Documented Information for ISO 27001 Information Security
ISO 27001 Clause 7.5
This sub-clause requires the organisation to maintain the documented information required by the standard and control it for availability, distribution, change and retention.
ISO 27001 Clause 7.5 - Documented Information
Documented information is the term ISO 27001 uses for both documents (policies, procedures, plans) and records (evidence of activities, completed forms, audit results). Clause 7.5 covers what documented information the ISMS needs to have, how it should be created and updated, and how it should be controlled.
What ISO 27001 Clause 7.5 Requires
The clause has three parts. Clause 7.5.1 General requires the ISMS to include the documented information required by ISO 27001 and any additional documented information the organisation determines is needed for the effectiveness of the ISMS.
Clause 7.5.2 Creating and updating requires that when creating or updating documented information the organisation makes sure of appropriate identification and description (such as title, date, author or reference number), format and media, and review and approval for suitability and adequacy.
Clause 7.5.3 Control of documented information requires the documented information to be controlled to make sure it is available and suitable for use where and when needed, and adequately protected. The control activities must address distribution, access, retrieval and use, storage and preservation, control of changes, and retention and disposition. Documented information of external origin that the organisation has determined to be necessary for the planning and operation of the ISMS must be identified and controlled.
What Documented Information Does ISO 27001 Require
The standard names some documented information explicitly: the scope of the ISMS, the information security policy, the information security objectives, the risk assessment process, the risk treatment process, the Statement of Applicability, the risk treatment plan, evidence of competence, evidence of monitoring and measurement, evidence of internal audits and management reviews, and evidence of nonconformities and corrective actions. These are the items the auditor will look for at a certification audit.
Beyond this, the organisation decides what additional documented information it needs. Most ISMS implementations include supporting policies for the major Annex A control areas, procedures for key activities like incident response and access management, and registers covering assets, suppliers, personal data and so on.
How to Control Documented Information
Most organisations use a document register as the central tool for controlling documented information. The register lists each controlled document, its owner, its current version, when it was last reviewed and when the next review is due. New documents are added to the register, and obsolete ones are removed.
The control of documents of external origin - things like supplier contracts, regulatory guidance, customer requirements documents - usually means a section in the document register or a separate external documents register. The control is about being able to find the right version when it is needed, not about owning the content.
Examples Are Examples, Not Requirements
The standard gives examples of identification methods - title, date, author, reference number. These are examples, not individual requirements. The organisation is not required to have all of them on every document. What is required is that the organisation has chosen an approach to identification that works and applies it consistently.
Most organisations over-document at first. They produce policies for everything, procedures for everything and forms for everything. Two years later half of it is out of date and nobody is using it. Better to start with what is genuinely needed and add as you go than to drown in paper from day one.
The document register is the first place I go to check this clause. I sample a few entries, check that the version on the register matches the version in use, and check that the review dates are being kept up. If the register is out of date or hard to find, the rest of the system is usually struggling too.
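The spot check described above, as an added example rather than anything from the page or the alphaZ toolkit: it reads a constructed document register (the column names, sample rows and audit date are assumptions) and reports the Clause 7.5.3 gaps an auditor samples for, namely a register version that does not match the version in use, a lapsed review date and a missing owner.

```python
"""Added example: a Clause 7.5-style check over a document register.

Not code from the page; the register layout and sample rows are constructed
to match the fields the article describes (owner, version, last review,
next review) plus a 'version_in_use' column for the version spot check.
"""
import csv
import io
from datetime import date

# Constructed sample register (assumption: CSV with these column names).
REGISTER_CSV = """\
id,title,owner,version,version_in_use,last_review,next_review,location
F-IMS20,Document Register,ISMS Manager,3.1,3.1,2024-01-10,2025-01-10,SharePoint/ISMS
POL-01,Information Security Policy,CISO,2.0,1.4,2023-06-01,2024-06-01,SharePoint/Policies
PRC-07,Incident Response Procedure,,1.2,1.2,2024-03-15,2025-03-15,SharePoint/Procedures
EXT-02,Supplier Contract (Hosting),Procurement,2024-rev,2024-rev,2024-02-01,2025-02-01,Contracts/
"""

# Assumed audit date for the sample run.
AUDIT_DATE = date(2024, 9, 1)


def check_register(csv_text: str, today: date) -> dict[str, list[str]]:
    """Return the control gaps found, keyed by document id.

    Checks the three things the auditor's sample looks for: the register
    version matches the version actually in use, the next review date has
    not lapsed, and every controlled document has a named owner.
    """
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["version"] != row["version_in_use"]:
            issues.append(f"version mismatch: register {row['version']} vs in use {row['version_in_use']}")
        if date.fromisoformat(row["next_review"]) < today:
            issues.append(f"review overdue since {row['next_review']}")
        if not row["owner"].strip():
            issues.append("no owner assigned")
        if issues:
            findings[row["id"]] = issues
    return findings


if __name__ == "__main__":
    for doc_id, issues in check_register(REGISTER_CSV, AUDIT_DATE).items():
        print(doc_id, "->", "; ".join(issues))
```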
Practical Compliance Guidance
The document register is the central control for documented information. The ISO 27001:2022 Documentation Checklist provides a complete list of the documents and records the standard expects to see, useful both for setting up the ISMS and for checking it before audit.
The documents below support the creation, control and review of documented information for an ISO 27001 management system.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including the document register and the documentation checklist. |
| F-IMS20 Document Register | Master register of controlled documents with owners, versions, review dates and locations. Used as the central control for Clause 7.5. |
| A-C ISO 27001:2022 Documentation Checklist | Checklist of the documented information that ISO 27001:2022 expects, used during set-up and as a pre-audit check. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
The following UK legislation creates specific obligations around the retention and protection of documented information, which influence how Clause 7.5 is implemented.
