
ISO27001security.com

Mandatory ISMS documentation

Mandatory Information Security Management System Documents


Required for ISO/IEC 27001 Certification
By Osama Salah and Gary Hinson
16th January 2009

Introduction
Members of the ISO27k Implementers Forum often ask which documents are explicitly mandated for certification of their Information Security Management System (ISMS) against ISO/IEC 27001:2005. Since opinions vary somewhat, we have compiled the following table by referencing and explaining certain clauses from the standard, particularly but not only those under clause 4.3 Documentation requirements.

An ISMS is intended to bring information security under management control in order to ensure that it satisfies, and is maintained so that it continues to satisfy, the organization's information protection requirements. Documentation is an important element of any management system because it clarifies the management processes and activities for users of the system and interested parties (including certification auditors). The notes to clause 4.3.1 General, plus the following clauses 4.3.2 Control of documents and 4.3.3 Control of records, lay out in some detail what is required of the documentation for the purposes of the certification audit. There is more to it than red tape! If you take care to produce good quality documentation, it is more likely that your ISMS will meet the organization's objectives, not just those of the standard and the auditors.

Clause 1.2 of the standard specifies that compliance with clauses 4 through 8 inclusive is mandatory for certification. The ISO/IEC 27001 extracts quoted in the table below explicitly mandate certain documents, while additional documentation requirements may be inferred or implied from some clauses. Furthermore, in practice, organizations usually produce and use additional documents for their own purposes, beyond the minimal set stated in ISO/IEC 27001. The interpretation column in the table provides additional guidance based on our experience, but this is not definitive. The titles of documents may vary in practice and in some cases there may be multiple variants (e.g. risk assessment reports for different situations, systems etc.).

Purpose
The table below can be used by the organization as a checklist prior to a certification audit to confirm that everything is in order, and to collate
the mandatory documents ready for the auditors to review. It can also be used up front when planning and implementing the ISMS as a guide
to the documentation that will have to be created and produced. We have provided a status column for such purposes.

Copyright

Copyright 2009 ISO27k Implementers Forum

Page 1 of 7

This work is copyright 2009, ISO27k Implementers' Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Implementers Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this.


The mandatory ISMS documents

Each entry below gives, in turn: the ISO/IEC 27001 extract that mandates the document; a Status checklist (Designed / Allocated / Drafted / Approved) for the organization's own use; and our Interpretation.

4.3 Documentation requirements

4.3.1 General

Mandated by ISO/IEC 27001: "Documentation shall include records of management decisions"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Records of key management decisions regarding the ISMS, e.g. minutes of management meetings, investment decisions, mandating of policies, reports etc. [Not individually specified in the standard apart from the following specific items.]

Mandated by ISO/IEC 27001: "The ISMS documentation shall include: a) Documented statements of the ISMS policy (see 4.2.1.b) and objectives;"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Information security policy set matching the characteristics of the business, the organization, its location, [information] assets and technology, being a superset of (i.e. including) both of the following:

(1) An ISMS policy defining the objective-setting management framework for the ISMS, giving it an overall sense of direction/purpose and defining key principles. The ISMS policy must:
- take account of information security compliance obligations defined in laws, regulations and contracts;
- align with the organization's strategic approach to risk management in general;
- establish information security risk evaluation criteria (the risk appetite); and
- be approved by management.

(2) Information security policy or policies specifying particular information security control objectives or requirements in one or more documents [these should also be approved by management to have full effect].
Status: Designed / Allocated / Drafted / Approved

Mandated by ISO/IEC 27001: "c) The scope of the ISMS (see 4.2.1.a))"
Status: Designed / Allocated / Drafted / Approved
Interpretation: ISMS scope defining the boundaries of the ISMS in relation to the characteristics of the business, the organization, its location, [information] assets and technology. Any exclusions from the ISMS scope must be explicitly justified.


Mandated by ISO/IEC 27001: "d) Procedures and controls in support of the ISMS"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Controls documentation, e.g. technical security standards, security architectures/designs etc., probably referencing ISO/IEC 27002 (details vary between ISMSs).
Status: Designed / Allocated / Drafted / Approved
Interpretation: Information security procedures, i.e. written descriptions of information security processes and activities, e.g. procedures for user ID provisioning and password changes, security testing of application systems, information security incident management response etc.

Mandated by ISO/IEC 27001: "f) A description of the risk assessment methodology (see 4.2.1.c))"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Risk assessment methods, i.e. policies, procedures and/or standards describing how information security risks are assessed, probably referencing ISO/IEC TR 13335-3 and/or ISO/IEC 27005.

Mandated by ISO/IEC 27001: "g) The risk assessment report (see 4.2.1.c) to 4.2.1.g))"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Risk assessment reports documenting the results/outcomes/recommendations of information security risk assessments using the methods noted above. For identified risks to information assets, possible treatments are: applying appropriate controls; knowingly and objectively accepting the risks (if they fall within the risk appetite); avoiding them; or transferring them to third parties. The reference to 4.2.1c-g implies that information security control objectives and controls should be identified in these reports.

Mandated by ISO/IEC 27001: "h) The risk treatment plan (see 4.2.2.b)"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Risk treatment plan, i.e. a [project?] plan describing how the identified information security control objectives are to be satisfied, with notes on funding plus roles and responsibilities.

Mandated by ISO/IEC 27001: "i) Documented procedures needed by the organization to ensure the effective planning, operation and control of its information security process and describe how to measure effectiveness of controls (see 4.2.3.c)"
Status: Designed / Allocated / Drafted / Approved
Interpretation: ISMS operating procedures, i.e. written descriptions of the management processes and activities necessary to plan, operate and control the ISMS, e.g. policy review and approvals process, continuous ISMS improvement process.
Status: Designed / Allocated / Drafted / Approved
Interpretation: Information security metrics describing how the effectiveness of the ISMS as a whole, plus key information security controls where relevant, is measured, analyzed, presented to management and ultimately used to drive ISMS improvements.


Mandated by ISO/IEC 27001: "k) Records required by this International Standard (see 4.3.3)"
Status: n/a
Interpretation: See 4.3.3 below. "Records" means information security paperwork such as user ID authorizations, and electronic documents such as system security logs, that are used routinely while operating the ISMS and should be retained and made available for the certification auditors to sample and check. Collectively, these prove that the ISMS has been properly designed, mandated by management and put into effect by the organization.

Mandated by ISO/IEC 27001: "l) The Statement of Applicability"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Statement of Applicability stating the information security control objectives and controls that are relevant and applicable to the ISMS, generally a consolidated summary of the results of the risk assessments, cross-referenced to the control objectives from ISO/IEC 27002 that are in scope.

4.3.2 Control of documents

Mandated by ISO/IEC 27001: "Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Document control procedure explaining how ISMS documents are approved for use, reviewed/updated/re-approved as necessary, version managed, disseminated as necessary, marked etc. (see 4.3.2 for the full list). If the organization already has a Quality Management System conforming to ISO 9000, the QMS document control procedure (or equivalent from another management system) may be applied to the ISMS.

4.3.3 Control of records

Mandated by ISO/IEC 27001: "The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented."
Status: Designed / Allocated / Drafted / Approved
Interpretation: Records control procedure explaining how records proving conformity to ISMS requirements and the effective operation of the ISMS (as described elsewhere in the standard) are protected against unauthorized changes or destruction. Again, this procedure may be copied from the QMS or other management systems.

5 Management responsibility


Mandated by ISO/IEC 27001: "5.2.2 d) The organization shall maintain records of education, training, skills, experience and qualifications (see 4.3.3) ... The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Security awareness, training and education records documenting the involvement of all personnel having ISMS responsibilities in appropriate activities (e.g. security awareness programs and security training courses such as new employee security induction/orientation classes).
Status: Designed / Allocated / Drafted / Approved
Interpretation: Various other clauses in section 5 mandate management support for information security awareness activities in general; therefore, while not directly stated, the requirement for information security awareness materials, training evaluation/feedback reports etc. may be inferred from this section.

6 Internal ISMS audits

Mandated by ISO/IEC 27001: "The organization shall conduct internal ISMS audits at planned intervals ... The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.3.3) shall be defined in a documented procedure."
Status: Designed / Allocated / Drafted / Approved
Interpretation: Internal ISMS audit plans and procedures stating the auditors' responsibilities in relation to auditing the ISMS, the audit criteria, scope, frequency and methods.
Status: Designed / Allocated / Drafted / Approved
Interpretation: While not stated directly, further comments in section 6 regarding the need for actions arising from audits to be taken without undue delay could be taken to imply that ISMS audit reports, agreed action plans and follow-up/verification/closure reports should be retained and made available to the certification auditors on request.

7 Management review of the ISMS

Mandated by ISO/IEC 27001: "7.1 Management shall review the organization's ISMS at planned intervals (at least once a year) to ensure its continued suitability, adequacy and effectiveness ... 7.3 The output from the management review shall include decisions and actions relating to"
Status: Designed / Allocated / Drafted / Approved
Interpretation: This implies the need to retain records (such as management review plans and reports) proving that management does in fact review the ISMS at least once a year.

8.2 Corrective action

Mandated by ISO/IEC 27001: "The documented procedure for corrective action shall define"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Corrective action procedure documenting the way in which nonconformities which exist are identified, root causes are analyzed and evaluated, suitable corrective actions are carried out and the results thereof are reviewed.

8.3 Preventive action

Mandated by ISO/IEC 27001: "The documented procedure for preventive action shall define"
Status: Designed / Allocated / Drafted / Approved
Interpretation: Preventive action procedure similar to the corrective action procedure but focusing more on preventing the occurrence of nonconformities in the first place, with such activities being prioritized on the basis of the assessed risk of such nonconformities.
*** End of list ***
