Skip to content
360 Cyber Compliance

ISO 27001 · 1 July 2026

ISO 27001 documentation checklist: what you actually need

One of the first questions organisations ask about ISO/IEC 27001:2022 is: “How much do we have to write?” The honest answer is less than most people fear. This guide sets out the documents and records the standard actually requires, and how to keep them lean, consistent and audit-ready.

Documents vs records

ISO/IEC 27001 refers to documented information, which comes in two forms:

  • Documents — things you create and maintain, such as policies and procedures. They describe how you intend to operate.
  • Records — evidence generated as you operate, such as audit reports and training logs. They prove things actually happened.

Auditors want both: documents that describe your ISMS, and records that demonstrate it’s working.

The mandatory documents

These are the core documents ISO/IEC 27001 expects you to have in place.

DocumentPurpose
ISMS scopeDefines what the ISMS covers — systems, sites, information
Information security policyTop-level statement of intent, approved by leadership
Risk assessment processThe defined, repeatable method for assessing risk
Risk assessment resultsThe identified and evaluated risks
Risk treatment planHow each significant risk will be addressed
Statement of Applicability (SoA)Every Annex A control, whether it applies, and why
Information security objectivesMeasurable security goals

The risk assessment and Statement of Applicability are the ones auditors scrutinise most closely, so give them particular care and keep them consistent with each other.

The mandatory records

Records are the evidence that your ISMS operates. Expect to maintain:

  • Evidence of competence — training and awareness records.
  • Monitoring and measurement results — how you check controls work.
  • Internal audit programme and results — see our guide to internal audits.
  • Management review results — minutes, decisions and actions.
  • Evidence of nonconformities and corrective actions — findings and how they were resolved.
  • Results of risk assessments and treatment as they evolve over time.

Supporting policies and procedures

Beyond the mandatory list, most organisations create supporting documents that bring their chosen Annex A controls to life. Which you need depends on your risks and scope, but common examples include:

  • Access control policy.
  • Acceptable use policy.
  • Supplier and cloud security policy.
  • Incident management procedure.
  • Business continuity and backup procedures.
  • Secure development policy (especially for software firms).
  • Data classification and handling policy.
  • Remote and mobile working policy.

The golden rule: only write a policy you’ll actually follow. An auditor would rather see three policies that reflect reality than fifteen that gather dust.

A quick self-check

Ask yourself, for each item:

  1. Does it exist? — the document or record is in place.
  2. Is it approved? — where required, leadership has signed it off.
  3. Is it current? — it’s been reviewed and reflects how you work now.
  4. Is it consistent? — it agrees with the risk assessment, SoA and other documents.
  5. Is it evidenced? — for records, you can show it actually happened.

If you can answer yes to all five, you’re in good shape for a Stage 1 and Stage 2 audit.

Keep it lean

A frequent and costly mistake is over-documentation — producing a mountain of policies nobody reads. ISO/IEC 27001 doesn’t reward volume; it rewards a system that genuinely operates. Aim for:

  • Right-sized documents proportionate to your organisation.
  • Plain language so staff understand and follow them.
  • Version control so you always know which version is current.
  • Regular review so documents don’t drift out of date.

For smaller organisations or those earlier in their journey, schemes such as Cyber Essentials and IASME Cyber Assurance involve lighter documentation and can be a useful stepping stone.

Common documentation pitfalls

  • Templates left generic, so they don’t reflect your organisation.
  • Documents that contradict each other, which auditors will notice.
  • Missing records — the policy exists but there’s no proof it’s followed.
  • No version control, so no one knows which copy is current.
  • Stale documents that were never reviewed after go-live.

If any terms here are unfamiliar, our glossary explains them in plain English.

How we can help

Getting documentation right — complete enough to satisfy an auditor, lean enough to actually use — is where many organisations lose time. We provide practical support throughout, helping you produce right-sized documents and records that reflect how you really work, through a transparent, fixed-fee engagement with a clear delivery process. Our free ISO 27001 gap assessment tool will highlight where your documentation stands today.

Learn more about our ISO 27001 service or get in touch to get your documentation audit-ready.

Need help in practice? See our ISO 27001 service.

Need a hand with this?

Book a free, no-obligation readiness check.