Northwind Logistics
Information Security Policy
3. Policy requirements
Who approves exceptions to this policy? We have suggested the IT Manager based on your roles.
Verified by 3 independent checks
94%ISO/IEC 27001:2022 ยท The document set
A certifiable ISO 27001 set is around 36 documents: a core set plus the topic policies that match your scope. Here is the full list, each mapped to the clause or control it satisfies, and how PolicyMint generates the set for you.
Overview
ISO 27001 documentation is the set of policies, procedures, plans and records that prove your information security management system (ISMS) exists, is run, and works. It is what an auditor reads to decide whether to certify you, and it is the single biggest piece of work in getting certified.
The standard does not hand you a numbered checklist. It specifies documented information by requirement, spread across the management clauses (4 to 10) and Annex A. That is why document counts differ between sources. What matters is that every document ties back to a clause or control, which is how you keep the set defensible instead of padded.
The document list
A core set that sits in every ISMS, plus topic policies and registers you include based on the Annex A controls that apply to you.
| Document | What it is for | Satisfies |
|---|---|---|
| ISMS Scope Statement | Defines the boundaries of your ISMS: which parts of the business, systems and locations are in scope. | 4.3 |
| Information Security Policy | Your top-level statement of intent and direction for information security, approved by leadership. | 5.2, A.5.1 |
| Information Security Objectives and Plan | The measurable security objectives you set, and the plan to achieve them. | 6.2 |
| Risk Management Policy | How the organisation identifies, owns and treats information security risk. | 5.3, 6.1.1 |
| Risk Assessment and Treatment Methodology | The repeatable method you use to assess and treat risk, so results stay consistent. | 6.1.2, 6.1.3 |
| Information Security Risk Register | The live record of identified risks, their owners, treatment and current status. | 6.1.2, 6.1.3, 8.2, 8.3 |
| Statement of Applicability | The controlling document that lists every Annex A control and records whether it applies and why. | 6.1.3 |
| Internal Audit Programme and Report | Your programme for auditing the ISMS, and the reports it produces. | 9.2 |
| Management Review Record | The record of leadership reviewing the ISMS at planned intervals. | 9.3 |
| Nonconformity and Corrective Action Register | The register of nonconformities and the corrective actions taken to close them. | 10.2 |
| Monitoring and Measurement Record | What you measure to show the ISMS is working, and the results. | 9.1 |
| Competence and Training Record | Evidence that the people running the ISMS are competent and trained. | 7.2, 7.3 |
| Document Control Procedure | How documented information is approved, versioned and kept current. | 7.5 |
| Document | What it is for | Annex A |
|---|---|---|
| Access Control Policy | Rules for granting, reviewing and removing access to systems and information. | A.5, A.8 (7 controls) |
| Acceptable Use Policy | What staff may and may not do with company information and assets. | A.5.10 |
| Information Classification and Handling Policy | How information is classified, labelled and handled at each level. | A.5.12, A.5.13, A.5.14 |
| Cryptography and Key Management Policy | When and how encryption and key management are used. | A.8.24 |
| Backup Policy | What is backed up, how often, and how restores are tested. | A.8.13 |
| Logging and Monitoring Policy | What events are logged, how logs are protected, and how they are reviewed. | A.8.15, A.8.16, A.8.17 |
| Information Security Incident Management Policy | How security events are reported, triaged and responded to. | A.5, A.6 (6 controls) |
| Supplier and Third-Party Security Policy | Security expectations for suppliers, and how they are managed. | A.5.19, A.5.20, A.5.21, A.5.22 |
| Information Asset Inventory | The register of information assets and who owns them. | A.5.9 |
| Legal and Regulatory Requirements Register | The record of legal, regulatory and contractual requirements you must meet. | A.5.31 |
| IT Operating Procedures | Documented procedures for running IT operations consistently. | A.5.37 |
| Confidentiality and NDA Standard | The confidentiality and non-disclosure terms people agree to. | A.6.6 |
| Configuration Management Standard | The baseline secure configuration for systems and devices. | A.8.9 |
| Secure Development Policy | Security requirements across the software development life cycle. | A.8 (7 controls) |
| ICT Continuity and Disaster Recovery Plan | How ICT services recover after disruption, with redundancy where needed. | A.5.29, A.5.30, A.8.14 |
| Physical and Environmental Security Policy | Protecting facilities, secure areas and equipment. | A.7 (14 controls) |
| Human Resources Security Policy | Security through the employment life cycle, from screening to exit. | A.6 (5 controls) |
| Network Security Policy | How networks are secured, segregated and filtered. | A.8.20, A.8.21, A.8.22, A.8.23 |
| Malware Protection and Vulnerability Management Policy | Protection against malware, and how vulnerabilities are managed. | A.8.7, A.8.8, A.8.19 |
| Privacy and Data Protection Policy | How personal data and records are protected and handled. | A.5, A.8 (5 controls) |
| Endpoint and Remote Working Security Policy | Securing laptops, devices and remote working. | A.8.1, A.6.7 |
| Change Management Policy | How changes to systems are requested, reviewed and released. | A.8.32 |
| Cloud Services Security Policy | How cloud services are selected, configured and secured. | A.5.23 |
Scope
The core set is common to every ISMS. The topic policies are where scope decides. If you do not run your own network, a network security policy may not apply. If you build software, secure development does. Those decisions are recorded, control by control, in your Statement of Applicability.
The Statement of Applicability is the spine of the whole set: it lists every Annex A control and records whether it applies, why, and which document covers it. You can see the full list on our ISO 27001 controls list.
The two things you would otherwise do
Both get you a pile of words. Neither gets you a document set an auditor will accept, and neither tells you when it is wrong.
Template pack
A folder of Word files
Prompting an LLM
You, ChatGPT and a deadline
PolicyMint
Purpose-built for the standards
Tells you which documents you actually need
You get everything, applicable or not
It does not know your scope
Every document tiered required, required-if-applicable, or optional, with your progress tracked
Has actually read the standard
It was written from one, once
It recalls the shape of it and fills the rest in
Drafting is grounded in the licensed clause text for the exact clauses your document maps to
Writes it for your business, not a placeholder
[INSERT COMPANY NAME], 40 times
Only as well as you can describe yourself, every time
Built from your company profile, and it asks in plain English when it needs something it cannot know
Keeps documents consistent with each other
You reconcile 30 documents by hand
Fresh context each chat, so it contradicts itself
Each document is written against what your other documents already committed to
Checks the work before you see it
Nothing to check, it is a blank
It is confident either way
Three independent verifiers on a different AI model, plus a repair pass, and you see the marks
Refuses to invent controls you do not have
It claims controls generically
It will happily describe a SIEM you never bought
It flags what it does not know instead of guessing, and asks you
Comes out in your branding, ready to issue
You format all of it
You get raw prose to paste and style
Your logo and colours, in Word and PDF, identical to what you previewed
See it
Every document comes out in your branding, cites the control it satisfies, and marks anything the AI could not know rather than inventing it.
Northwind Logistics
Information Security Policy
3. Policy requirements
Who approves exceptions to this policy? We have suggested the IT Manager based on your roles.
Verified by 3 independent checks
94%How it works
PolicyMint selects the documents and controls that apply from your business profile, drafts each one grounded in the relevant clauses, checks its own work with three independent verifiers running on a different AI model, and then exports the whole set in your branding.
36
ISO 27001 documents
tiered by what you actually need
21
ISO 42001 documents
for AI management systems
182
Clauses and controls mapped
every document cites the ones it satisfies
3
Verifiers per section
on a different model to the writer
Be clear
Producing the documents is the job PolicyMint does. The audit, the training and the exam are separate. For training, the Mindset Cyber family runs PECB-accredited ISO 27001 courses, and MindsetPrep covers exam preparation. For what certification costs, Mindset Cyber publishes a cost breakdown.
PolicyMint produces the documentation you are audited against, not the certificate itself.
ISO 27001 documentation FAQ
The questions people ask before they start on the document set.
A certifiable ISO 27001 set is around 36 documents: a core set (scope, the top-level policy, objectives, the risk documents, the Statement of Applicability, and the operate-audit-improve records) plus topic policies and registers you include based on which Annex A controls apply to you.
ISO 27001 mandates documented information rather than a fixed list, but a core of around 13 documents sits in every ISMS: scope, the security policy, objectives, the risk documents, the Statement of Applicability, and the audit, review and improvement records. On top of that, a topic policy becomes necessary for you when the Annex A control it covers applies to your scope, so the real number depends on your business.
No. ISO 27001 specifies documented information by requirement, not as a numbered checklist, which is why counts vary between sources. We map each document to the clause or Annex A control it satisfies, so the set is defensible in an audit.
It is the controlling document that lists every Annex A control and records whether it applies, the justification, and the linked policy. It is the spine an auditor works from. You can see the full list of controls it covers on our ISO 27001 controls list.
You can, but a template pack hands you blank files with placeholders to fill in and does not know your business. PolicyMint generates the same documents written for how you actually operate, in your branding, and checked before you see them.
No. Every organisation keeps the core set. The topic policies apply based on your scope: if you do not run your own network, you may not need a network security policy. Your Statement of Applicability records those decisions.
The documentation is what you are audited against, but certification also involves implementing the controls and passing a two-stage audit by an accredited body. PolicyMint produces the documents; the audit, training and exam are separate.
It reads your business profile, selects the documents and controls that apply, drafts each one grounded in the relevant clauses, checks the draft with independent verifiers, and exports the whole set in your branding.
Set up your business once. Get the documents you actually need, written for how you really operate, in your branding, checked before you see them.
When we launch, your first documents are on us. No credit card, no sales call.