Policy Pros
Written by Joanne Hughes, Policy & Compliance Specialist

ISO 27001 Mandatory Documents - The Full List

ISO/IEC 27001:2022 requires fewer documents than most toolkits suggest. The mandatory documented information sits in clauses 4 to 10 of the standard, and it amounts to a defined scope, a top-level policy, a risk method with its outputs, the Statement of Applicability, and a set of operating records.

Everything else is conditional. Annex A documents are only required where the related control applies to you, and many familiar documents, such as a password policy or an ISMS manual, are not named by any clause at all.

ISO/IEC 27001 is an internationally recognised standard for establishing and certifying an information security management system (ISMS), as the NCSC's board toolkit describes. Certification is carried out by commercial certification bodies, and the NCSC advises that only bodies accredited by UKAS can ensure the assessment is truly independent.

This guide lists the documents the standard requires, clause by clause, then covers the Annex A documents auditors routinely expect and the ones that are genuinely optional.

Where the Mandatory List Comes From

Clauses 4 to 10 contain the management system requirements every certified organisation must meet. Several of those clauses name specific documented information, and that is the mandatory list.

Annex A works differently. It lists 93 reference controls in four themes (37 organisational, 8 people, 14 physical and 34 technological), and you apply them selectively through your Statement of Applicability, as described in the UKAS transition bulletin for the 2022 edition.

The 2022 edition is now the only one that counts. All certificates against the 2013 edition had to transition by 31 October 2025, so documents that still reference the old 114 controls in 14 domains are out of date.

One recent amendment is worth knowing about. Amendment 1:2024 added a requirement to clause 4.1 to determine whether climate change is a relevant issue; this feeds the context analysis behind your scope document but creates no new mandatory document.

The Mandatory Documents, Clause by Clause

These are the items of documented information that clauses 4 to 10 require. Auditors review most of them at Stage 1, before they examine implementation at Stage 2.

  • ISMS scope (clause 4.3). Defines the boundaries of the system: locations, business units, services and their interfaces and dependencies. The certificate scope is drawn from it, so it must match reality.
  • Information security policy (clause 5.2). The top-level policy approved by top management, committing the organisation to applicable requirements and continual improvement, and communicated to staff.
  • Risk assessment process (clause 6.1.2). Your documented method, including risk acceptance criteria and how risks are identified, analysed and evaluated so repeated assessments give comparable results.
  • Risk treatment process (clause 6.1.3). How you select treatment options, determine controls, compare them against Annex A and produce a treatment plan approved by risk owners.
  • Statement of Applicability (clause 6.1.3 d). The master list of necessary controls, with justifications for inclusion, implementation status and justification for any Annex A exclusions. It is the most scrutinised document in the set.
  • Information security objectives (clause 6.2). Measurable objectives with plans covering actions, resources, responsibility, timescale and how results are evaluated.
  • Evidence of competence (clause 7.2). Training records, certificates and skills matrices showing the people running the ISMS are competent.
  • Operational planning and control (clause 8.1). Process documentation kept to the extent necessary to show processes run as planned, including control of changes and outsourced processes.
  • Risk assessment results (clause 8.2). Records of each assessment, typically a risk register, with dates that match the planned cycle.
  • Risk treatment results (clause 8.3). Evidence the treatment plan was implemented, with status, owners and residual risk sign-off.
  • Monitoring and measurement results (clause 9.1). What you measure, how, by whom and when, and the evaluated results tied to your objectives.
  • Internal audit programme and results (clause 9.2). An audit programme covering the whole ISMS over time, plus the resulting audit reports.
  • Management review results (clause 9.3). Minutes showing top management reviewed the required inputs and made decisions on improvement.
  • Nonconformities and corrective actions (clause 10.2). A log recording each nonconformity, the action taken, the root cause and whether the action worked.

Annex A Documents Auditors Expect

Annex A controls only require documents where your Statement of Applicability says the control applies. In practice almost every organisation has most of them in scope, so auditors routinely expect the documents behind them.

The usual set includes topic-specific security policies (A.5.1), an inventory of assets (A.5.9), acceptable use rules (A.5.10), incident management procedures (A.5.24 and A.5.26), a register of legal, regulatory and contractual requirements (A.5.31), documented operating procedures (A.5.37), security terms in employment contracts (A.6.2), configuration baselines (A.8.9), activity logs (A.8.15) and, where you build software, a secure development policy (A.8.27).

Other familiar documents are common but genuinely optional. No clause names an ISMS manual, access control policy, password policy, classification policy, BYOD policy, disaster recovery plan or change management policy; they are often sensible to hold, but an auditor cannot demand them by clause number.

For UK organisations the legal register will usually include UK GDPR. The ICO's security principle guidance requires appropriate technical and organisational measures for personal data, so a well-run ISMS document set also supports data protection compliance.

Building the Document Set

The mandatory documents have a natural order, because the later ones depend on the earlier ones. A workable sequence looks like this.

1. Define the Scope and Top-Level Policy

Start with the clause 4 context analysis, including whether climate change is a relevant issue, and write the scope statement. Then draft the information security policy and have top management approve it.

2. Document the Risk Method and Run the First Assessment

Write the risk assessment and treatment processes before you assess anything, so the criteria exist first. Then run the assessment and record the results in a risk register.

3. Produce the Statement of Applicability and Treatment Plan

Work through the 93 Annex A controls, justify every inclusion and exclusion, and record implementation status. Build the treatment plan from the same analysis and have risk owners sign off the residual risk.

4. Generate the Operating Records

Competence records, monitoring results, internal audits, management reviews and corrective actions cannot be written in advance. Schedule them and let the records accumulate; auditors want evidence of operation, not templates.

Quick Reference

Document                                                           | Clause           | Status
-------------------------------------------------------------------|------------------|----------------------------------------
ISMS scope                                                         | 4.3              | Mandatory
Information security policy                                        | 5.2              | Mandatory
Risk assessment and treatment processes                            | 6.1.2 and 6.1.3  | Mandatory
Statement of Applicability                                         | 6.1.3 d          | Mandatory
Information security objectives                                    | 6.2              | Mandatory
Competence records                                                 | 7.2              | Mandatory
Operational planning and control                                   | 8.1              | Mandatory
Risk assessment and treatment results                              | 8.2 and 8.3      | Mandatory
Monitoring and measurement results                                 | 9.1              | Mandatory
Internal audit programme and reports                               | 9.2              | Mandatory
Management review records                                          | 9.3              | Mandatory
Nonconformity and corrective action records                        | 10.2             | Mandatory
Annex A documents (asset inventory, incident procedures, logs)     | Per the SoA      | Mandatory where the control applies
ISMS manual, password policy, BYOD policy, DR plan                 | None             | Optional

Common Mistakes

  • Treating Annex A as 93 mandatory policies instead of selecting controls through the Statement of Applicability.
  • Buying a large toolkit of documents nobody maintains, which auditors read as a paper exercise.
  • A Statement of Applicability that does not match the risk assessment or the scope on the certificate.
  • Still using the 2013 edition's control numbering and 14 domains, which became obsolete at the transition deadline of 31 October 2025.
  • Holding the documents but not the records: missed internal audits, no management review minutes, an empty corrective action log.
  • A scope statement written to look impressive rather than to describe how the business actually operates.

How Policy Pros Can Help

We write ISO 27001 documentation that fits how your organisation actually works, from the scope and information security policy through to the Statement of Applicability. Our ISO policy writing service covers the full mandatory set, and our IT security policies service covers the Annex A topic-specific policies and supporting procedures.

If you also hold or are working towards Cyber Essentials, the two schemes overlap but are not interchangeable. The NCSC notes that an ISO 27001 certificate cannot simply be declared equivalent to Cyber Essentials, so see our guide to the documents Cyber Essentials requires for that scheme's much shorter list.

Whichever route you take, choose a UKAS-accredited certification body and keep the document set lean enough to maintain. A small, current set of documents passes audits more comfortably than a large, stale one.

Frequently Asked Questions

How many documents does ISO 27001 actually require?

Clauses 4 to 10 of ISO/IEC 27001:2022 name around fourteen items of documented information, from the ISMS scope and information security policy through to internal audit, management review and corrective action records. On top of that, you need documents for each Annex A control your Statement of Applicability declares applicable.

Is the Statement of Applicability mandatory?

Yes. Clause 6.1.3 d requires a Statement of Applicability listing the necessary controls, the justification for including them, whether they are implemented, and the justification for excluding any of the 93 Annex A controls. It is usually the most heavily scrutinised document at audit.

Do I need a password policy for ISO 27001?

No clause of ISO 27001:2022 names a password policy, so it is not a mandatory document. Many organisations keep one because it is a convenient way to evidence authentication-related Annex A controls, but you can satisfy those controls through other documented rules and configuration evidence.

Are all 93 Annex A controls mandatory?

No. Annex A is a reference list, and you apply controls selectively based on your risk assessment. Every exclusion must be justified in the Statement of Applicability, and documents tied to a control are only required where that control applies to your organisation.
