checklist
ISO 27001 Documentation Checklist
The mandatory documented information and key records auditors expect for ISO/IEC 27001:2022, from ISMS scope and SoA through to Stage 1 and Stage 2.
Related service: ISO 27001
Use this checklist to confirm your Information Security Management System (ISMS) holds the documented information required by ISO/IEC 27001:2022 before your certification audit. The standard names specific documents as mandatory; others are records that demonstrate the ISMS is actually operating. If you are new to the concept, our guide on what an ISMS is sets the scene.
Mandatory documented information (clauses 4–10)
- Scope of the ISMS (clause 4.3) — what is and is not covered
- Information security policy (clause 5.2)
- Information security objectives (clause 6.2), with plans to achieve them
- Information security risk assessment process (clause 6.1.2)
- Information security risk treatment process (clause 6.1.3)
- Statement of Applicability (SoA) — the Annex A controls you apply, justification for inclusion and any exclusions (clause 6.1.3 d)
- Risk treatment plan, with owners and target dates
- Evidence of competence of people doing security work (clause 7.2)
Operational records (evidence the ISMS runs)
- Results of information security risk assessments (clause 8.2)
- Results of information security risk treatment (clause 8.3)
- Monitoring and measurement results (clause 9.1)
- Internal audit programme and audit results (clause 9.2)
- Management review minutes and outputs (clause 9.3)
- Records of nonconformities and corrective actions (clause 10.2)
Supporting policies and procedures (commonly expected)
- Access control policy
- Acceptable use / asset handling policy
- Cryptography and key management policy
- Physical and environmental security procedures
- Operations security (backup, logging, malware protection, change management)
- Supplier and third-party security policy
- Information security incident management procedure
- Business continuity and ICT continuity arrangements
- Secure development policy where you build or configure software
Annex A control evidence (2022 edition)
The 2022 edition organises Annex A into 93 controls across four themes. Hold evidence that each control listed as applicable in your SoA is implemented:
- Organisational controls (Annex A.5)
- People controls (Annex A.6)
- Physical controls (Annex A.7)
- Technological controls (Annex A.8)
Our Annex A controls explained guide breaks these down in plain English.
Readiness for the audit stages
- Documentation complete and internally consistent, ready for Stage 1 (documentation review and readiness assessment)
- At least one full cycle of internal audit and management review completed
- Records showing controls operating over time, ready for Stage 2 (implementation and effectiveness audit)
- Corrective actions from internal audit closed or in progress with evidence
Building your ISMS from scratch or tidying it up before Stage 1? We can help you produce and align this documentation as part of a fixed-fee engagement — see our ISO 27001 support service.