ISO 27001: What documentation is required for certification?


ISO 27001 certification is one of the most important standards in ensuring a sustainable information security management system (ISMS). However, a complex catalog of requirements makes the certification process very time-consuming and deters many companies.

Fact is that the documentation requirements imposed by the standard can be quite intimidating. The challenge lies in sometimes unclear phrases as well as in false assumptions.

So, what does the standard really require?

First, we need to look at the corresponding requirements from ISO 27001 (7.5.1). There are two types of documented information.

  • Formal documentation: this is the documented information directly required by ISO 27001.
  • Company specific documentation: this is documented information that the company itself has determined to be necessary for the effectiveness of its own ISMS. This point could be briefly referred to as the company's own requirements.

Although the standard is very broad and vague, let’s be clear about one thing: in addition to the mandatory formal documentation required directly by the standard - such as the scope (4.3) or the information security policy (5.2.e) - companies can and must determine for themselves what documentation is necessary for their ISMS to function. Contrary to what may be assumed at first, it is not a matter of meeting rigid documentation requirements, but rather of individual decisions made by each company.

But what is meant by "documented information"?

Normally when we implement ISMS, we usually talk a lot about classic documents in the conventional sense. These are, for example, policies or process descriptions. However, this is by no means enough to completely cover the documented information. Documented information means any information that must be managed and maintained in the company. This is not limited to the usual office applications such as Word and Excel but can be created and stored anywhere - regardless of the medium. In addition to classic policies, documented information also includes, for example, video recordings, visitor logs, incident logs, NDAs, criminal records, contracts, organizational charts, personnel files, evidence of the safe disposal/destruction/deletion of media, log files, information about updates and possibly even cab invoices. This is because the standard gives each company the freedom and opportunity to determine for itself what needs to be documented.

Ask the right question

Accordingly, the initial question - How much documentation does certification really require? - is perhaps not optimal and needs to be rephrased:

How much documentation is required to operate an effective ISMS?

This question highlights what is at stake: an effective information security management system tailored to the organization. As soon as this is achieved (in compliance with the formal requirements), every company will pass the certification audit without any problems.

The following example shows how it works:

  1. Imagine you are writing a policy for secured areas in your company. The purpose of these special areas is to ensure a protected environment for safe working. Normally access to such areas must be strictly regulated and the names of visitors must be logged.
  2. Consider whether you need documented information to enable or support the fulfillment of this certain requirement. If not, no documented information is needed.
  3. If yes, this information must be available in documented form. To stick with the example: to trace whether visitors have been received in the secured area, their presence must be recorded in a visitor log (= documented information) or a record of access (= documented information) must be available.
  4. Document the documented information in the last chapter of the policy. You call this last chapter "Records" and it can look like this, for example:
Description Type Storage place Responsible Retention period
Visitor log Paper Archive Facility Manager 3 years
Record of access Digital server for access control Facility Manager 3 years

With the help of this list, you also make the auditor's job easier. Instead of working his way through the policy to find out for himself which documentation should be available, he only must check these records for presence and completeness.

Clear and standardized documentation of all processes and regulations is the basis of a successful ISMS. It is important to understand that each company can and must determine for itself what information should necessarily be documented, and at the same time does not lose sight of the fact that documentation is not the end, but the means. The goal of any documentation is to optimize processes and procedures and thus ultimately information security.

More On The Topic

About the author

Amir Salkic
SEC Consult
Principal Security Consultant

Amir studied computer scientist with over 13 years of professional experience and a certified NIS auditor. He is responsible for the area of "Information Security Management" and advises national as well as international companies on all aspects of organizational information security. Together with his team, he has already implemented over 350 projects in more than 20 countries on three continents for various industries and different company sizes.