4/16/2020 List of ISO 27001 mandatory documents and records


List of mandatory documents required by ISO 27001 (2013 revision)

Author: Dejan Kosutic, Lead ISO 27001/22301 Expert, Advisera
https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ 1/11
With the new revision of ISO/IEC 27001 published only a couple of days ago, many people are wondering what documents are mandatory in this new 2013 revision. Are there more or fewer documents required?

Here is the list of ISO 27001 mandatory documents – below you'll see not only the mandatory documents, but also the most commonly used documents for ISO 27001 implementation.

Mandatory documents and records required by ISO 27001:2013

Here are the documents you need to produce if you want to be compliant with ISO 27001. (Please note that documents tied to Annex A controls are mandatory only if those controls are applicable to you, i.e. if your risk treatment and Statement of Applicability (clause 6.1.3) select them.) Note that the standard itself uses the term "documented information" for both documents and records (clause 7.5).

Scope of the ISMS (clause 4.3)
Information security policy and objectives (clauses 5.2 and 6.2)
Risk assessment and risk treatment methodology (clause 6.1.2)
Statement of Applicability (clause 6.1.3 d)
Risk treatment plan (clauses 6.1.3 e and 6.2)
Risk assessment report (clause 8.2)
Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
Inventory of assets (clause A.8.1.1)
Acceptable use of assets (clause A.8.1.3)
Access control policy (clause A.9.1.1)
Operating procedures for IT management (clause A.12.1.1)
Secure system engineering principles (clause A.14.2.5)
Supplier security policy (clause A.15.1.1)
Incident management procedure (clause A.16.1.5)
Business continuity procedures (clause A.17.1.2)
Statutory, regulatory, and contractual requirements (clause A.18.1.1)


And here are the mandatory records:

Records of training, skills, experience and qualifications (clause 7.2)
Monitoring and measurement results (clause 9.1)
Internal audit program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)
Results of corrective actions (clause 10.1)
Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

Non-mandatory documents

There are numerous non-mandatory documents that can be used for ISO 27001 implementation, especially for the security controls from Annex A. However, I find these non-mandatory documents to be the most commonly used:

Procedure for document control (clause 7.5)
Controls for managing records (clause 7.5)
Procedure for internal audit (clause 9.2)
Procedure for corrective action (clause 10.1)
Bring your own device (BYOD) policy (clause A.6.2.1)
Mobile device and teleworking policy (clauses A.6.2.1 and A.6.2.2)
Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
Procedures for working in secure areas (clause A.11.1.5)
Clear desk and clear screen policy (clause A.11.2.9)
Change management policy (clauses A.12.1.2 and A.14.2.4)
Backup policy (clause A.12.3.1)
Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
Business impact analysis (clause A.17.1.1)
Exercising and testing plan (clause A.17.1.3)
Maintenance and review plan (clause A.17.1.3)
Business continuity strategy (clause A.17.2.1)

So this is it – what do you think? Is this too much to write? Do these documents cover all aspects of information security?


Click here to download the white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision). It has more detailed information on the most common ways for structuring and implementing mandatory documents and records.

Comments

Harshit Soni • 6 months ago

Hello!

I am working with a US-based tech company. The US office is compliant with ISO 27001 and they have requested the India office to start the process of the same; they have appointed IS, CIO, CISO and all required committees in the US and they have asked the India office not to appoint anyone to these positions.

Today we had a discussion with consultants and they said that at least you would require IS and CIO who will be responsible for executing your ISO 27001 program, internal audits and external audits. US management is not keen to do so.

Please guide what can be a practical solution for this situation.

Many Thanks!

Rhand Leal Mod > Harshit Soni • 6 months ago • edited

ISO 27001 does not prescribe which organizational structure regarding information security an organization has to have, so you can adopt the structure that best fits your needs:
- information security personnel in the India office will have a better understanding of local issues like culture and laws, ensuring better adaptation of security controls, and will have a quicker response time during incident events, but will require more investment in terms of salary
- centralizing security personnel in the US office will ensure more standardized practices, and has lower staff costs, but will have more difficulty adapting security controls to specific local situations, and will have a lower response time to incidents.

A middle-term solution would be to designate only one person to assume some responsibilities for information security in the India office, like adaptation of general solutions to local situations and providing local information for decision makers. Such responsibilities would normally not take full time, and could be allocated as a part-time activity. The main responsible person could still be the CIO from the US office.

For further information, please read:
- RACI matrix for ISO 27001 implementation project

Sush Gupta • a year ago

Hi,

My team has assigned me to perform an internal audit reviewing only the risk management process against ISO 27001. So in my audit plan I have to cover all areas where risk management needs to be done.

So can anyone please help me in selecting the areas (from mandatory clauses 4-10) that need to be audited to fulfil the requirement of the audit. I will be creating the audit plan based on the input you give me.

Rhand Leal Mod > Sush Gupta • a year ago • edited

The risk management process is covered by clauses 6.1.2, 6.1.3, 8.2 and 8.3 of the ISO 27001 standard. It is important to note that, because of clause 6.1.3 d) (related to the Statement of Applicability), you also will have to audit applicable controls (from those listed in ISO 27001 Annex A as well as any other controls you have implemented).

This article will provide you further explanation about elaborating checklists:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301
https://advisera.com/27001a...

This material will also help you regarding internal audit:
- ISO 27001:2013 Internal Auditor Course
https://training.advisera.c...

vineet aggarwal • 2 years ago

Please tell me which evidence comes under "Documents of external origin" other than 1. vendor-prescribed technical specification documents, 2. VA and PT reports, 3. NDAs.

Rhand Leal Mod > vineet aggarwal • 2 years ago • edited

For ISO 27001, documents of external origin are any documents that are required for the planning, implementation, operation, evaluation and improvement of information security.

Considering that, besides the documents you mentioned we can include others such as laws (e.g., a copy of the EU GDPR), contracts (e.g., a customer contract), service agreements (e.g., a supplier service agreement), and standards (e.g., ISO 27001 itself or a regulation adopted by your industry).

Karolina Wrona • 2 years ago

Hello! :)

Please help me with an answer to the question: Is the above list of mandatory documents and records compatible with and required by ISO 27001:2017?

Rhand Leal Mod > Karolina Wrona • 2 years ago

ISO 27001:2017 brings no changes regarding mandatory documents and records, so the above list is compatible with the documents and records required by ISO 27001:2017.

This article will provide you further explanation about ISO 27001:2017:
- European 2017 Revision of ISO/IEC 27001: What has changed?
