
ISO 27001 Mandatory Documents: The Complete List for Certification

Published 19 April 2026 · Last reviewed 23 February 2026

ISO 27001 mandatory documents are the single biggest source of confusion for UK small businesses preparing for certification. The standard itself never uses the word "mandatory" — it says "documented information" and scatters requirements across Clauses 4–10 and 93 Annex A controls. The result: businesses either under-document and fail their Stage 1, or over-document and spend months producing paperwork nobody reads.

This guide lists every mandatory document for ISO 27001:2022, explains what your auditor actually checks for each one, and describes what "good enough" looks like when you have 5–100 employees and no dedicated compliance team.

How ISO 27001 Documentation Requirements Work

ISO 27001:2022 requires documented information in two ways:

  1. "The organisation shall maintain documented information" — you need a document (policy, procedure, methodology).
  2. "The organisation shall retain documented information" — you need records (evidence that something happened).

The distinction matters. A policy is something you write once and review periodically. A record is evidence generated through operations — audit results, risk assessment outputs, management review minutes. Your auditor checks both. Missing a policy is a nonconformity. Missing a record suggests the process never happened, which is worse.

The mandatory documents split across two areas: the ISMS management system (Clauses 4–10) and the Annex A controls. Let's cover both.

ISO 27001 Mandatory Documents: Clauses 4–10

These are the management system documents every certified organisation needs. No exceptions, regardless of size.

1. ISMS Scope (Clause 4.3)

What it is. A statement defining what the ISMS covers — business units, locations, information systems, and the boundaries of the management system.

What auditors check. That the scope is specific enough to be meaningful and doesn't exclude areas where information risks clearly exist. "Our London office" fails if staff work remotely and data sits in cloud services outside that office. The auditor probes boundaries.

Good enough for a small business. One to two paragraphs. State which legal entity, which sites (including remote working), which systems and services, and which information types. If the scope is the whole business, say so. Most UK SMBs under 50 staff scope the entire organisation and avoid boundary headaches.

2. Information Security Policy (Clause 5.2)

What it is. The top-level policy statement signed by senior management, setting the direction for information security.

What auditors check. That it includes a commitment to satisfying applicable requirements and to continual improvement. That it has been communicated to staff. That staff can describe what it means in practical terms — not recite it word for word, but demonstrate awareness.

Good enough for a small business. One page. State the business context, the commitment to protecting information, the obligation to comply with legal requirements (UK GDPR, DPA 2018), and who is responsible. Get the MD to sign it. Pin it where staff see it. Review annually.

3. Risk Assessment Methodology (Clause 6.1.2)

What it is. A documented approach describing how you identify, analyse, and evaluate information security risks.

What auditors check. That the methodology existed before the risk assessment — not written after the fact. That it defines criteria for risk acceptance. That it produces consistent, comparable results. The auditor will ask: "If two people assessed the same risk, would they reach the same conclusion?"

Good enough for a small business. A 2–3 page document covering: how you identify assets and threats, your likelihood and impact scales (a 3x3 matrix works), how you calculate risk level, and what threshold triggers treatment. Keep scales simple. A 5x5 matrix with elaborate descriptors is harder to apply consistently than a 3x3 with clear definitions.

4. Risk Assessment Results (Clause 8.2)

What it is. The output of your risk assessment — typically a risk register listing identified risks, their scores, and treatment decisions.

What auditors check. That the assessment follows the methodology you documented. That it covers information assets proportionate to your scope. That risk owners are named individuals, not just departments. That the assessment is current: the standard only says "at planned intervals", but in practice auditors expect it to have been conducted or reviewed within the last 12 months.

Good enough for a small business. A spreadsheet or register with 20–50 risks is typical for a 10–50 person business. Cover the obvious categories: data breach, ransomware, supplier compromise, insider threat, physical security, business continuity. Each risk needs an owner, a likelihood and impact score, and a treatment decision (mitigate, accept, transfer, avoid).

5. Risk Treatment Plan (Clause 6.1.3)

What it is. The plan for addressing risks that exceed your acceptance threshold — which controls you are implementing, who is responsible, and by when.

What auditors check. That every risk above the acceptance threshold has a treatment action. That actions have named owners and target dates. That there is evidence of progress. The auditor compares the risk treatment plan against the Statement of Applicability to verify consistency.

Good enough for a small business. Can be a tab in your risk register spreadsheet. For each risk being treated: the selected control(s), the action, the owner, the deadline, and the status. Update it monthly during implementation, quarterly once the ISMS is running.

6. Statement of Applicability (Clause 6.1.3d)

What it is. A document listing all 93 Annex A controls, stating whether each applies, and justifying the decision. It is the single most scrutinised document in an ISO 27001 audit.

What auditors check. That all 93 controls appear — not just the ones you selected. That every exclusion has a justified reason traceable to the risk assessment. That implementation status is recorded honestly. The SoA is the auditor's roadmap for your entire Stage 2.

Good enough for a small business. A spreadsheet with columns for: control reference, control name, applicable (yes/no), justification, implementation status, and notes. Excluding 5–10 controls is typical. More than 20 exclusions raises questions. Our guide to the Statement of Applicability covers this in detail, and the ISO 27001 controls checklist helps you work through all 93 systematically.
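Items 3 to 6 have to agree with each other, and the auditor checks that by tracing each risk to its treatment and each treatment to an applicable control. The Python script below is an added illustration of those traceability checks; it is not code from the article or from ClauseWise, and the field names, the 3x3 scales, the acceptance threshold and the sample register, plan and SoA are all constructed assumptions. It recomputes every score under the documented methodology, rejects team names as risk owners, flags an assessment older than 12 months, requires a planned treatment with an owner and deadline for every risk above the threshold, checks that the SoA lists all 93 controls with a justification for each exclusion, and flags any control the treatment plan relies on that the SoA has excluded.

```python
"""Cross-checks for a small-business ISMS: the risk register against the
documented methodology, the treatment plan against the register, and the
Statement of Applicability against both. Added example for this article, not
tooling from the article or from ClauseWise. The record layouts, field names,
3x3 scales, acceptance threshold and sample data are constructed assumptions."""
from datetime import date

AS_OF = date(2026, 2, 23)            # date the check is run
SCALE = {1, 2, 3}                    # assumed 3x3 likelihood and impact scales
ACCEPTANCE_THRESHOLD = 3             # assumed: level 1-3 accepted, 4-9 must be treated
TREATMENT_OPTIONS = {"mitigate", "accept", "transfer", "avoid"}
REVIEW_WINDOW_DAYS = 365             # assessed or reviewed within the last 12 months
DEPARTMENTS = {"IT", "HR", "Finance", "Management"}  # assumed: teams are not risk owners

# The 93 Annex A control identifiers in ISO/IEC 27001:2022:
# 37 organisational (5.x), 8 people (6.x), 14 physical (7.x), 34 technological (8.x).
ANNEX_A = {f"A.{theme}.{n}" for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
           for n in range(1, count + 1)}

def risk_level(likelihood, impact):
    """Clause 6.1.2 methodology: level = likelihood x impact on the 1-3 scales."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"scores {likelihood}/{impact} are off the 1-3 scales")
    return likelihood * impact

def check_soa(soa, treatment_plan):
    """Clause 6.1.3 d): all 93 controls listed, exclusions justified, and every
    control the treatment plan relies on marked applicable."""
    findings = [f"SoA: {c} missing" for c in sorted(ANNEX_A - soa.keys())]
    findings += [f"SoA: {c} is not a 2022 Annex A control" for c in sorted(soa.keys() - ANNEX_A)]
    for c, row in sorted(soa.items()):
        if not row["applicable"] and not row.get("justification", "").strip():
            findings.append(f"SoA: {c} excluded without justification")
    for t in treatment_plan:
        for c in t.get("controls", []):
            if not soa.get(c, {}).get("applicable"):
                findings.append(f"SoA: {t['risk_id']} relies on {c}, which is not applicable")
    return findings

def check_register(risks, treatment_plan, today):
    """Clauses 6.1.2, 6.1.3 and 8.2: scores follow the methodology, owners are
    named people, the assessment is current, and every risk above the
    acceptance threshold has a planned treatment with an owner and deadline."""
    findings = []
    plan = {t["risk_id"]: t for t in treatment_plan}
    for r in risks:
        rid = r["id"]
        try:
            level = risk_level(r["likelihood"], r["impact"])
        except ValueError as err:
            findings.append(f"{rid}: {err}")
            continue
        if level != r["level"]:
            findings.append(f"{rid}: recorded level {r['level']}, methodology gives {level}")
        if not r.get("owner") or r["owner"] in DEPARTMENTS:
            findings.append(f"{rid}: owner must be a named individual, not '{r.get('owner')}'")
        if (today - r["assessed"]).days > REVIEW_WINDOW_DAYS:
            findings.append(f"{rid}: last assessed {r['assessed']}, over 12 months ago")
        if r["decision"] not in TREATMENT_OPTIONS:
            findings.append(f"{rid}: unknown treatment decision '{r['decision']}'")
        if level > ACCEPTANCE_THRESHOLD:
            t = plan.get(rid)
            if r["decision"] == "accept":
                findings.append(f"{rid}: level {level} exceeds threshold but is accepted")
            if t is None:
                findings.append(f"{rid}: above threshold but absent from treatment plan")
            elif not t.get("owner") or not t.get("deadline"):
                findings.append(f"{rid}: treatment action lacks an owner or deadline")
            elif r["decision"] == "mitigate" and not t.get("controls"):
                findings.append(f"{rid}: mitigation names no Annex A control")
    return findings

def check_isms(risks, treatment_plan, soa, today=AS_OF):
    """All findings together; an empty list means the three documents agree."""
    return check_register(risks, treatment_plan, today) + check_soa(soa, treatment_plan)

# Constructed sample register and plan, seeded with defects for the checks to catch.
RISKS = [
    {"id": "R-01", "owner": "Priya Shah", "likelihood": 2, "impact": 3, "level": 6,
     "decision": "mitigate", "assessed": date(2025, 11, 3)},   # clean
    {"id": "R-02", "owner": "IT", "likelihood": 2, "impact": 2, "level": 4,
     "decision": "accept", "assessed": date(2025, 11, 3)},     # team owner, accepted above threshold
    {"id": "R-03", "owner": "Tom Reilly", "likelihood": 3, "impact": 1, "level": 4,
     "decision": "mitigate", "assessed": date(2024, 9, 1)},    # miscalculated level, stale
    {"id": "R-04", "owner": "Tom Reilly", "likelihood": 1, "impact": 2, "level": 2,
     "decision": "accept", "assessed": date(2025, 11, 3)},     # clean, below threshold
]
TREATMENT_PLAN = [
    {"risk_id": "R-01", "action": "Immutable backups and EDR", "owner": "Priya Shah",
     "deadline": date(2026, 3, 31), "controls": ["A.8.13", "A.8.7"]},
    {"risk_id": "R-03", "action": "Full-disk encryption on laptops", "owner": "Tom Reilly",
     "deadline": date(2026, 1, 31), "controls": ["A.8.24"]},
]
# Constructed SoA: everything applicable except A.8.4 (justified) and A.8.24 (not).
SOA = {c: {"applicable": True, "justification": ""} for c in ANNEX_A}
SOA["A.8.4"] = {"applicable": False, "justification": "No in-house software development"}
SOA["A.8.24"] = {"applicable": False, "justification": ""}

if __name__ == "__main__":
    for finding in check_isms(RISKS, TREATMENT_PLAN, SOA):
        print(finding)
```

Run against the sample data it reports seven findings: three on R-02 (a team as owner, a level-4 risk accepted, and no treatment entry), two on R-03 (a recorded level that does not match 3x1, and an assessment over a year old), and two on the SoA (A.8.24 excluded without justification, yet relied on by R-03's treatment). That last pair is exactly the inconsistency the auditor hunts for when comparing the plan to the SoA.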

7. Information Security Objectives (Clause 6.2)

What it is. Measurable objectives for information security, consistent with the policy.

What auditors check. That objectives are specific and measurable — "improve security" fails; "reduce phishing click rate from 12% to under 5% by Q3" works. That progress is monitored. That objectives are reviewed at management review.

Good enough for a small business. Three to five objectives. Examples: complete security awareness training for 100% of staff by a target date, achieve zero critical vulnerabilities unpatched beyond 30 days, complete business continuity testing annually. Track them in a simple table with target, measure, deadline, and status.

8. Competence Evidence (Clause 7.2)

What it is. Records proving that people performing work affecting information security have the necessary competence.

What auditors check. That you have defined what competence is needed for security-relevant roles. That you hold evidence — training certificates, qualifications, experience records. The auditor will ask to see competence evidence for the ISMS manager, IT staff, and anyone with privileged access.

Good enough for a small business. A simple matrix: role, required competence, evidence held. Training completion records, professional or vendor certifications, and induction records. (Cyber Essentials certifies the organisation, not a person, so it is not evidence of individual competence.) You do not need everyone to hold CISSP. You need evidence that people in security-relevant roles know what they are doing.

9. Operational Planning and Control (Clause 8.1)

What it is. Evidence that you plan, implement, and control the processes needed to meet information security requirements.

What auditors check. That planned changes are controlled and unintended changes are reviewed. That outsourced processes are identified and controlled. This connects directly to your risk treatment plan — the auditor checks that the controls you said you would implement are actually operational.

Good enough for a small business. This is not a standalone document for most SMBs. It is the combination of your implemented controls, procedures, and the evidence that they run; the same evidence doubles as the results of risk treatment that Clause 8.3 asks you to retain. If you have an access control procedure and evidence of access reviews, that covers the operational planning for access control.

10. Monitoring and Measurement Results (Clause 9.1)

What it is. Records showing that you monitor and measure information security performance and the effectiveness of the ISMS.

What auditors check. That you defined what to monitor (linked to your objectives and risk treatment). That you have actual results. That someone reviews them. Common examples: security incident counts, vulnerability scan results, training completion rates, access review completion.

Good enough for a small business. A quarterly dashboard or summary covering your key metrics. Three to five measures linked to your objectives. The auditor wants evidence of a functioning feedback loop, not enterprise-grade analytics.
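As an added illustration of items 7 and 10 (not code from the article or from ClauseWise), the Python below computes three of the measures mentioned above from constructed inputs: a vulnerability scanner export, a training roster and a phishing-simulation result. The column names, targets and figures are assumptions. It handles the two cases that make these numbers wrong when done by hand in a spreadsheet: an open finding whose age keeps growing until it is fixed, and a training completion that is too old to count as current.

```python
"""Quarterly ISMS measurement summary for Clauses 6.2 (objectives) and 9.1
(monitoring and measurement). Added example for this article, not tooling from
the article or from ClauseWise. The export layouts, column names, targets and
every figure below are constructed assumptions."""
import csv
from datetime import date, datetime
from io import StringIO

AS_OF = date(2026, 2, 23)       # reporting date for the quarter
PATCH_SLA_DAYS = 30             # assumed objective: no critical finding open beyond 30 days
TRAINING_REFRESH_DAYS = 365     # assumed: awareness training is repeated annually
TRAINING_TARGET = 1.0           # assumed objective: 100% of staff current
PHISHING_TARGET = 0.05          # assumed objective: simulated-phish click rate under 5%

# Constructed scanner export; an empty 'resolved' column means still open.
SCAN_CSV = """id,severity,first_seen,resolved
V-101,critical,2025-12-01,2025-12-20
V-102,critical,2025-12-10,2026-01-25
V-103,critical,2026-01-15,
V-104,high,2025-11-01,
V-105,critical,2026-02-10,
"""
# Constructed training roster; 'completed' is the last awareness course date.
ROSTER_CSV = """name,role,completed
Priya Shah,ISMS manager,2025-10-02
Tom Reilly,IT,2025-01-10
Aisha Khan,Sales,
Ben Cole,Finance,2026-01-15
"""
PHISHING_SENT, PHISHING_CLICKED = 40, 1    # constructed simulation result

def parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None

def critical_sla_breaches(scan_csv, as_of):
    """Critical findings that broke the patch SLA, split into those still open
    past the SLA at the reporting date and those fixed only after it elapsed.
    An open finding's age runs to as_of, so it keeps growing until fixed."""
    open_overdue, fixed_late = [], []
    for row in csv.DictReader(StringIO(scan_csv)):
        if row["severity"].lower() != "critical":
            continue
        first_seen, resolved = parse_date(row["first_seen"]), parse_date(row["resolved"])
        if ((resolved or as_of) - first_seen).days > PATCH_SLA_DAYS:
            (fixed_late if resolved else open_overdue).append(row["id"])
    return open_overdue, fixed_late

def training_completion(roster_csv, as_of):
    """Share of staff whose awareness training is inside the refresh window;
    a completion older than the window counts as lapsed, not as done."""
    staff = list(csv.DictReader(StringIO(roster_csv)))
    lapsed = [p["name"] for p in staff if not p["completed"]
              or (as_of - parse_date(p["completed"])).days > TRAINING_REFRESH_DAYS]
    rate = (len(staff) - len(lapsed)) / len(staff) if staff else 0.0
    return rate, lapsed

def measure(value, target, met, detail):
    return {"value": value, "target": target, "status": "met" if met else "missed", "detail": detail}

def quarterly_summary(scan_csv=SCAN_CSV, roster_csv=ROSTER_CSV,
                      sent=PHISHING_SENT, clicked=PHISHING_CLICKED, as_of=AS_OF):
    """Each objective as the auditor wants to see it: value, target, status, and
    the detail needed to act on a miss."""
    open_overdue, fixed_late = critical_sla_breaches(scan_csv, as_of)
    rate, lapsed = training_completion(roster_csv, as_of)
    click_rate = clicked / sent if sent else 0.0
    return {
        "critical_open_beyond_sla": measure(len(open_overdue), 0, not open_overdue, open_overdue),
        "critical_fixed_late": measure(len(fixed_late), 0, not fixed_late, fixed_late),
        "training_current": measure(round(rate, 3), TRAINING_TARGET, rate >= TRAINING_TARGET, lapsed),
        "phishing_click_rate": measure(round(click_rate, 3), PHISHING_TARGET,
                                       click_rate < PHISHING_TARGET, f"{clicked}/{sent}"),
    }

if __name__ == "__main__":
    for name, m in quarterly_summary().items():
        print(f"{name:26} {m['value']!s:>6}  target {m['target']!s:<5} {m['status']:7} {m['detail']}")
```

On the constructed data the summary shows V-103 open 39 days past first sighting (missed), V-102 fixed after 46 days (missed), training 50% current because one completion is 13 months old and one is missing (missed), and a 2.5% click rate (met). The "detail" field is what turns a dashboard number into a corrective action with a named finding or person attached.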

11. Internal Audit Programme and Results (Clause 9.2)

What it is. A planned programme of internal audits covering the ISMS, plus the audit reports.

What auditors check. That audits are planned and cover the full ISMS scope over time. That auditors are independent of the area being audited (your IT manager cannot audit their own controls). That findings are documented and acted upon.

Good enough for a small business. Audit the full ISMS annually, splitting across two or three audits if needed. The auditor must be independent; this can be a colleague from a different function, an external auditor, or a consultant. Produce a brief report: scope, findings, nonconformities, observations. Our ISO 9001 audit checklist covers the audit process in detail; the Clause 9.2 requirements are the same in both standards because both follow the Annex SL structure.

12. Management Review Results (Clause 9.3)

What it is. Minutes or records from management review meetings covering information security.

What auditors check. That reviews happen at planned intervals (the standard sets no frequency; annually is the accepted minimum in practice). That the standard's required inputs are covered: status of actions from previous reviews, changes in issues relevant to the ISMS, audit results and other feedback on performance, risk assessment results and treatment plan status, and opportunities for improvement. That the review produces decisions and actions, not just a discussion.

Good enough for a small business. One meeting per year minimum, with minutes covering each required input. A structured agenda template ensures nothing is missed. Record decisions, action items, and owners. The meeting can be 60–90 minutes if prepared well.

13. Nonconformities and Corrective Actions (Clause 10.2)

What it is. Records of nonconformities identified (from audits, incidents, or reviews) and the corrective actions taken.

What auditors check. That you react to nonconformities. That you investigate root cause, not just symptoms. That corrective actions are implemented and their effectiveness is reviewed. The auditor checks the loop: problem identified, cause analysed, action taken, action verified.

Good enough for a small business. A simple log or register: date, description, root cause, corrective action, owner, deadline, status, effectiveness review. Even five entries showing the process works is better than an empty log. The auditor expects to find nonconformities — what matters is how you handle them.

Annex A Policies and Procedures

Beyond the Clauses 4–10 mandatory documents, several Annex A controls call for their own documented policies or procedures. A few say "documented" outright (A.5.10 acceptable use, A.5.26 incident response); for the rest, a written policy or procedure is in practice the only way to show the auditor how the control operates. Where a control is applicable in your Statement of Applicability, expect to be asked for the corresponding document.

The key ones:

Annex A control    Document required
A.5.1              Information security policies (the policy framework beyond the top-level policy)
A.5.10             Acceptable use of information and assets policy
A.5.12–5.13        Information classification and labelling procedures
A.5.15             Access control policy
A.5.19–5.22        Supplier security policies and procedures
A.5.23             Cloud services security policy (new in 2022)
A.5.24–5.28        Incident management procedures
A.5.29–5.30        Business continuity and ICT readiness plans
A.5.31             Legal, regulatory, and contractual requirements register
A.5.34             Privacy and PII protection procedures
A.6.1–6.5          HR security: screening, terms, awareness, disciplinary, termination
A.7.1–7.4          Physical security procedures
A.8.1–8.5          Endpoint and access management procedures
A.8.9              Configuration management procedures (new in 2022)
A.8.15–8.16        Logging and monitoring procedures
A.8.24             Cryptography / encryption policy
A.8.25–8.28        Secure development and coding practices (if applicable)

Not every control requires a standalone document. Auditors accept combined policies — an access control policy can cover A.5.15, A.8.2, A.8.3, A.8.4, and A.8.5 in one document. An incident management procedure can address A.5.24 through A.5.28. Combining related controls into single documents is not just acceptable — it is sensible for a small business.

How Many Documents Does a Small Business Actually Need?

The total depends on scope, but a typical UK SMB with 10–50 employees ends up with 25–40 documents for a complete ISMS. That includes the 13 Clauses 4–10 documents above, 8–15 Annex A policies and procedures, plus supporting records and registers.

Common mistake: building 60–80 documents because a consultant's template pack includes one document per Annex A control. More documents means more version control, more review cycles, and more things to go wrong at audit. The standard requires documented information — it does not require one document per clause or control.

Keep it proportionate. Clause 7.5 explicitly states that the extent of documented information depends on the size of the organisation and its activities. A 15-person business with a single office and standard IT infrastructure does not need the same documentation volume as a 500-person organisation with multiple sites and bespoke systems.

Three principles for keeping documentation lean:

  1. Combine related controls into single documents. One access control policy, not five. One incident management procedure covering detection through lessons learned.
  2. Use records, not procedures, where the process is obvious. You do not need a 10-page procedure for management review — you need an agenda template and minutes.
  3. Write for the reader, not the auditor. If staff cannot follow a procedure, it produces no value and generates audit findings when practice diverges from documentation.

For context on overall certification costs — including documentation effort — see our ISO 27001 certification cost breakdown.

What Auditors Actually Check at Stage 1 vs Stage 2

Understanding when documents are checked helps you prioritise.

Stage 1 (documentation review, typically 1 day): The auditor reviews your documented ISMS before visiting your site. They check: ISMS scope, information security policy, risk assessment methodology, SoA, risk treatment plan, internal audit programme, management review records. A missing mandatory document is recorded as an area of concern, and the certification body will normally postpone Stage 2 until it is closed. Fix the gaps first.

Stage 2 (implementation audit, 2–4 days for SMBs): The auditor verifies that documentation reflects reality. They interview staff, check records, sample evidence. The risk assessment results, competence records, monitoring data, corrective action logs, and operational evidence all get examined here. A policy that exists on paper but is not followed typically produces a major nonconformity.

The gap between Stage 1 and Stage 2 is typically 1–3 months. Use that time to close any documentation findings from Stage 1 and ensure records are current.

UK-Specific Documentation Considerations

Data Protection Act 2018 / UK GDPR. Several mandatory documents directly support UK GDPR compliance. Your information security policy should reference the DPA 2018. Your risk assessment should include personal data risks. Your incident management procedure must cover the UK GDPR Article 33 duty to notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals. Auditors increasingly expect to see this alignment documented explicitly.

Cyber Essentials mapping. If you hold Cyber Essentials or CE Plus, reference this in your documentation. The five CE control areas (firewalls, secure configuration, access control, malware protection, patch management) overlap with Annex A technological controls. Documenting the mapping avoids duplicating effort and demonstrates a coherent security posture.

NCSC guidance. The NCSC's 10 Steps to Cyber Security and cloud security principles provide practical frameworks that align with ISO 27001 documentation requirements. Referencing them strengthens your documentation and demonstrates awareness of UK-specific threat guidance.

Public sector supply chain. If you supply to UK government, your documentation may need to address the Cabinet Office Security Policy Framework or specific contract security requirements. Build these into your legal and regulatory requirements register (A.5.31) from the start rather than retrofitting.

ISO 27001 Mandatory Documents Checklist

Before your Stage 1 audit, verify you have every item below:

Clauses 4–10 (management system):

  • ISMS scope statement (Clause 4.3)
  • Information security policy, signed by top management (Clause 5.2)
  • Risk assessment methodology (Clause 6.1.2)
  • Statement of Applicability covering all 93 controls (Clause 6.1.3d)
  • Risk treatment plan with owners and deadlines (Clause 6.1.3)
  • Information security objectives with measures (Clause 6.2)
  • Competence records for security-relevant roles (Clause 7.2)
  • Risk assessment results / risk register (Clause 8.2)
  • Risk treatment results and evidence that controls operate as planned (Clauses 8.1 and 8.3)
  • Monitoring and measurement results (Clause 9.1)
  • Internal audit programme, schedule, and reports (Clause 9.2)
  • Management review minutes with required inputs and outputs (Clause 9.3)
  • Nonconformity and corrective action log (Clause 10.2)

Annex A policies and procedures (where applicable):

  • Acceptable use policy (A.5.10)
  • Access control policy (A.5.15, A.8.2–8.5)
  • Information classification and handling procedures (A.5.12–5.13)
  • Supplier security policy (A.5.19–5.22)
  • Incident management procedure (A.5.24–5.28)
  • Business continuity / ICT readiness plans (A.5.29–5.30)
  • Legal and regulatory requirements register (A.5.31)
  • HR security procedures — screening, awareness, termination (A.6.1–6.5)
  • Physical security procedures (A.7.1–7.4)
  • Logging and monitoring procedures (A.8.15–8.16)
  • Cryptography / encryption policy (A.8.24)

Records to have ready:

  • Asset inventory
  • Training and awareness completion records
  • Access review records
  • Security incident log (even if no incidents — document that)
  • Change management records
  • Vulnerability scan or penetration test results

Use the ISO 27001 controls checklist to track implementation status for all 93 Annex A controls alongside this document list. Start with the Clauses 4–10 documents — they take the longest to get right and form the backbone of your Stage 1 review.

This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.

ClauseWise is coming soon

Generate your ISO 9001 and ISO 27001 documentation without consultant fees.