ISO 27001 mandatory documents: the complete 2022 checklist
The documented information ISO/IEC 27001:2022 actually requires — the mandatory records, the key Annex A policies, and how to produce them fast.
Most teams starting ISO 27001 ask the same first question: *which documents do we actually need?* The standard is precise about this, and getting the list right early saves weeks of rework. This is the practical checklist of mandatory documented information under ISO/IEC 27001:2022, plus the Annex A policies auditors expect to see in practice.
What "documented information" means
ISO 27001 uses the phrase "documented information" rather than "documents and records". In plain terms, there are two kinds: documents that define how you work (policies, procedures, the scope) and records that prove you did the work (audit results, review minutes, risk assessments). You need both.
The mandatory documents (clauses 4–10)
These are required by the main body of the standard, regardless of which controls you apply:
- ISMS scope (clause 4.3) — the boundaries of your management system.
- Information security policy (clause 5.2) — top management's statement of intent.
- Risk assessment and risk treatment process (clauses 6.1.2–6.1.3) — your methodology.
- Statement of Applicability (clause 6.1.3 d) — every Annex A control, whether it applies, and why.
- Risk treatment plan (clause 6.1.3 e) — how selected controls get implemented.
- Information security objectives (clause 6.2).
- Evidence of competence (clause 7.2).
The mandatory records
You also need records that demonstrate the ISMS is operating:
- Results of risk assessments and risk treatment (clauses 8.2–8.3).
- Monitoring and measurement evidence (clause 9.1).
- Internal audit programme and results (clause 9.2).
- Management review minutes (clause 9.3).
- Nonconformities and corrective actions (clause 10.2).
The Annex A policies you'll need in practice
Annex A controls are selected via your Statement of Applicability, so the exact set depends on your scope. In practice, almost every organization ends up documenting:
- An access control policy and acceptable use policy.
- A supplier / third-party security policy.
- An information security incident response plan.
- A business continuity and ICT readiness plan.
- A cryptography and key management policy.
- A security awareness and training programme.
How long should this take?
Drafting this set by hand, or paying a consultant to do it, typically takes several weeks. The content is fairly standardized, though, which is exactly why it lends itself to generation. CompliWiseAI produces the full ISMS document set, tailored to your scope, industry and risk level, in minutes; your team then reviews, edits and approves. See the ISO 27001 documentation generator for the complete list of what it produces.
A note on audits
Documents are necessary but not sufficient. An auditor wants to see that the policies are *implemented and operating*, not just written. Use the document set as the backbone, then make sure the controls it describes are real in your environment.
Ready to skip the blank page? Start a free workspace and generate your first ISO 27001 document today.