ISO 27001 Policies and Procedures: What You Need and How to Document Them

ISO 27001 Policies

ISO 27001 policies and procedures are the documented backbone of every compliant ISMS — and they are among the most frequently deficient elements in first-time certification audits. ISO 27001 does not simply ask whether security policies exist. It asks whether they are formally approved by appropriate management authority, communicated to all relevant personnel, subject to a documented review and update cycle, and consistent with the organization’s risk assessment output.

According to ISMS.online, documentation deficiencies are among the top three sources of Stage 1 nonconformity findings across first-time ISO 27001 certification audits globally. The ISO/IEC 27001:2022 standard specifies a defined set of mandatory documented information requirements — organizations that understand this list precisely consistently achieve Stage 1 clearance without significant documentation findings.

Tl; DR:

Concern: Many organizations pursuing ISO 27001 certification download policy templates, make minimal edits, and submit them as ISMS documentation — only to discover during Stage 1 audit that generic, context-free policies fail to demonstrate the organization-specific governance that ISO 27001 actually requires.
Overview: ISO 27001 policies and procedures are the documented foundation of the ISMS. They must be organization-specific, formally approved, communicated to relevant personnel, and consistent with the risk assessment output. ISO/IEC 27001:2022 specifies a mandatory set of documented information requirements that every certified organization must maintain.
Solution: Organizations that build ISO 27001 policies and procedures systematically — starting from the mandatory requirements, adding controls-specific procedures referenced in the SoA, and maintaining them through a documented review cycle — produce a documentation set that satisfies Stage 2 auditors and provides genuine governance value. CertPro CPA LLC helps organizations build complete, audit-ready ISMS documentation.

ISO 27001 Mandatory Documents — The Complete List

Document Required By Notes
ISMS Scope Statement Clause 4.3 Must justify boundaries
Information Security Policy Clause 5.2 Top management approved
Risk Assessment Methodology Clause 6.1.2 Documented before assessment is conducted
Risk Assessment Results Clause 6.1.2 Risk register with scores and ownership
Risk Treatment Process Clause 6.1.3 Treatment options and control selection
Statement of Applicability Clause 6.1.3(d) All 93 Annex A controls addressed
Information Security Objectives Clause 6.2 Measurable with plans to achieve them
Competence Evidence Clause 7.2 Training records, qualifications
Operational Planning & Control Evidence Clause 8.1 Evidence controls are being operated
Monitoring and Measurement Results Clause 9.1 ISMS performance metrics and results
Internal Audit Programme Clause 9.2 Schedule, criteria, scope
Internal Audit Results Clause 9.2 Audit reports with findings
Management Review Results Clause 9.3 Inputs reviewed, decisions made
Nonconformity and Corrective Action Records Clause 10.1 Root cause analysis and resolution
Asset Inventory Annex A 5.9 All in-scope information assets
Access Control Policy Annex A 5.15 Rules for granting and revoking access
Incident Management Procedure Annex A 5.24 Detection, response, recovery process
Business Continuity Plan Annex A 5.29/5.30 ICT continuity and recovery plans
Cryptography Policy Annex A 8.24 Cryptographic controls and key management
Secure Development Policy Annex A 8.25 SDLC security requirements

ISO 27001 Information Security Policy — What It Must Contain

The information security policy is the highest-level governance document in the ISMS and the first document Stage 1 auditors review. Under ISO/IEC 27001:2022 Clause 5.2, the information security policy must:

  • Be appropriate to the purpose of the organization
  • Include information security objectives or provide a framework for setting them
  • Include a commitment to satisfy applicable information security requirements
  • Include a commitment to continual improvement of the ISMS
  • Be formally approved by top management — not delegated to the IT department
  • Be communicated within the organization — with evidence of communication
  • Be available to interested parties as appropriate — customers, suppliers, regulators

For a comprehensive deep-dive into information security policy content, structure, and common pitfalls, see information security policy.

ISO 27001 Policies List — Key Policies and Procedures to Build

Access Control Policy

Documents the rules for granting, modifying, reviewing, and revoking access to information systems and data. Must address: user registration and de-registration, privilege management, password requirements, access review cycles, and privileged access controls. For more on access control implementation, see role-based access control.

ISO 27001 Password Policy

Documents minimum password complexity requirements, maximum password age, rotation schedules, password storage and transmission security requirements, multi-factor authentication obligations, and password manager usage guidance.

Asset Management Policy

Documents how the organization identifies, classifies, labels, and manages information assets across their full lifecycle — from acquisition through disposal. For asset inventory building guidance, see how to build an asset inventory for ISO 27001.

Information Classification Policy

Documents the organization’s information classification scheme — typically Public, Internal, Confidential, Restricted or equivalent — with definitions, handling requirements, and labelling standards for each classification level.

Incident Response Policy and Procedure

Documents the full lifecycle of information security incident management — detection, reporting channels, classification criteria, investigation process, escalation thresholds, recovery procedures, and post-incident review.

Supplier Security Policy

Documents the organization’s requirements for third-party suppliers and service providers — including security requirements in supplier agreements, supplier risk assessment process, ongoing monitoring mechanisms, and exit/transition security requirements. Must address the new 2022 controls 5.21 (ICT supply chain) and 5.23 (cloud services).

Data Retention and Disposal Policy

Documents how the organization retains, archives, and securely disposes of information assets and storage media. Must address Annex A control 8.10 (Information Deletion — new in 2022). For organizations managing data privacy obligations, see data retention policy best practices.

Remote Working Policy

Documents the security requirements for personnel accessing organizational information assets from remote locations. Required by Annex A control 6.7 — one of the 11 new controls introduced in the 2022 revision.

Secure Development Policy

Documents the security requirements that apply throughout the software development lifecycle — including secure coding standards, security testing requirements, code review processes, and development environment security. Must address Annex A controls 8.25 through 8.28, including the new 2022 secure coding control (8.28).

ISO 27001 Documentation Standards — What Every Policy Must Meet

  • Organization-specific content: The policy must reflect the organization’s actual operational reality — not generic template language. Auditors recognize template language and will question whether the document reflects genuine governance.
  • Formal approval: Every policy must carry a formal approval record — document title, version number, approval date, and approver name.
  • Version control: Every policy must have a version number, issue date, and document history showing previous versions and changes made.
  • Defined review cycle: Every policy must specify when it will next be reviewed — typically annually — and the review must actually happen with a new version or a documented ‘no change required’ decision.
  • Communication evidence: There must be evidence that the policy has been communicated to all relevant personnel — email distribution records, intranet publication records, training completion records, or signed acknowledgement forms.
  • Consistency with risk assessment: Control-level policies must be consistent with the risk assessment output and the SoA. A policy that contradicts the risk treatment decisions is a red flag for Stage 1 auditors.

Organizations managing large policy libraries benefit significantly from compliance documentation management platforms that automate review reminders, track approval workflows, and maintain document history.

ISO 27001 Documentation — The Annual Review Cycle

All ISO 27001 policies must be reviewed at minimum annually and whenever significant changes occur to the organization’s risk profile, operational environment, regulatory obligations, or ISMS scope. Building internal audit procedures that include annual documentation currency review as a standard audit activity maintains policy compliance sustainably.

Documentation review should check: Is the policy still accurate for current operations? Has the risk profile changed in ways that require policy updates? Are there new regulatory obligations not reflected in current policies? Have incident findings revealed policy gaps? For organizations managing ISO 27001 alongside other compliance frameworks, see IT compliance best practices.

Ready to Get ISO 27001 Certified?

CertPro CPA LLC is a licensed CPA firm delivering ISO 27001 certification audits. Work with credentialed auditors who understand your business environment.

Schedule your ISO 27001 certification discussion →

FAQ

What ISO 27001 policies are mandatory?

ISO/IEC 27001:2022 mandates specific documented information at both clause level and Annex A control level. Core mandatory documents include the ISMS scope statement, information security policy, risk assessment methodology and results, risk treatment process, Statement of Applicability, information security objectives, competence records, internal audit programme and results, management review results, and nonconformity and corrective action records.

What should an ISO 27001 information security policy contain?

The information security policy must be appropriate to the organization’s purpose, include information security objectives or a framework for setting them, include commitments to satisfy applicable requirements and to continual improvement, be formally approved by top management, be communicated within the organization with evidence of communication, and be available to interested parties.

What is the ISO 27001 password policy?

The ISO 27001 password policy documents minimum password complexity requirements, maximum password age, rotation rules, password storage and transmission security requirements, multi-factor authentication obligations, and password manager usage guidance. It must be consistent with Annex A controls 5.17 (Authentication Information) and 8.5 (Secure Authentication).

How many policies does ISO 27001 require?

ISO 27001 does not specify a fixed number of policies. In practice, a complete ISO 27001 documentation set for a mid-sized organization typically includes twelve to twenty-five core policies and procedures plus supporting operational records. The exact number depends on ISMS scope, risk profile, and the Annex A controls selected in the SoA.

How often should ISO 27001 policies be reviewed?

ISO 27001 policies should be reviewed at minimum annually and whenever significant changes occur to the organization’s risk profile, operational environment, regulatory obligations, or ISMS scope. Review completion must be documented with a new version number or a recorded no-change decision.

Can I use ISO 27001 policy templates?

Policy templates are a useful starting point but must be substantially customized to reflect the organization’s specific operational context, risk profile, regulatory environment, and ISMS scope. Generic template language that has not been adapted to organizational reality is a common source of Stage 1 nonconformity findings.

Schedule A Meeting