Documented information requirements for ISO 27001
The term "documented information" is used 27 times within ISO 27001:2022. There is no single correct way to manage your documented information, but the following are some key documents you would be expected to maintain.
| Document | Description | Notes |
| --- | --- | --- |
| ISMS Manual | A document defining the scope of the ISMS, who the relevant stakeholders are, their needs, and who is responsible for what within the ISMS. | This is ideal for holding documented information pertaining to: |
| Information Security Policy | A high-level document outlining the organization's approach to information security. | Pertains to: |
| Risk Assessment and Treatment Methodology | A defined process to ensure that information security risk assessments are consistent, valid, and comparable. | Pertains to: |
| Statement of Applicability (SoA) | A document listing the necessary controls, the justification for their inclusion or exclusion, and their current implementation status. | Pertains to: |
| Information Security Objectives | Documented goals that are consistent with the Information Security Policy. | Pertains to: |
| Risk Assessment and Treatment Results | Evidence that risk assessments and treatment plans have been performed and implemented as planned. | Pertains to: |
| Internal Audit Programme and Results | Documentation of the audit schedule and evidence of the audit results, demonstrating that the ISMS is effectively maintained. | Pertains to: |
| Management Review Results | Evidence of the outcomes of top management's reviews of the ISMS, including decisions on improvements. | Pertains to: |
| Nonconformity and Corrective Action Logs | Records detailing the nature of nonconformities, the actions taken to correct them, and the results of those actions. | Pertains to: |