are numerous non-mandatory documents that can be used for ISO 27001 implementation, especially for the security controls from Annex A. However, I find these non-mandatory documents to be most commonly used:

  • Procedure for document control (clause 7.5)
  • Controls for managing records (clause 7.5)
  • Procedure for internal audit (clause 9.2)
  • Procedure for corrective action (clause 10.1)
  • Bring your own device (BYOD) policy (clause A.6.2.1)
  • Mobile device and teleworking policy (clause A.6.2.1)
  • Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
  • Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
  • Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
  • Procedures for working in secure areas (clause A.11.1.5)
  • Clear desk and clear screen policy (clause A.11.2.9)
  • Change management policy (clauses A.12.1.2 and A.14.2.4)
  • Backup policy (clause A.12.3.1)
  • Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
  • Business impact analysis (clause A.17.1.1)
  • Exercising and testing plan (clause A.17.1.3)
  • Maintenance and review plan (clause A.17.1.3)
  • Business continuity strategy (clause A.17.2.1)

So this is it – what do you think? Is this too much to write? Do these documents cover all aspects of information security?

Click here to download the white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision). It has more detailed information on the most common ways for structuring and implementing mandatory documents and records.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

11 responses to “List of mandatory documents required by ISO 27001 (2013 revision)”

  1. Mahaveer says:

    Hi, is this info still valid for mandatory documents for iso 27001 certifications ?

  2. Jessica says:

    Does ISO 27001:2013 define how to track version/revision numbers? What is the standard for ISO as I have always used whole numbers to track versions. Does ISO require V 1.0 etc?

  3. Charlene Louie Cortez says:

    Is A.12.1.1 Documented operating procedures related with this? Can I use this for my audit to check compliance with A.12.1.1?

  4. Karolina Wrona says:

    Hello! 🙂

    Please help me with answer to the question: Is the above list of mandatory documents and records compatible with and required by ISO27001:2017

  5. vineet aggarwal says:

    Pls tell me which evidences comes under “Documents of external origin” other than the 1. vendor prescribed technical specifications documents 2. VA and PT reports 3. NDAs

    • Rhand Leal says:

      For ISO 27001, documents of external origin are any documents that are required for the planning, implementation, operation, evaluation and improvement of information security.

      Considering that, besides the documents you mentioned we can include others such as laws (e.g., copy of EU GDPR), contracts (e.g., customer contract), service agreements (e.g., supplier service agreement), and standards (e.g., the ISO 27001 itself or a regulation adopted by your industry).

Leave a Reply

Your email address will not be published. Required fields are marked *



  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.