Mandatory requirements for ISO/IEC 27001:2013 certification

Mandatory requirements for certification

ISO/IEC 27001 is a formalized specification for an ISMS with two distinct purposes:

  1. It lays out, at a fairly high level, what an organization can do in order to implement an ISMS;
  2. It can (optionally) be used as the basis for formal compliance assessment by accredited certification auditors in order to certify an organization.

The following mandatory documentation (or rather “documented information” in the curiously stilted language of the standard) is explicitly required for certification:

  1. ISMS scope (as per clause 4.3)
  2. Information security policy (clause 5.2)
  3. Information security risk assessment process (clause 6.1.2)
  4. Information security risk treatment process (clause 6.1.3)
  5. Information security objectives (clause 6.2)
  6. Evidence of the competence of the people working in information security (clause 7.2)
  7. Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b)
  8. Operational planning and control documents (clause 8.1)
  9. The results of the risk assessments (clause 8.2)
  10. The decisions regarding risk treatment (clause 8.3)
  11. Evidence of the monitoring and measurement of information security (clause 9.1)
  12. The ISMS internal audit program and the results of audits conducted (clause 9.2)
  13. Evidence of top management reviews of the ISMS (clause 9.3)
  14. Evidence of nonconformities identified and corrective actions arising (clause 10.1)
  15. Various others: Annex A, which is normative, mentions but does not fully specify further documentation including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws, regulations and contractual obligations plus the associated compliance procedures and information security continuity procedures.

Certification auditors will almost certainly check that these fifteen types of documentation are (a) present, and (b) fit for purpose.  The standard does not specify precisely what form the documentation should take, but section 7.5.2 talks about aspects such as the titles, authors, formats, media, review and approval, while 7.5.3 concerns document control, implying a fairly formal ISO 9000-style approach.