ISO 27001 Certification: 22 sets of important documents


Table of Contents

There are 22 sets of document you need to know

If you’re a business owner, then you know that security is of the utmost importance. In today’s world, it’s more important than ever to make sure your data is safe and protected.

But what are the requirements for ISO 27001 certification? And how can you make sure your business meets them? Keep reading to find out!

1.Scope of the Information Security Management System

This document describes the sorts of activities your ISO 27001 Information Security Management System (ISMS) will be used to, as well as the parameters that will be imposed on it.

The management system will apply where your company offers a variety of products and services. It will also explain where they are supplied (e.g., regionally/across the HK/worldwide).

The boundaries must be established. This will necessitate the creation of a list of which parts of your business will be subjected to the ISMS. This includes procedures, locations, departments, divisions, and so on.

In most situations, your ISMS will be applied to the entire company, but there may be circumstances when a process, site, or team cannot fall under the scope of your information security management system.

ISO 27001 Documentation

2.Information security policy and objectives

Your Information Security Policy serves as a declared commitment that your company’s aim is to safeguard information in accordance with applicable legal and ethical standards while also demonstrating evidence of ongoing improvement. Your policy should also demonstrate a dedication to any measures taken to improve the security of the data you possess.

3.Risk assessment and risk treatment methodology

This document explains how you go about identifying information security risks, as well as your methodology for addressing and dealing with them when they occur. In this procedure, you do not need to detail the possible issues; rather, it is your procedure for detecting them that must be described.

4.Statement of Applicability

This document shows which of the ISO 27001 Annex A 114 information security controls you will implement and why. With so many information security controls to address, this paper has the potential to get out of hand, but all you have to do is:

  • Identify which of the measures apply to your company.
  • Outline why these rules are necessary.
  • Explain the controls in your workplace, such as what they do and how they have been implemented.
  • Exclude any that aren’t necessary (known as exclusions).

5.Risk Treatment Plan

Once you’ve decided which controls you’ll use, your Risk Treatment Plan

  • describes how you’ll put them in place and who will be in charge of doing so.
  • What resources will be needed and how much time will it take to implement the controls are all specified.

6.Risk assessment and risk treatment report

This report is on a risk assessment, as well as any risk treatment, conducted in accordance with the approach outlined in the above-mentioned document. It will describe your investigation’s findings, including any risks discovered, and any precautions taken to minimize or avoid them.

ISO 27001 Certification Resource

7.Defining security roles and responsibilities

This document details the tasks and responsibilities of each position involved in information security. You don’t need to provide full job descriptions, and these positions do not have to be filled by people solely responsible for information security. A marketing manager, for example, may have access to the consumer database, thus fulfilling a security function in ensuring that their access is kept secure.

8.Inventory of assets

Any asset that is used to store data must be recorded. Desktop computers, laptops, servers, phones and tablets /iPad, physical papers, financial records, email systems, cloud computing services are all examples of this. ISO 27001 may consider it to be one of the most difficult activities linked with information security risk assessment because it depends on your company’s size.

9.Acceptable use of assets

As the assets you found in your inventory are used to handle sensitive information, they must be handled securely. Establishing appropriate control measure makes it clear to everyone, both permanent and temporary, as well as contractors, how they may utilize a device to keep information security.

Examples of control measure include:

  • Assets must be used for company business purposes
  • Ensure that assets are not left unattended.
  • When moving away from the desk, computers must be secured.
  • Strong passwords must be created with difficult-to-guess combinations of letters, numbers and symbols.
  • All information should not be taken, copied, or changed without permission.
  • Encrypted records must be maintained.

10.Access control policy

This policy will assist your company in ensuring that only appropriate individuals have access to critical information. This policy should show

  • how an individual has right to access to information
  • how they get privileged access
  • how access is permitted and is reviewed
  • how and why access would be withdrawn

11.Operating procedures for IT management

Documented Procedures should be evaluated for businesses where sensitive information is at risk due to faulty IT equipment operation. These domains should be identified as part of your risk assessments, but they might also include:

  • software development
  • financial accounting
  • customer management
  • supplier management.

Every time that IT operates, documented operating processes are not necessary, only where they make sense.

Call ISO 27001 Consultant Now !

Click here

12.Secure system engineering principles

How you’ll use security as you develop new IT projects or apply it to existing infrastructure is known as secure engineering. This security isn’t limited to firewalls or encrypted passwords; it also covers disaster planning and business continuity.

When putting down these foundations, remember that they must take into account criminal human behaviour, accidents, system faults, as well as natural disasters.

13.Logging user activities, exceptions, and security events

User activity logging is an important tool for maintaining security. User activities, exceptions, and security events aren’t only useful in determining how issues occur; they may also assist you with your risk assessments and expose flaws in your data security.

14.Vendor security policy

There’s little point in securing important information if a vendor’s security is going to expose it to theft or loss. As a result, it’s critical to establish a policy regarding the confidentiality of vendors’ information.

It would be better if we developed a collaborative policy that fostered strong working relationships with vendors who have access to, or who might be able to compromise, your data security.

Also, keep in mind that some vendors may have little or no impact on your security; concentrate your attention on those vendors who are identified in your risk assessments.

15.Incident management procedure

The processes outlined above should help you figure out how your company will determine who is in charge of an incident and how they’ll do it.

  • collect evidence after the incident
  • describe the situation, how it evolved and how it got to the incident. It’s critical to figure out what happened, who was involved, and why.
  • ensure that any actions taken in response to the event are recorded for future study.
  • report management the incident
  • escalate the incident with regulators or independent bodies, if necessary
  • find and handle any vulnerabilities caused to the incident

16.Business continuity procedures

Your company must develop formal procedures to ensure that it can continue operating in the wake of a data security incident.

The procedures should also set forth a management structure and generally accepted criteria for forwarding the issue to appropriate authorities or other independent bodies. You’ll also need to decide when your company intends to resume normal operations.

17.Legal, regulatory, and contractual requirements

All three of these forms of requirements will apply to the way you handle information, and this procedures not only shows your awareness of them, but also serves as a quick reference tool for all personnel.

You should clearly define whether a requirement is legal, regulatory, or contractual, as well as how it affects your information security processes.

Naturally, the needs outlined above might change over time, so you must keep an eye on them and make sure that any modifications are reflected in your ISMS.

18.Records of training, skills, experience and qualifications

This procedures will show that every employee has the necessary skill level. It also aids your company in demonstrating its commitment to data security and improvement by revealing the continual training and experience your staff obtain.

19.Monitoring and measurement of results

Another benefit of ISO 27001 is its emphasis on continuous improvement. That’s why a procedure to evaluate and assess the effectiveness of an ISMS is so important. You’ll need a track record of these assessments, as well as evidence that your company considered what to measure, how and when, as well as proof that any outcomes from any decisions were adequate when applying appropriate process control.

20.Internal audit programme and results

An internal audit, like the ISMS itself, is an important component of any ISMS. Internal audits evaluate not just the effectiveness of your ISMS, but also the overall performance of your company in terms of information security. These audits also assist you in demonstrating your adherence to the procedures set out for your ISMS.

21.Results of the management review

Senior management should conduct periodic review of the ISMS to ensure that it is still effective, and a meeting minute with the findings according to the ISO 27001 requirements should be kept.

22.Non-conformities and results of corrective actions

Your company must establish a process for recording any nonconformities in its information security procedures and operations, as well as the actions it took as a result. You’ll need to document how your company made certain that any corrective action was successful in returning the system to conformity.


Don’t worry if your company is not ready for ISO 27001 documentation

The certification process for ISO 27001 can be daunting, but it doesn’t need to be. You don’t need all of these documents in place before you begin the process. We are willing to walk you through every step in the process. 

Reach out today for assistance or make a 30 min Consultation Call 

Call ISO 27001 Consultant Now !

Click here

Schedule FREE 30 Mins Consultation Call
Gabriel Consultant in ISO Consulting
Service with 20 years of experience.
Find Us
© 2024 Gabriel Consultant. All rights reserved
Find Us
© 2024 Gabriel Consultant. All rights reserved

Office Hour: 9:00- 18:00

Tel : +852 23664622

Email :

Free 30 Min Consultation Call

Request an economy and speedy way to get an ISO Certification