Here are the items you must document if you want to be compliant with ISO 27001, and the most common ways to title those documents:
| What must be documented | ISO 27001 reference | Usually documented through |
|---|---|---|
| Scope of the ISMS | Clause 4.3 | ISMS Scope document |
| Information security policy | Clause 5.2 | Information Security Policy |
| Risk assessment and risk treatment process | Clause 6.1.2 | Risk Management Framework |
| Statement of Applicability | Clause 6.1.3 d) | Statement of Applicability |
| Risk treatment plan | Clauses 6.1.3 e), 6.2, and 8.3 | Risk Treatment Plan |
| Information security objectives | Clause 6.2 | List of Security Objectives |
| Risk assessment and treatment report | Clauses 8.2 and 8.3 | Risk Assessment & Treatment Report |
| Inventory of assets | Control A.5.9* | Inventory of Assets, or List of Assets in the Risk Register |
| Acceptable use of assets | Control A.5.10* | IT Security Policy |
| Incident response procedure | Control A.5.26* | Incident Management Procedure |
| Statutory, regulatory, and contractual requirements | Control A.5.31* | List of Legal, Regulatory, and Contractual Requirements |
| Security operating procedures for IT management | Control A.5.37* | Security Procedures for IT Department |
| Definition of security roles and responsibilities | Controls A.6.2 and A.6.6* | Agreements, NDAs, and specifying responsibilities in each security policy and procedure |
| Definition of security configurations | Control A.8.9* | Security Procedures for IT Department |
| Secure system engineering principles | Control A.8.27* | Secure Development Policy |