ISO 27001:2022 Mandatory Documents for Certification
Here are the mandatory documents required by ISO/IEC 27001:2022 (the 2022 revision) for implementing and certifying an ISMS. This is a summary; depending on your organization's context, some items may or may not apply (in particular, Annex A controls are only required where they are applicable).
Mandatory Documents / Documented Information (Core Requirements)
These are explicitly required by clauses in ISO 27001:2022.
| Document / Information | ISO 27001:2022 Clause | Purpose / Why It's Required |
|---|---|---|
| ISMS Scope Statement | 4.3 | To define the boundaries and applicability of the ISMS. |
| Information Security Policy | 5.2 | Top management commitment; sets direction and principles for the ISMS. |
| Risk Assessment Methodology | 6.1.2 | How risks are identified and assessed, including the scales and criteria used. |
| Risk Treatment Process / Methodology | 6.1.3 | To define how identified risks will be treated. |
| Statement of Applicability (SoA) | 6.1.3(d) | Lists which Annex A controls are applicable or not, and why. |
| Information Security Objectives | 6.2 | Specific, measurable objectives aligned to the policy. |
| Evidence of Competence | 7.2 | Records of the skills, experience and qualifications of persons who affect the ISMS. |
| Operational Planning and Control | 8.1 | Documented information to ensure operations are planned and controlled. |
| Risk Assessment & Risk Treatment Reports / Results | 8.2 & 8.3 | Show the outcomes of risk assessments and risk treatments. |
| Monitoring and Measurement Results | 9.1 | Metrics and measurements that demonstrate ISMS performance. |
| Internal Audit Program & Results | 9.2 | Schedule and reports of internal audits. |
| Management Review Results | 9.3 | Records of top management reviewing the ISMS. |
| Records of Nonconformities and Corrective Actions | 10.1 | Show that issues are identified and corrective actions are taken. |