The ISO 27001 required documents are the paperwork an auditor expects to see before granting certification — a defined set of policies, procedures, and records that prove your management system exists and operates. Knowing exactly which ISO 27001 required documents are mandatory, and which are merely common practice, saves weeks of guesswork. This guide lists them all and shows how to produce them efficiently.

Mandatory documents vs. records — what’s the difference?
ISO 27001 distinguishes two kinds of “documented information”:
- Documents — what you write before you operate: policies, procedures, scopes, plans. They define how your ISMS works.
- Records — the evidence you generate while operating: audit results, meeting minutes, logs. They prove the ISMS is actually running.
Auditors want both. Documents show intent; records show reality.
The mandatory documents (Clauses 4–10)
These are the items whose documentation the main clauses of ISO/IEC 27001:2022 explicitly require for every certified organization, whatever its scope:
- Scope of the ISMS (Clause 4.3) — what your ISMS covers (sites, systems, teams).
- Information Security Policy (5.2) — top management’s high-level commitment.
- Risk Assessment Process (6.1.2) — your methodology for identifying and rating risk.
- Risk Treatment Process (6.1.3) — how you decide what to do about each risk.
- Statement of Applicability (SoA) (6.1.3 d) — the master list of Annex A controls, marked applicable or not, with justifications. The single most scrutinized document in your audit.
- Risk Treatment Plan (6.1.3 e) — who does what, by when, to treat each risk, together with the plans for achieving your objectives (6.2).
- Information Security Objectives (6.2) — measurable security goals.
The mandatory records
Generated as your ISMS operates:
- Evidence of competence (7.2) — training records, certifications
- Results of risk assessment and treatment (8.2 / 8.3)
- Monitoring and measurement results (9.1)
- Internal audit programme and results (9.2)
- Management review minutes (9.3)
- Nonconformities and corrective actions (10.2)
The Annex A documents most organizations also need
Beyond the clause-mandated set, ISO 27001:2022’s Annex A lists 93 controls across four themes (organizational, people, physical, technological). The standard requires documentation only for the controls your SoA marks as applicable, and only where the control itself calls for it — but in practice most organizations end up with policies and procedures such as:
- Acceptable Use Policy
- Access Control Policy
- Incident Management Procedure
- Business Continuity Plan
- Supplier / Third-Party Security Policy
- Asset Inventory and classification
- Secure Development Policy
- Cryptography and data-protection controls
Important: Your exact document set depends on your scope and your Statement of Applicability — there’s no universal list beyond the mandatory items above. Always confirm against the current text of ISO/IEC 27001:2022 and your certification body’s expectations.
How to produce your ISO 27001 required documents
Writing 25–40 policies, procedures, and registers from scratch can take months of specialist effort. That’s exactly why pre-built, auditor-written templates exist: you start from a complete, correctly-structured set and simply tailor it to your organization.
Skip the blank page.
The ISO 27001 Toolkit includes every mandatory document above — plus the Annex A policies and registers — as fully editable, auditor-written Word & Excel files, mapped to ISO/IEC 27001:2022.
Keeping your ISO 27001 required documents current
Certification is not the finish line. Auditors return for annual surveillance audits (with a full recertification audit in the third year) and expect your ISO 27001 required documents to be living artefacts — reviewed on a schedule, updated when the business changes, and version-controlled so history is clear. This is not just good practice: Clause 7.5 requires documented information to be controlled, with approval, distribution, and change tracking. Assign an owner to each document, set a review cadence (at least annually), and keep dated evidence of those reviews. The standard itself is maintained jointly by ISO and IEC, and treating documentation as an ongoing programme rather than a one-off project is what keeps surveillance and re-certification painless.
Frequently asked questions
Is the Statement of Applicability really mandatory?
Yes — it’s one of the most important required documents and a core focus of your audit. We explain it fully in the Statement of Applicability guide.
How many documents does ISO 27001 require?
Around 13 mandatory documents and records from the clauses (the 7 documents and 6 records listed above), plus however many Annex A controls your SoA marks applicable (often another 15–25 policies, procedures, and registers).
Do we need every Annex A control documented?
No — only those you’ve deemed applicable in your SoA. Every exclusion must carry a justification the auditor can follow, and “we don’t feel like it” is not one; typical grounds are that the risk is out of scope, absent, or addressed by another control.
New to the standard? Start with our complete guide to ISO 27001 certification.
