To achieve **ISO/IEC 27001 certification**, an organization must develop and maintain a comprehensive
set of documents that demonstrate compliance with the standard's requirements. These documents form
the foundation of the **Information Security Management System (ISMS)** and provide evidence of its
implementation, operation, and continuous improvement. Below is a detailed list of the **mandatory and
supporting documents** required for ISO 27001 certification:
---
### **1. Mandatory Documents (Required by ISO 27001)**
These documents are explicitly required by the standard and must be in place for certification.
#### **a. ISMS Scope (Clause 4.3)**
- Defines the boundaries and applicability of the ISMS.
- Includes details about the organization, locations, departments, systems, and processes covered by the ISMS.
#### **b. Information Security Policy (Clause 5.2)**
- A high-level document that outlines the organization's commitment to information security.
- Includes objectives, roles, and responsibilities for information security.
#### **c. Risk Assessment and Treatment Process (Clause 6.1.2)**
- Documents the methodology used for identifying, analyzing, and evaluating information security risks.
- Includes a **Risk Treatment Plan (RTP)** that outlines how risks will be mitigated, transferred, avoided, or accepted.
#### **d. Statement of Applicability (SoA) (Clause 6.1.3)**
- Lists the controls from **Annex A** of ISO 27001 that are applicable to the organization.
- Provides justification for including or excluding specific controls.
#### **e. Risk Treatment Plan (Clause 6.1.3)**
- Details the actions taken to address identified risks, including timelines, responsibilities, and resources.
#### **f. Information Security Objectives (Clause 6.2)**
- Documents the organization's information security objectives, which should be measurable and aligned with the ISMS policy.
#### **g. Evidence of Competence (Clause 7.2)**
- Records of training, qualifications, and experience of personnel involved in the ISMS.
#### **h. Documented Information (Clause 7.5)**
- Evidence that the organization has established, maintained, and retained documented information required by the standard.
#### **i. Internal Audit Program (Clause 9.2)**
- Documentation of the internal audit process, including audit plans, schedules, and reports.
#### **j. Management Review Results (Clause 9.3)**
- Records of management reviews, including decisions made and actions taken to improve the ISMS.
#### **k. Nonconformities and Corrective Actions (Clause 10.1)**
- Records of nonconformities, corrective actions, and their outcomes.
---
### **2. Supporting Documents (Recommended for Effective ISMS Implementation)**
While not explicitly mandatory, these documents are essential for demonstrating compliance and ensuring
the ISMS operates effectively.
#### **a. Risk Assessment Report**
- Detailed documentation of the risk assessment process, including identified risks, their likelihood, impact, and risk levels.
#### **b. Asset Inventory**
- A list of information assets (e.g., hardware, software, data) and their classification based on sensitivity and criticality.
#### **c. Access Control Policy**
- Defines rules for granting, reviewing, and revoking access to information systems and data.
#### **d. Acceptable Use Policy (AUP)**
- Outlines acceptable and prohibited uses of organizational IT resources.
#### **e. Incident Management Procedure**
- Describes the process for detecting, reporting, and responding to information security incidents.
#### **f. Business Continuity Plan (BCP)**
- Documents the organization's strategy for maintaining operations during and after a disruption.
#### **g. Disaster Recovery Plan (DRP)**
- Specifies procedures for recovering IT systems and data after a disaster.
#### **h. Supplier Security Policy**
- Defines security requirements for third-party suppliers and service providers.
#### **i. Change Management Procedure**
- Describes how changes to systems, processes, and configurations are managed securely.
#### **j. Backup Policy**
- Outlines procedures for backing up critical data and systems.
#### **k. Physical Security Policy**
- Defines controls for securing physical access to facilities and equipment.
#### **l. Monitoring and Logging Policy**
- Describes how security events are monitored, logged, and analyzed.
#### **m. Encryption Policy**
- Specifies when and how encryption should be used to protect sensitive data.
#### **n. Data Classification Policy**
- Defines how data is classified based on sensitivity and the controls applied to each classification level.
#### **o. Employee Awareness Training Records**
- Documentation of training sessions and employee participation in information security awareness programs.
#### **p. Legal and Regulatory Compliance Checklist**
- A list of applicable laws, regulations, and contractual requirements, along with evidence of compliance.
#### **q. Vulnerability Management Procedure**
- Describes how vulnerabilities are identified, assessed, and remediated.
#### **r. Password Policy**
- Defines requirements for creating, managing, and protecting passwords.
---
### **3. Records (Evidence of Implementation and Operation)**
Records provide proof that the ISMS is being implemented and maintained as planned.
- **Risk Assessment Records**: Evidence of risk assessments conducted.
- **Incident Reports**: Records of security incidents and their resolution.
- **Audit Reports**: Results of internal and external audits.
- **Training Records**: Documentation of employee training and awareness activities.
- **Change Records**: Logs of changes made to systems and processes.
- **Monitoring Logs**: Records of security monitoring activities (e.g., firewall logs, intrusion detection logs).
- **Backup and Recovery Logs**: Evidence of backup and recovery activities.
- **Supplier Agreements**: Contracts with third-party suppliers, including security requirements.
---
### **Summary of Key Documents**
| **Category** | **Examples of Documents** |
|---|---|
| **Mandatory Documents** | ISMS scope, Information Security Policy, Risk Assessment, SoA, Risk Treatment Plan |
| **Supporting Documents** | Asset inventory, Access Control Policy, Incident Management Procedure, BCP, DRP |
| **Records** | Risk assessment records, incident reports, audit reports, training records |
---
### **Tips for Document Preparation**
1. **Align with ISO 27001 Requirements**: Ensure all documents meet the specific clauses of the standard.
2. **Keep Documents Up-to-Date**: Regularly review and update documents to reflect changes in the organization or its environment.
3. **Involve Stakeholders**: Collaborate with relevant departments (e.g., IT, HR, legal) to ensure documents are comprehensive and accurate.
4. **Use Templates**: Leverage ISO 27001 document templates to streamline the documentation process.
5. **Maintain Version Control**: Use a document management system to track revisions and ensure the latest versions are in use.
---
By preparing and maintaining these documents, organizations can demonstrate compliance with ISO 27001
and successfully achieve certification.