Preparation —
ISO 27001 Documentation Essentials
ISO 27001 compliance needs clear policies, risk assessments, SoA, audit records, and updated procedures.
Share this article
ISO 27001 Documentation Essentials
Auditors don't just check whether your documentation exists — they check whether it's traceable: whether a policy statement connects to a real risk assessment, whether a risk treatment plan connects to actual evidence of control operation, whether an audit finding connects to a closed corrective action. Documentation that exists in isolated, disconnected pieces fails this check even when each individual document looks fine on its own.
This page maps the documents ISO 27001 requires and what each one needs to connect to. For implementation depth on any single piece, the linked pages go further than a summary can.
Mandatory Documentation
Information security policy — your organization's top-level commitment to information security, approved by leadership and reviewed on a defined cadence. See Building ISO 27001 Policies with Templates for what this and the other core policies need to contain.
Scope of the ISMS — the documented boundaries of what your management system covers: which business units, systems, and locations are in scope, and what's explicitly excluded. See What Are the ISO 27001 Requirements? for how scope fits into the broader requirement structure.
Statement of Applicability (SoA) — the record mapping every Annex A control to a decision: implemented, partially implemented, or excluded, with justification either way. This is one of the most heavily scrutinized documents in a certification audit, because a missing justification for an excluded control is an immediate finding.
Risk assessment and treatment methodology — your documented approach to identifying, analyzing, and treating risk, applied consistently rather than ad hoc. See Conducting an ISO 27001 Risk Assessment for the mechanics.
Risk treatment plan — the specific actions, owners, and deadlines tied to each identified risk. This document is checked against the SoA: every control marked "implemented" in the SoA should trace back to a risk it's treating.
Evidence of control operation — logs, reports, screenshots, ticket exports, and other artifacts proving controls are functioning, not just documented. This is where most documentation gaps actually surface, since it's easier to write a policy than to maintain ongoing evidence behind it.
Internal audit and management review records — documented findings, minutes, and decisions from both processes, with enough detail to show they were substantive rather than procedural. See Running an ISO 27001 Internal Audit.
Corrective action records — root cause analysis and verification for every logged nonconformity, not just a note that it was "resolved."
Supporting Procedures
Beyond the mandatory documents above, auditors expect documented procedures for the operational processes Annex A controls depend on — access control, incident response, and business continuity chief among them. These procedures get checked for internal consistency: does the access control procedure reference the same roles your org chart actually has? Does the incident response procedure name systems that match your current asset inventory? A procedure that hasn't been updated since it was written, while the underlying systems or org structure changed, is a common source of audit findings — not because the procedure is wrong in isolation, but because it no longer matches reality.
Why Documentation Goes Stale
Documentation tends to drift out of date for a specific reason: it's usually written once, during initial certification push, and then deprioritized once the certificate is issued. But ISO 27001's Clause 10 continual improvement requirement means documentation has to keep pace with the business — new systems, new vendors, organizational changes, and evolving risk all require updates, and a surveillance audit will check for exactly this kind of drift.
Before any audit — internal or external — a documentation review should confirm: version dates are current, named owners are still accurate (not the previous person's name on a policy), and cross-references between documents (policy to risk assessment, SoA to evidence) actually hold up. Preparing for an ISO 27001 Audit covers this review process in more detail.
Documentation Overlap Across Frameworks
Organizations pursuing multiple certifications — ISO 27001 alongside SOC 2, GDPR, or HIPAA — often find significant documentation overlap: risk assessments, access control procedures, and incident response plans can frequently serve more than one framework with light adaptation rather than separate documents built from scratch. ISO 27001 vs. SOC 2 covers where these frameworks align and where they genuinely diverge, which is useful before assuming any one document can be reused as-is across both.
In the Spotlight

Start your ISO 27001 compliance journey with DSALTA's complete checklist.
ISO® 27001 is the international gold standard for information security management systems (ISMS). Certification shows your organization can manage sensitive information securely and reliably.
Although ISO 27001 looks challenging, DSALTA®’s automation makes it easier: mapping risks, collecting evidence, and monitoring controls in real time. This checklist gives you a clear step- by-step roadmap.
Read more about ISO 27001 certificate with DSALTA.
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.




