Mandatory Documents You Can't Forget For Your ISO Certification

April 22, 2021 / by Frederid Palacios

It’s well known that information security is increasing in cruciality for every organization. Protecting the sensitive information held by your company is vital to your success and reputation. For this reason, many companies are looking to earn their ISO 27001 certification. This certificate represents the highest standard of compliance with your information security management system (ISMS). But, because the process of earning this certificate is a long and thorough one, it can be daunting. Your organization will have to undergo an internal audit and collect several documents in addition to procuring a list of risks and treatment plans. To ensure that you have completed each of these steps and documents, we will take you through the mandatory documents you need to complete to earn your ISO 27001 certification and enhance your organization’s information security.

close up of businessman hand working on laptop computer with business graph information diagram on wooden desk as concept


List of Documents

There are 16 mandatory documents that you will need to produce if you want to be compliant with ISO 27001. It’s important to note that documents from Annex A are only mandatory if there are risks requiring their implementation.


Scope of the ISMS. It is a good practice to complete this document first. Defining the scope of your ISMS is a huge factor in improving your information security because it determines what components of your company will be covered by the certification. Essentially, this document should outline the information that you intend to protect, so your scope should cover any applicable departments and networks.

Information security policy and objectives. Your security policy should define objectives and operations for mitigating risks in your organization. This will make it evident to all in your organization what you are looking to achieve with your information security, ensuring that all parties are in agreement with security protocols.

Risk assessment and risk treatment methodology. These documents will serve as a compilation of your audit plan, identified risks, and treatment plan. To complete this, you will review, assess, and correct your security systems to create a safer infrastructure and prepare you for your certification.

Statement of Applicability. The Statement of Applicability is a vital document and should be treated as such. It is a critical document that defines how you will implement a large portion of your information security plan. In this, you will determine which controls from Annex A best suit your ISMS. This will ensure that your ISO certification serves as a holistic plan, providing company-wide protection and compliance.

Risk treatment plan. This document serves to control the risks identified during the risk assessment. There are three primary options for you to mitigate each identified risk; decrease the risk, share the risk, or retain the risk. For each risk you face, you should apply one of these options and detail it in the risk treatment plan.

Risk assessment report. The risk assessment report provides a detailed overview of the processes and documents used during risk assessment and treatment.

Definition of security roles and responsibilities. This document should assign top-level responsibilities and authorities for two main aspects; responsibilities for ensuring that the ISMS fulfills the requirements of ISO 27001 and the responsibilities for monitoring the performance of the ISMS and reporting to top management.

Cyber Security as a Competitive Advantage

Inventory of assets. Your asset inventory should include hardware, software, information (both physical and electronic), infrastructure, outsourced services, and people. All of these assets can impact the confidentiality, integrity, and availability of information, so it is essential to identify all applicable assets and detail them in this document.

Acceptable use of assets. In this document you will identify, document, and implement rules for the acceptable use of information, informational assets, and information processing facilities.

Access control policy. Following the previous document, the access control policy is documentation of the access control rules, rights, and restrictions of information and assets in your organization. This should reflect the information security risks present in your organization and your plan for mitigating them.

Operating procedures for IT management. Documenting operating procedures helps to ensure a consistent and effective operation of systems, especially concerning IT management, as that department is in charge of large volumes of sensitive information

Secure system engineering principles. Principles for engineering secure systems must be established, documented, maintained, and applied to any ISMS implementation efforts. This will ensure that an auditor can see that system engineering principles are considered against identified risks. 

Supplier security policy. A supplier security policy will ensure that your suppliers are in compliance with the security standards of your organization. In this document, you will create a policy that verifies that you and your supplier will adhere to determined information security practices.

Incident management procedure. This document will clearly define the individual responsible for restoring a normal level of security should an incident occur. You should include the procedure for collecting evidence after the occurrence, conducting an analysis, the potential for escalation, communicating the incident, and dealing with weaknesses surrounding the incident.

Business continuity procedures. You will need to establish, document, implement, and maintain processes to ensure the required level of continuity for information security. This will ensure that you continue to follow set security controls through the lifecycle of your company to guarantee consistent security.

Statutory, regulatory, and contractual requirements. In the final mandatory document, you will need to describe all requirements that must be followed by your organization, in addition to your approach to meeting these requirements. Each requirement should be explicitly identified, documented, and kept up to date to ensure continuous compliance in order to avoid possible fines and penalties.

In addition to these mandatory documents, there are also mandatory records that you will need to produce:

  • Records of training, skills, experience, and qualifications
  • Monitoring and measurement results
  • Internal audit program
  • Results of internal audits
  • Results of the management review
  • Results of corrective actions
  • Logs of user activities, exceptions, and security events

Once you have completed each ISO 27001 mandated document and record, your organization will be ready to submit it. In submitting and verifying these documents, it will be highly evident that your organization is in compliance with the highest security standards, which will be reflected in your certificate. With the ISO 27001 certification in your toolbox, you will hold an internationally recognized ISMS compliance, demonstrating your company's quality of security. With an enhanced level of security in your organization, you will maintain constant compliance while significantly minimizing the number of security risks you face. Should you encounter a security risk, you will be well equipped to handle it quickly and efficiently, ensuring that you resume business operations with minimal losses. Information security should be a top priority for every company, and the ISO 27001 certification will lead you to achieve the most efficient information security practices possible.

contact us

Tags: Cyber Security

Frederid Palacios

Written by Frederid Palacios

Fred Palacios is a seasoned software architect with more than 20 years of experience participating in the entire software development cycle across a host of different industries--from automotive and services to petroleum, financial, and supply chain. In that time, his experience working closely with high-level stakeholders has provided him with a strategic vision for developing the right solutions to flexibly meet critical business needs. As CTO of Intertec, he's continuing to focus on the creation of business-critical applications for large enterprise projects, particularly those that handle high concurrency and large datasets. He is passionate about using technology as a tool to solve real-world problems and also mentoring technical teams to achieve their maximum potential and deliver quality software.

Leave A Comment