Mandatory Documents for ISO 27001

ISO 27001: Mandatory Documents vs. Good-to-Have Policies

When organizations start their ISO/IEC 27001 journey, one of the first questions that comes up is: “What documents are actually required for certification, and which ones are just nice to have?”

Let’s break it down.

The Mandatory Documents

ISO 27001 doesn’t demand binders full of policies. Instead, it requires key documents that prove your Information Security Management System (ISMS) is defined, risk-based, and continually improved. These include:

ISMS Scope (Clause 4.3) – what areas of the business are covered.
Information Security Policy (Clause 5.2) – your high-level security intent.
Risk Assessment & Risk Treatment Processes (Clauses 6.1.2 & 6.1.3) – how you identify and address risks.
Statement of Applicability (SoA) (Clause 6.1.3 d) – the famous Annex A control list, with justification for what’s in or out.
Information Security Objectives (Clause 6.2) – measurable goals.
Evidence of Competence (Clause 7.2) – proof your people have the skills to protect information.
Monitoring & Measurement Records (Clause 9.1) – data showing how you track performance.
Audit & Management Review Results (Clauses 9.2 & 9.3) – your ISMS isn’t static, so you need evidence of regular checks.
Corrective Actions (Clause 10.1) – how you address nonconformities and improve.

These documents are non-negotiable. An auditor will expect to see them, and noncompliance can result in a nonconformity (NC) being raised during your audit.

A nonconformity doesn’t automatically mean failure, but it does mean you’ll need to take corrective action.

Minor NCs may be cleared with additional evidence or process improvements, while major NCs can delay or even prevent certification until they’re resolved.

The Good-to-Have (But Not Mandatory)

Here’s where many organizations get tripped up. ISO 27001 does not explicitly require detailed technical or operational policies such as:

Asset Inventory → supports A.5.9 Inventory of information and other associated assets
Password or Access Control Policy → supports A.8.2 Privileged access rights and A.8.3 Management of secret authentication information
Backup and Restore Procedures → supports A.8.12 Data backup
Disaster Recovery & Business Continuity Playbooks → supports A.5.29 Information security during disruption and A.5.30 ICT readiness for business continuity
Change Management Steps → supports A.8.32 Change management
Supplier Security Policies → supports A.5.19 Supplier relationships and A.5.20 Addressing information security within supplier agreements

Do you need these for certification? Strictly speaking, no.

But in practice, they strengthen your ISMS and show alignment with Annex A controls.

They also reduce audit headaches, because documented policies make it easier to demonstrate that your processes are consistent, repeatable, and effective.

In summary, the mandatory documents form the essential foundation for ISO 27001 certification. While the additional policies are not compulsory, they serve as valuable enablers that demonstrate practical alignment with Annex A controls and provide clearer evidence of consistent, effective information security management to both auditors and internal stakeholders.