
ISO 27001 Documentation: What’s required for Compliance in 2025?

Last updated on October 21, 2025
5 min. read

ISO 27001 certifications are increasing by 20% each year. For modern businesses, demonstrating ISO 27001 compliance builds customer trust and opens doors to global partnerships. 

To get certified to ISO 27001, organizations must clear a two-stage audit process. The Stage 1 audit—the documentation review—requires you to submit mandatory documents. And here’s the catch: incomplete or missing documentation is still one of the common reasons for failing an ISO 27001 audit, often leading to serious consequences.

From physical records and digital files to email trails and evidence logs, every document must be in order. Yet compliance teams still rely on manual processes—scattered spreadsheets, siloed tools, outdated templates—making version control and audit readiness a nightmare. 

In this article, we explain ISO 27001 documentation requirements and show how automation tools and templates can simplify your audit preparation.

List of ISO 27001 mandatory documents

The following ISO 27001 documents are required for certification. Together, they help demonstrate that your ISMS is properly implemented, maintained, and audit-ready.

Mandatory documents

Mandatory document                                                    ISO 27001 clause
Scope of the ISMS                                                     4.3
Statement of Applicability (SoA)                                      6.1.3 d
Information security policy                                           5.2
Risk assessment & treatment document                                  6.1.2 and 6.1.3
Information security objectives                                       6.2
Evidence of competence                                                7.2
Operational planning and control                                      8.1
Results of the information security risk assessment                   8.2
Results of the information security risk treatment                    8.3
Evidence of ISMS monitoring and tracking metrics                      9.1
Evidence of the implementation of the audit program(s)                9.2
Results of management reviews                                         9.3
Evidence of any non-conformities and corrective actions taken         10.1

1. Scope of the ISMS (Clause 4.3)

This document defines the boundaries and applicability of your ISMS within your organization. It outlines which locations, assets, and technologies fall within scope, ensuring clarity for the implementation and maintenance of your ISMS.

The scope must also take into account external and internal issues (Clause 4.1) and the requirements of interested parties (Clause 4.2).

2. Statement of Applicability (SoA) - The most critical document

The Statement of Applicability is the most crucial document in your ISO 27001 implementation. This document serves as the bridge between your risk assessment and your security controls.

The SoA is a living document and must be updated whenever the risk assessment or the ISMS scope changes.

What should be included?

Complete Annex A control listing: Your SoA must list all 93 Annex A controls from ISO 27001:2022. For each control, you must clearly state whether it's:

  • Applicable (included in your ISMS)
  • Not applicable (excluded from your ISMS)

Justification for each decision: This is where many organizations fail. You must provide clear reasoning for why each control is included or excluded:

  • For applicable controls: Explain how they address specific risks identified in your risk assessment
  • For excluded controls: Provide legitimate business reasons (e.g., "Control A.7.4 - Physical security monitoring is not applicable as our organization operates entirely remotely with no physical offices")

Risk mapping: Link applicable controls to specific risks from your risk assessment. This demonstrates that your control selection is risk-based, not arbitrary.

3. Information security policy (Clause 5.2)

Approved by top management, this policy outlines an organization’s commitment to managing information security. It defines the principles and framework for establishing security objectives. 

What should be included?

Policy scope and applicability: Define to whom the policy applies: employees, contractors, third parties. You must also mention which information assets are covered.

Information security principles: Outline your organization's approach to confidentiality, integrity, and availability of information.

Roles and responsibilities: High-level assignment of information security responsibilities within the organization.

Compliance requirements: Reference to legal, regulatory, and contractual obligations your organization must meet.

Review and update process: How often the policy will be reviewed and under what circumstances it will be updated.

4. Risk assessment & treatment document (Clause 6.1.2 and 6.1.3)

The risk assessment and treatment document defines how an organization identifies, analyzes, and evaluates information security risks. 

What should be included?

Risk identification methodology: How you systematically identify threats, vulnerabilities, and assets within your ISMS scope.

Risk analysis criteria: Your method for evaluating likelihood and impact, including:

  • Risk scoring scales (e.g., 1-5 for both likelihood and impact)
  • Risk level calculations (e.g., likelihood × impact)
  • Risk tolerance levels and acceptance criteria

Threat and vulnerability assessment: Your process for identifying relevant threats and existing vulnerabilities.

The treatment document should outline approaches for treating risks based on severity and through appropriate controls. It helps organizations prioritize actions to protect information assets based on their risk exposure, ensuring consistent and objective decision-making.
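The SoA rules in section 2 (every control justified, applicable controls linked to risks) and the scoring criteria above (1-5 likelihood and impact, level = likelihood × impact, a tolerance threshold) can be checked mechanically before the Stage 1 review. The script below is an added example, not code from the article or from Scrut; the register, SoA rows and the acceptance threshold of 10 are constructed sample values, and the control identifiers are the Annex A numbers the article itself mentions.

```python
"""Consistency checks for a risk register and Statement of Applicability."""
from dataclasses import dataclass, field

# Assumption for this example: a risk scoring 10 or more is above tolerance
# and must have at least one treatment control.
RISK_ACCEPTANCE_THRESHOLD = 10


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int                      # 1-5 scale
    impact: int                          # 1-5 scale
    controls: list[str] = field(default_factory=list)  # Annex A ids treating it

    def level(self) -> int:
        """Risk level = likelihood x impact, rejecting out-of-scale scores."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: scores must be on the 1-5 scale")
        return self.likelihood * self.impact


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str = ""


def check_soa(risks: list[Risk], soa: list[SoaEntry]) -> list[str]:
    """Return audit findings; an empty list means register and SoA agree."""
    findings = []
    applicable = {e.control_id for e in soa if e.applicable}
    excluded = {e.control_id for e in soa if not e.applicable}
    # Every row needs a stated reason, whether included or excluded.
    for e in soa:
        if not e.justification.strip():
            findings.append(f"{e.control_id}: missing justification")
    # Applicable controls should be traceable to at least one risk.
    referenced = {c for r in risks for c in r.controls}
    for c in sorted(applicable - referenced):
        findings.append(f"{c}: applicable but linked to no risk")
    # Risks above tolerance must be treated by controls that are in scope.
    for r in risks:
        if r.level() >= RISK_ACCEPTANCE_THRESHOLD and not r.controls:
            findings.append(f"{r.risk_id}: level {r.level()} above tolerance, no treatment")
        for c in r.controls:
            if c in excluded:
                findings.append(f"{r.risk_id}: treated by excluded control {c}")
            elif c not in applicable:
                findings.append(f"{r.risk_id}: control {c} is not in the SoA")
    return findings


# Constructed sample data (not from any real register).
SAMPLE_RISKS = [
    Risk("R-01", "Laptop holding customer data is lost", 3, 4, ["A.8.24"]),
    Risk("R-02", "Ransomware on the file server", 3, 5, ["A.8.7", "A.8.12"]),
    Risk("R-03", "Access not revoked after staff leave", 4, 3, []),
]
SAMPLE_SOA = [
    SoaEntry("A.5.15", True, "Access control needed for joiner/leaver risks"),
    SoaEntry("A.7.4", False, "Fully remote organisation, no physical offices"),
    SoaEntry("A.8.7", True, "Malware protection addresses R-02"),
    SoaEntry("A.8.12", True, ""),            # justification forgotten
    SoaEntry("A.8.24", True, "Full-disk encryption on laptops addresses R-01"),
]

if __name__ == "__main__":
    for finding in check_soa(SAMPLE_RISKS, SAMPLE_SOA):
        print(finding)
```

Run on the sample data it reports three findings: the blank justification for A.8.12, control A.5.15 declared applicable but tied to no risk, and R-03 sitting above tolerance with no treatment.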

5. Information security objectives (Clause 6.2)

Security objectives need to be measurable, achievable, and time-bound. This document links your ISMS strategy to business goals, outlining who owns what and how progress will be tracked.

Objective characteristics:

SMART criteria: Objectives should be Specific, Measurable, Achievable, Relevant, and Time-bound.

Business alignment: Clear connection to organizational strategy and business objectives.

Risk-based: Objectives should address your most significant information security risks.

Tracking and reporting: Define how progress will be measured, who will monitor objectives, and the reporting frequency.

6. Evidence of competence (Clause 7.2)

To assess your team’s competencies to manage the ISMS, auditors look for proof—skills, training, education, or on-the-job experience. Certifications, training logs, job descriptions, and even performance reviews demonstrate your team’s capabilities to perform their security-related roles effectively in compliance with ISO 27001. 

What should be included?

Competence requirements: Skills and knowledge needed for each security-related role.

Current competence assessment: Gap analysis between required and current competencies.

Training and development records: Completed training programs, certifications, and professional development activities.

Experience documentation: Relevant work experience, project involvement, and on-the-job learning.

Competence evaluation: Regular assessment of whether personnel maintain required competencies.

7. Operational planning (Clause 8.1)

Clause 8.1 requires you to document how you plan, implement, and control the operational processes needed to meet your information security requirements and implement the actions determined in Clause 6 (particularly your risk treatment plans). 

This is about translating your ISMS policies and objectives into actual day-to-day operations and ensuring these operations run consistently and effectively. 

The operational planning and control documentation should encompass the fundamental structure of how security operations are executed within your organization. This includes: 

  • Clearly defined processes and procedures for routine security operations, such as user access management, incident response, backup operations, vulnerability management, change management, and system monitoring.
  • Control mechanisms that include specific control points and checkpoints within processes, verification and validation activities, criteria for process acceptance, and methods for ensuring processes operate within defined parameters. 
  • Detailed resource plan that explains required competencies and skills for operational roles, necessary tools and technologies, budget allocations for operational activities, and scheduling of operational tasks and maintenance windows.

8. Results of the information security risk assessment (Clause 8.2)

The documented results of the information security risk assessment capture identified risks, their likelihood, impact, and risk levels. This record directly informs which controls to apply and how to treat each risk. It brings transparency, traceability, and alignment with your organization's defined risk tolerance level and overall information security strategy.

What should be included?

Risk register: A comprehensive list of identified risks with their assessments.

Risk analysis details: Threat sources, vulnerabilities exploited, and potential business impacts.

Risk evaluation: Comparison against risk acceptance criteria and prioritization.

Assumptions and limitations: Key assumptions made during the assessment and any limitations in scope or methodology.

Outstanding issues: Any implementation challenges or delays that need management attention.

9. Results of the information security risk treatment (Clause 8.3)

Clause 8.3 requires you to maintain documented evidence showing how you've actually implemented your risk treatment plan.

While Clause 6.1.3 is about creating the risk treatment plan (the "what we will do"), Clause 8.3 is about documenting the execution and outcomes (the "what we did and what happened").

This is essentially the record that proves you didn't just plan to treat risks—you actually followed through and can show the results. 

The documented information for risk treatment results should comprehensively capture the entire treatment implementation lifecycle. This includes fundamental treatment implementation details such as which specific risks were treated, what controls or measures were implemented, implementation dates and timelines, responsible parties who carried out the treatment, and resources used, including budget, tools, and personnel. 

The documentation must also incorporate effectiveness measures that demonstrate the actual impact of treatments, including residual risk levels after treatment, comparisons of actual versus expected risk reduction, key performance indicators or metrics showing control effectiveness, and testing or validation results of implemented controls. Clause 8.3 requires that residual risks be approved by risk owners and/or management in line with acceptance criteria.

10. Evidence of ISMS monitoring and tracking metrics (Clause 9.1)

Clause 9.1 requires organizations to evaluate the ISMS performance and effectiveness using appropriate methods, including monitoring, measurement, analysis, and evaluation.

The document showcases the effectiveness of your controls and incident trends, highlighting the overall health of your ISMS. Auditors use it to see if you're measuring what matters to stay secure.

11. Evidence of the implementation of the audit program(s) (Clause 9.2)

Internal audit documentation includes the audit schedule, scope, criteria, and assigned responsibilities, along with detailed reports highlighting findings, non-conformities, and areas for improvement. Together, they show that you’re evaluating and strengthening your ISMS to protect critical information. 

What should be included?

Audit schedule: Annual audit calendar covering all ISMS areas.

Audit scope and criteria: What will be examined and against which requirements.

Auditor competence: Qualifications and training of internal auditors.

Audit findings: Non-conformities, observations, and opportunities for improvement.

Evidence collection: Documentation supporting audit findings and conclusions.

Audit reports: Formal reports communicating audit results to management.

Follow-up activities: Tracking corrective actions and verification of effectiveness.

12. Results of management reviews (Clause 9.3)

Documented management reviews typically cover the following:

  • Key decisions on ISMS performance
  • Updates on risk status
  • Responses to internal audit findings

The document demonstrates to auditors that your leadership is actively engaged: making tangible decisions and recommendations and guiding the ISMS.

What should be included?

ISMS performance data: Metrics demonstrating how well the ISMS is performing.

Risk status updates: Changes in the risk environment and treatment progress.

Audit results: Findings from internal and external audits.

Stakeholder feedback: Input from customers, regulators, and other interested parties.

Resource allocation: Commitments for additional resources or budget.

Improvement actions: Specific actions to enhance ISMS effectiveness.

Policy and objective changes: Updates to information security policy or objectives.

13. Evidence of any non-conformities and corrective actions taken (Clause 10.1)

Any deviations from the ISMS must be recorded alongside their root causes and corrective actions. This ensures transparency, continuous learning, and readiness for future audits.

What should be included?

Issue description: Clear description of what went wrong and how it was discovered.

Root cause analysis: Investigation into underlying causes, not just symptoms.

Impact assessment: Business impact and potential consequences if not addressed.

Immediate actions: Short-term measures to contain the problem.

Long-term solutions: Permanent fixes to prevent recurrence.

Implementation timeline: Realistic schedule for corrective action completion.

Effectiveness verification: How you'll confirm that corrective actions worked.

List of ISO 27001 Annex A documents

In addition to the core mandatory documents, organizations must also document any Annex A controls they’ve marked as applicable in their SoA. What does that mean in practice? 

If you’ve declared a control as relevant to your ISMS, you need to show supporting documentation—whether that’s a policy, procedure, guideline, or technical instruction.

Below is a list of commonly selected Annex A controls that often require documented proof:

  • Annex A.5: Organizational controls
      A.5.1: Information security policy
      A.5.15: Access control policy
  • Annex A.6: People controls
      A.6.3: Security awareness and training records
  • Annex A.7: Physical controls
      A.7.7: Clear desk and clear screen policy
  • Annex A.8: Technological controls
      A.8.7: Malware protection policy
      A.8.12: Backup policy and procedures
      A.8.24: Cryptographic controls policy

Consequences of missing ISO 27001 documentation

The stage 1 audit in ISO 27001—also known as the documentation review—is where it all begins. The auditor evaluates the organization's ISMS documentation by reviewing policies, procedures, risk assessments, and other foundational elements. To proceed to the stage 2 audit—the implementation review—you need to ensure there are no gaps or inconsistencies in the documents.

Missing mandatory documents or inconsistencies indicate ineffective risk management capabilities. Other negative consequences include delayed certifications, high costs, and loss of business.

Ineffective risk management

Missing ISO 27001 documentation signals process deficiency and inconsistent risk practices. Your organization’s credibility is undermined when risks aren’t systematically identified, evaluated, or mitigated.

Incomplete or missing incident logs and corrective action records can delay response times and reduce the effectiveness of containment and recovery efforts. Missing documents can also compromise compliance with regulations like GDPR and HIPAA, exposing you to fines and regulatory scrutiny.

Delayed certifications 

Without complete ISO 27001 documentation, auditors can’t verify compliance with key clauses. This results in nonconformities that must be corrected before proceeding to the next stage.

The rework involved—gathering evidence, revisiting processes, and coordinating with your auditor—can significantly push your certification timeline.

Limited decision-making

Lack of documentation hinders visibility into security control performance, user behavior, and system weaknesses, limiting informed decision-making.

Cost escalations

Delays in certification often result in higher costs, more internal effort, extended consultant hours, and auditor contract extensions.

Additionally, organizations lacking ISO 27001 certification may be perceived unfavorably by prospects. Prospects may not be convinced of the organization's ability to maintain data security and privacy, causing the organization to lose business opportunities. Maintaining all mandatory ISO 27001 documents is critical for effective, secure, and resilient operations.

Get ISO 27001 documentation ready with Scrut

ISO 27001 documentation is one of the most time-consuming and error-prone parts of ISO 27001 compliance. Gathering, analyzing, and presenting data to leadership and auditors is another challenging and effort-intensive task in compliance programs. 

Scrut, a compliance and risk management platform, helps organizations automate and streamline ISO 27001 documentation. Its dashboards and reports centralize and visualize data from different departments for a streamlined monitoring and verification process. 

Here’s how Scrut simplifies the ISO 27001 documentation process:

Centralized ISO 27001 documentation management

Instead of managing documents across spreadsheets or folders, Scrut provides a single platform to store, update, and track all ISO 27001 documents with version control, ownership, and approval workflows.

The platform organizes and securely stores ISO 27001 documentation, simplifying the process of presenting evidence during audits. It also offers checklists to ensure all requirements, from defining the ISMS scope to conducting risk assessments, are covered.

Pre-built ISO 27001 document templates

Scrut offers a library of ready-to-use, auditor-approved templates for all the mandatory policies and procedures required under ISO 27001. Pre-built templates and frameworks help organizations compile necessary documentation, ensuring they’re always prepared for audits. 

Audit-ready documentation

The platform helps you maintain audit-ready documentation, ensuring your ISMS policies, procedures, and records are always up-to-date. Automation helps to identify policies impacted by regulatory changes and recommends updates to reflect new requirements. The platform reduces back-and-forth with auditors, accelerating the audit and certification process.

Automated evidence collection

The platform's extensive integration with third-party systems automates evidence collection and simplifies control verification. The automation reduces manual effort, making the certification process simpler and more efficient.

Continuous compliance

Scrut maps security controls directly to ISO 27001 clauses and Annex A requirements, enabling seamless implementation and monitoring. This ensures your ISO 27001 documentation stays aligned with implemented controls and updates—supporting continuous compliance with the standard.

Centralized control management

Scrut consolidates all your policies, controls, and evidence into a single platform, eliminating the need for manual tracking across multiple tools. This unified view ensures you stay organized and audit-ready. With real-time visibility into document status and gaps, teams don’t have to scramble for documents and instead can stay continuously audit-ready.

The dashboard and reports enable you to communicate your real-time security posture and metrics, allowing auditors to expedite certification. Scrut reduces the time and resources required for ISO 27001 certification, making it a cost-effective solution specifically for small and medium-sized enterprises pursuing certification. 

Schedule a Scrut demo today to learn how to simplify the ISO 27001 documentation process. 

FAQs

What documentation is required for ISO 27001?

ISO 27001 requires documentation to demonstrate a well-managed ISMS. Key documents include the ISMS scope, information security policy, and risk assessment and treatment methodology. Organizations also require an SoA, risk treatment plan, monitoring and measurement results, internal audit reports, management review results, and corrective action records. They must provide evidence of control implementation for applicable Annex A controls.

What are the mandatory ISO 27001 policies?

ISO 27001 requires organizations to define and maintain key policies for a robust ISMS. Some key policies include those related to information security, risk assessment, access control, information classification and handling, and asset management. Organizations may require additional policies based on selected Annex A controls, such as cryptographic policies. 

How do I organize ISO 27001 documentation?

Organizing ISO 27001 documentation requires creating a structured system for all policies, procedures, and records related to your ISMS. 

You can organize ISO 27001 documents by grouping them into key categories: policies, controls (linked to Annex A), operational procedures, monitoring records, audits, and continual improvement. You should maintain a central repository to ensure accessibility.

Can I use templates for ISO 27001 documents?

You can use templates for ISO 27001 documents. Templates help you align documents with ISO 27001 requirements, ensure consistency, and save time. You can customize templates to reflect your organization's specific context, risks, and processes.
