Skip to content

ISO/IEC 27001:2022 ยท The document set

Every ISO 27001 document you need, generated for your business

A certifiable ISO 27001 set is around 36 documents: a core set plus the topic policies that match your scope. Here is the full list, each mapped to the clause or control it satisfies, and how PolicyMint generates the set for you.

Overview

What is ISO 27001 documentation?

ISO 27001 documentation is the set of policies, procedures, plans and records that prove your information security management system (ISMS) exists, is run, and works. It is what an auditor reads to decide whether to certify you, and it is the single biggest piece of work in getting certified.

The standard does not hand you a numbered checklist. It specifies documented information by requirement, spread across the management clauses (4 to 10) and Annex A. That is why document counts differ between sources. What matters is that every document ties back to a clause or control, which is how you keep the set defensible instead of padded.

The document list

Every ISO 27001 document, mapped to what it satisfies

A core set that sits in every ISMS, plus topic policies and registers you include based on the Annex A controls that apply to you.

The core set 13 documents in every ISMS

Document What it is for Satisfies
ISMS Scope Statement Defines the boundaries of your ISMS: which parts of the business, systems and locations are in scope. 4.3
Information Security Policy Your top-level statement of intent and direction for information security, approved by leadership. 5.2, A.5.1
Information Security Objectives and Plan The measurable security objectives you set, and the plan to achieve them. 6.2
Risk Management Policy How the organisation identifies, owns and treats information security risk. 5.3, 6.1.1
Risk Assessment and Treatment Methodology The repeatable method you use to assess and treat risk, so results stay consistent. 6.1.2, 6.1.3
Information Security Risk Register The live record of identified risks, their owners, treatment and current status. 6.1.2, 6.1.3, 8.2, 8.3
Statement of Applicability The controlling document that lists every Annex A control and records whether it applies and why. 6.1.3
Internal Audit Programme and Report Your programme for auditing the ISMS, and the reports it produces. 9.2
Management Review Record The record of leadership reviewing the ISMS at planned intervals. 9.3
Nonconformity and Corrective Action Register The register of nonconformities and the corrective actions taken to close them. 10.2
Monitoring and Measurement Record What you measure to show the ISMS is working, and the results. 9.1
Competence and Training Record Evidence that the people running the ISMS are competent and trained. 7.2, 7.3
Document Control Procedure How documented information is approved, versioned and kept current. 7.5

Topic policies and registers 23 you include for your scope

Document What it is for Annex A
Access Control Policy Rules for granting, reviewing and removing access to systems and information. A.5, A.8 (7 controls)
Acceptable Use Policy What staff may and may not do with company information and assets. A.5.10
Information Classification and Handling Policy How information is classified, labelled and handled at each level. A.5.12, A.5.13, A.5.14
Cryptography and Key Management Policy When and how encryption and key management are used. A.8.24
Backup Policy What is backed up, how often, and how restores are tested. A.8.13
Logging and Monitoring Policy What events are logged, how logs are protected, and how they are reviewed. A.8.15, A.8.16, A.8.17
Information Security Incident Management Policy How security events are reported, triaged and responded to. A.5, A.6 (6 controls)
Supplier and Third-Party Security Policy Security expectations for suppliers, and how they are managed. A.5.19, A.5.20, A.5.21, A.5.22
Information Asset Inventory The register of information assets and who owns them. A.5.9
Legal and Regulatory Requirements Register The record of legal, regulatory and contractual requirements you must meet. A.5.31
IT Operating Procedures Documented procedures for running IT operations consistently. A.5.37
Confidentiality and NDA Standard The confidentiality and non-disclosure terms people agree to. A.6.6
Configuration Management Standard The baseline secure configuration for systems and devices. A.8.9
Secure Development Policy Security requirements across the software development life cycle. A.8 (7 controls)
ICT Continuity and Disaster Recovery Plan How ICT services recover after disruption, with redundancy where needed. A.5.29, A.5.30, A.8.14
Physical and Environmental Security Policy Protecting facilities, secure areas and equipment. A.7 (14 controls)
Human Resources Security Policy Security through the employment life cycle, from screening to exit. A.6 (5 controls)
Network Security Policy How networks are secured, segregated and filtered. A.8.20, A.8.21, A.8.22, A.8.23
Malware Protection and Vulnerability Management Policy Protection against malware, and how vulnerabilities are managed. A.8.7, A.8.8, A.8.19
Privacy and Data Protection Policy How personal data and records are protected and handled. A.5, A.8 (5 controls)
Endpoint and Remote Working Security Policy Securing laptops, devices and remote working. A.8.1, A.6.7
Change Management Policy How changes to systems are requested, reviewed and released. A.8.32
Cloud Services Security Policy How cloud services are selected, configured and secured. A.5.23

Scope

Which documents do you actually need?

The core set is common to every ISMS. The topic policies are where scope decides. If you do not run your own network, a network security policy may not apply. If you build software, secure development does. Those decisions are recorded, control by control, in your Statement of Applicability.

The Statement of Applicability is the spine of the whole set: it lists every Annex A control and records whether it applies, why, and which document covers it. You can see the full list on our ISO 27001 controls list.

The two things you would otherwise do

Buy a template pack, or argue with a chatbot

Both get you a pile of words. Neither gets you a document set an auditor will accept, and neither tells you when it is wrong.

Tells you which documents you actually need

No

You get everything, applicable or not

No

It does not know your scope

Yes

Every document tiered required, required-if-applicable, or optional, with your progress tracked

Has actually read the standard

Partly

It was written from one, once

No

It recalls the shape of it and fills the rest in

Yes

Drafting is grounded in the licensed clause text for the exact clauses your document maps to

Writes it for your business, not a placeholder

No

[INSERT COMPANY NAME], 40 times

Partly

Only as well as you can describe yourself, every time

Yes

Built from your company profile, and it asks in plain English when it needs something it cannot know

Keeps documents consistent with each other

No

You reconcile 30 documents by hand

No

Fresh context each chat, so it contradicts itself

Yes

Each document is written against what your other documents already committed to

Checks the work before you see it

No

Nothing to check, it is a blank

No

It is confident either way

Yes

Three independent verifiers on a different AI model, plus a repair pass, and you see the marks

Refuses to invent controls you do not have

No

It claims controls generically

No

It will happily describe a SIEM you never bought

Yes

It flags what it does not know instead of guessing, and asks you

Comes out in your branding, ready to issue

No

You format all of it

No

You get raw prose to paste and style

Yes

Your logo and colours, in Word and PDF, identical to what you previewed

See it

What a generated document looks like

Every document comes out in your branding, cites the control it satisfies, and marks anything the AI could not know rather than inventing it.

Northwind Logistics

Information Security Policy

Internal
Mapped controls A.5.1 A.5.9 A.8.2

3. Policy requirements

Needs input

Who approves exceptions to this policy? We have suggested the IT Manager based on your roles.

Verified by 3 independent checks

94%

How it works

How PolicyMint builds your document set

PolicyMint selects the documents and controls that apply from your business profile, drafts each one grounded in the relevant clauses, checks its own work with three independent verifiers running on a different AI model, and then exports the whole set in your branding.

ISO 27001 documents

36

ISO 27001 documents

tiered by what you actually need

ISO 42001 documents

21

ISO 42001 documents

for AI management systems

Clauses and controls mapped

182

Clauses and controls mapped

every document cites the ones it satisfies

Verifiers per section

3

Verifiers per section

on a different model to the writer

Be clear

Documentation is not certification

Producing the documents is the job PolicyMint does. The audit, the training and the exam are separate. For training, the Mindset Cyber family runs PECB-accredited ISO 27001 courses, and MindsetPrep covers exam preparation. For what certification costs, Mindset Cyber publishes a cost breakdown.

PolicyMint produces the documentation you are audited against, not the certificate itself.

ISO 27001 documentation FAQ

ISO 27001 documentation, answered

The questions people ask before they start on the document set.

What documents do I need for ISO 27001?

A certifiable ISO 27001 set is around 36 documents: a core set (scope, the top-level policy, objectives, the risk documents, the Statement of Applicability, and the operate-audit-improve records) plus topic policies and registers you include based on which Annex A controls apply to you.

How many documents are mandatory for ISO 27001?

ISO 27001 mandates documented information rather than a fixed list, but a core of around 13 documents sits in every ISMS: scope, the security policy, objectives, the risk documents, the Statement of Applicability, and the audit, review and improvement records. On top of that, a topic policy becomes necessary for you when the Annex A control it covers applies to your scope, so the real number depends on your business.

Does ISO 27001 have an official document list?

No. ISO 27001 specifies documented information by requirement, not as a numbered checklist, which is why counts vary between sources. We map each document to the clause or Annex A control it satisfies, so the set is defensible in an audit.

What is the Statement of Applicability?

It is the controlling document that lists every Annex A control and records whether it applies, the justification, and the linked policy. It is the spine an auditor works from. You can see the full list of controls it covers on our ISO 27001 controls list.

Can I just use ISO 27001 templates?

You can, but a template pack hands you blank files with placeholders to fill in and does not know your business. PolicyMint generates the same documents written for how you actually operate, in your branding, and checked before you see them.

Do I need all 36 documents?

No. Every organisation keeps the core set. The topic policies apply based on your scope: if you do not run your own network, you may not need a network security policy. Your Statement of Applicability records those decisions.

Is the documentation enough to get certified?

The documentation is what you are audited against, but certification also involves implementing the controls and passing a two-stage audit by an accredited body. PolicyMint produces the documents; the audit, training and exam are separate.

How does PolicyMint generate the documents?

It reads your business profile, selects the documents and controls that apply, drafts each one grounded in the relevant clauses, checks the draft with independent verifiers, and exports the whole set in your branding.

Stop staring at an empty document set

Set up your business once. Get the documents you actually need, written for how you really operate, in your branding, checked before you see them.

Coming soon

When we launch, your first documents are on us. No credit card, no sales call.