Cybernion
← Insights

ISO 27001

ISO 27001 Mandatory Documents Explained

3 July 2026 · Updated 3 July 2026

Short answer: ISO 27001:2022 names specific documented information across clauses 4 to 10: the ISMS scope, the information security policy, the risk assessment and treatment processes, the Statement of Applicability, the objectives, and records such as internal audit and management review results. It does not fix a document count or template. The 2022 revision requires fewer named documents than 2013.

“How many documents do we need?” is the wrong first question about ISO 27001, and it sends teams building binders of policies nobody reads. The standard names a specific set of documented information and leaves the packaging to you. This walks through what the standard actually requires, the difference between documents and records, and where Annex A fits.

What documents does ISO 27001 actually require?

ISO 27001:2022 names documented information across clauses 4 to 10. The core set is the Information Security Management System (ISMS) scope (clause 4.3), the information security policy (5.2), the risk assessment process and its results (6.1.2 and 8.2), the risk treatment process and its results (6.1.3 and 8.3), the Statement of Applicability (SoA) (6.1.3 d), and the information security objectives (6.2).

Alongside these, required records include evidence of competence (7.2), monitoring and measurement results (9.1), internal audit programme and results (9.2), and management review results (9.3), plus records from nonconformities and corrective actions (10.2). The standard names what must exist, not how to format it. You can hold the scope in its own document or fold it into a manual; what matters is that the information exists, is controlled, and is available at audit. This is the backbone of the ISO 27001 management system.

What is the difference between a document and a record in ISO 27001?

The 2022 standard uses one term, documented information, for both, but the old distinction still helps in practice. A document says what you intend to do: a policy, a procedure, the scope, the Statement of Applicability. A record shows you did it: an audit result, review minutes, a risk assessment output, a training log.

TypeAnswersExamples
DocumentsWhat we will doScope, policy, risk assessment method, Statement of Applicability, objectives
RecordsWhat we didInternal audit results, management review minutes, competence evidence, monitoring results

The reason it matters at audit is that documents alone prove nothing. An auditor reading a slick policy will immediately ask for the records that show it operates. Both are required; a certification built on documents with no records is exactly the paper ISMS that comes apart at Stage 2.

How does ISO 27001 clause 7.5 govern documented information?

Clause 7.5 sets the rules for documented information itself: creating and updating it, and controlling it. When you create or update a document, it must be identified, in a suitable format, and reviewed and approved for adequacy. When you control it, it must be available where needed, protected, and managed for distribution, storage, retention and disposal.

This is the control that catches teams who treat documents as write once artefacts. Version control, approval, and a defined retention approach are not optional extras; clause 7.5 requires them. It also gives you latitude: the standard says the extent of documented information can differ by organisation size, activities and competence, so a small team is not expected to match a large enterprise document by document. What clause 7.5 will not tolerate is uncontrolled documents, the policy nobody approved, the procedure three versions out of date, the record with no retention rule.

Do the 11 new ISO 27001 controls require new documents?

No, and this is a common transition worry. The 11 new Annex A controls in the 2022 revision do not require any new mandatory documents. You extend the documented information you already hold to cover them rather than writing separate documents for each.

Threat intelligence, data leakage prevention, secure coding and the rest are woven into existing policies, procedures and the Statement of Applicability, which already accounts for every Annex A control. The 2022 revision in fact requires fewer named documents than 2013, not more. Annex A control documentation is only mandatory where your risk treatment requires the control: a control you exclude needs only its recorded justification, not a procedure. So the document set follows your risk, not a fixed list of all 93 controls.

How much ISO 27001 documentation is enough?

Enough to run the ISMS and evidence it, and no more. The instinct to over document is as damaging as under documenting, because every document you write is a document you must keep controlled, reviewed and current under clause 7.5. A wall of unread policies is not conformance; it is maintenance debt.

The test is operational: does the document help someone do the work, and can you evidence the work happened? If a procedure exists only to satisfy a perceived requirement and nobody follows it, it is a liability at audit, because the auditor will find the gap between the document and reality. Aim for a lean set that maps to the named requirements, is genuinely used, and is backed by records. The readiness checklist and the mandatory documents for startups both lean toward the minimum viable set. If you want the document set built lean and audit ready, Cybernion runs ISO 27001 readiness and documentation.

Frequently asked questions

What documents does ISO 27001 require?

The standard names the ISMS scope, the information security policy, the risk assessment and risk treatment processes, the Statement of Applicability and the information security objectives, plus a set of records such as internal audit and management review results. It does not prescribe a fixed template for any of them.

How many mandatory documents does ISO 27001 have?

The standard does not fix a single number. It names specific documented information across clauses 4 to 10, but how you package it, one document or several, is up to you. The 2022 revision requires fewer named documents than 2013.

Do the 11 new ISO 27001 controls need new documents?

No. The 11 new Annex A controls do not require any new mandatory documents. You extend the documents you already hold, such as policies and the Statement of Applicability, to cover them, rather than writing separate documents.

What is the difference between a document and a record in ISO 27001?

Loosely, a document says what you will do, a policy or procedure, and a record shows you did it, an audit result or review minutes. The 2022 standard uses the single term documented information for both, but the distinction still helps in practice.

Are ISO 27001 Annex A control procedures mandatory documents?

Only where your risk treatment requires the control. Annex A documentation is mandatory when a risk or an interested party requirement demands that control. Controls you exclude in the Statement of Applicability need no procedure, only the recorded justification.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Talk to us.

Sources:

  1. ISO/IEC 27001:2022, clause 7.5 (Documented information) and clauses 4 to 10, iso.org, 2022
  2. ISO/IEC 27002:2022, Information security controls, iso.org, 2022

Last updated: 3 July, 2026

Talk to us about your engagement

A scoped proposal within one business day.