ISO 27001 Policies and Procedures: What You Need and How to Document Them
ISO 27001 policies and procedures are the documented backbone of every compliant ISMS — and they are among the most frequently deficient elements in first-time certification audits. ISO 27001 does not simply ask whether security policies exist. It asks whether they are formally approved by appropriate management authority, communicated to all relevant personnel, subject to a documented review and update cycle, and consistent with the organization’s risk assessment output.
According to ISMS.online, documentation deficiencies are among the top three sources of Stage 1 nonconformity findings across first-time ISO 27001 certification audits globally. The ISO/IEC 27001:2022 standard specifies a defined set of mandatory documented information requirements — organizations that understand this list precisely consistently achieve Stage 1 clearance without significant documentation findings.
Tl; DR:
Concern: Many organizations pursuing ISO 27001 certification download policy templates, make minimal edits, and submit them as ISMS documentation — only to discover during Stage 1 audit that generic, context-free policies fail to demonstrate the organization-specific governance that ISO 27001 actually requires.
Overview: ISO 27001 policies and procedures are the documented foundation of the ISMS. They must be organization-specific, formally approved, communicated to relevant personnel, and consistent with the risk assessment output. ISO/IEC 27001:2022 specifies a mandatory set of documented information requirements that every certified organization must maintain.
Solution: Organizations that build ISO 27001 policies and procedures systematically — starting from the mandatory requirements, adding controls-specific procedures referenced in the SoA, and maintaining them through a documented review cycle — produce a documentation set that satisfies Stage 2 auditors and provides genuine governance value. CertPro CPA LLC helps organizations build complete, audit-ready ISMS documentation.
ISO 27001 Mandatory Documents — The Complete List
| Document | Required By | Notes |
|---|---|---|
| ISMS Scope Statement | Clause 4.3 | Must justify boundaries |
| Information Security Policy | Clause 5.2 | Top management approved |
| Risk Assessment Methodology | Clause 6.1.2 | Documented before assessment is conducted |
| Risk Assessment Results | Clause 6.1.2 | Risk register with scores and ownership |
| Risk Treatment Process | Clause 6.1.3 | Treatment options and control selection |
| Statement of Applicability | Clause 6.1.3(d) | All 93 Annex A controls addressed |
| Information Security Objectives | Clause 6.2 | Measurable with plans to achieve them |
| Competence Evidence | Clause 7.2 | Training records, qualifications |
| Operational Planning & Control Evidence | Clause 8.1 | Evidence controls are being operated |
| Monitoring and Measurement Results | Clause 9.1 | ISMS performance metrics and results |
| Internal Audit Programme | Clause 9.2 | Schedule, criteria, scope |
| Internal Audit Results | Clause 9.2 | Audit reports with findings |
| Management Review Results | Clause 9.3 | Inputs reviewed, decisions made |
| Nonconformity and Corrective Action Records | Clause 10.1 | Root cause analysis and resolution |
| Asset Inventory | Annex A 5.9 | All in-scope information assets |
| Access Control Policy | Annex A 5.15 | Rules for granting and revoking access |
| Incident Management Procedure | Annex A 5.24 | Detection, response, recovery process |
| Business Continuity Plan | Annex A 5.29/5.30 | ICT continuity and recovery plans |
| Cryptography Policy | Annex A 8.24 | Cryptographic controls and key management |
| Secure Development Policy | Annex A 8.25 | SDLC security requirements |
ISO 27001 Information Security Policy — What It Must Contain
The information security policy is the highest-level governance document in the ISMS and the first document Stage 1 auditors review. Under ISO/IEC 27001:2022 Clause 5.2, the information security policy must:
- Be appropriate to the purpose of the organization
- Include information security objectives or provide a framework for setting them
- Include a commitment to satisfy applicable information security requirements
- Include a commitment to continual improvement of the ISMS
- Be formally approved by top management — not delegated to the IT department
- Be communicated within the organization — with evidence of communication
- Be available to interested parties as appropriate — customers, suppliers, regulators
For a comprehensive deep-dive into information security policy content, structure, and common pitfalls, see information security policy.
ISO 27001 Policies List — Key Policies and Procedures to Build
Access Control Policy
Documents the rules for granting, modifying, reviewing, and revoking access to information systems and data. Must address: user registration and de-registration, privilege management, password requirements, access review cycles, and privileged access controls. For more on access control implementation, see role-based access control.
ISO 27001 Password Policy
Documents minimum password complexity requirements, maximum password age, rotation schedules, password storage and transmission security requirements, multi-factor authentication obligations, and password manager usage guidance.
Asset Management Policy
Documents how the organization identifies, classifies, labels, and manages information assets across their full lifecycle — from acquisition through disposal. For asset inventory building guidance, see how to build an asset inventory for ISO 27001.
Information Classification Policy
Documents the organization’s information classification scheme — typically Public, Internal, Confidential, Restricted or equivalent — with definitions, handling requirements, and labelling standards for each classification level.
Incident Response Policy and Procedure
Documents the full lifecycle of information security incident management — detection, reporting channels, classification criteria, investigation process, escalation thresholds, recovery procedures, and post-incident review.
Supplier Security Policy
Documents the organization’s requirements for third-party suppliers and service providers — including security requirements in supplier agreements, supplier risk assessment process, ongoing monitoring mechanisms, and exit/transition security requirements. Must address the new 2022 controls 5.21 (ICT supply chain) and 5.23 (cloud services).
Data Retention and Disposal Policy
Documents how the organization retains, archives, and securely disposes of information assets and storage media. Must address Annex A control 8.10 (Information Deletion — new in 2022). For organizations managing data privacy obligations, see data retention policy best practices.
Remote Working Policy
Documents the security requirements for personnel accessing organizational information assets from remote locations. Required by Annex A control 6.7 — one of the 11 new controls introduced in the 2022 revision.
Secure Development Policy
Documents the security requirements that apply throughout the software development lifecycle — including secure coding standards, security testing requirements, code review processes, and development environment security. Must address Annex A controls 8.25 through 8.28, including the new 2022 secure coding control (8.28).
ISO 27001 Documentation Standards — What Every Policy Must Meet
- Organization-specific content: The policy must reflect the organization’s actual operational reality — not generic template language. Auditors recognize template language and will question whether the document reflects genuine governance.
- Formal approval: Every policy must carry a formal approval record — document title, version number, approval date, and approver name.
- Version control: Every policy must have a version number, issue date, and document history showing previous versions and changes made.
- Defined review cycle: Every policy must specify when it will next be reviewed — typically annually — and the review must actually happen with a new version or a documented ‘no change required’ decision.
- Communication evidence: There must be evidence that the policy has been communicated to all relevant personnel — email distribution records, intranet publication records, training completion records, or signed acknowledgement forms.
- Consistency with risk assessment: Control-level policies must be consistent with the risk assessment output and the SoA. A policy that contradicts the risk treatment decisions is a red flag for Stage 1 auditors.
Organizations managing large policy libraries benefit significantly from compliance documentation management platforms that automate review reminders, track approval workflows, and maintain document history.
ISO 27001 Documentation — The Annual Review Cycle
All ISO 27001 policies must be reviewed at minimum annually and whenever significant changes occur to the organization’s risk profile, operational environment, regulatory obligations, or ISMS scope. Building internal audit procedures that include annual documentation currency review as a standard audit activity maintains policy compliance sustainably.
Documentation review should check: Is the policy still accurate for current operations? Has the risk profile changed in ways that require policy updates? Are there new regulatory obligations not reflected in current policies? Have incident findings revealed policy gaps? For organizations managing ISO 27001 alongside other compliance frameworks, see IT compliance best practices.
Ready to Get ISO 27001 Certified?
CertPro CPA LLC is a licensed CPA firm delivering ISO 27001 certification audits. Work with credentialed auditors who understand your business environment.
FAQ
What ISO 27001 policies are mandatory?
ISO/IEC 27001:2022 mandates specific documented information at both clause level and Annex A control level. Core mandatory documents include the ISMS scope statement, information security policy, risk assessment methodology and results, risk treatment process, Statement of Applicability, information security objectives, competence records, internal audit programme and results, management review results, and nonconformity and corrective action records.
What should an ISO 27001 information security policy contain?
The information security policy must be appropriate to the organization’s purpose, include information security objectives or a framework for setting them, include commitments to satisfy applicable requirements and to continual improvement, be formally approved by top management, be communicated within the organization with evidence of communication, and be available to interested parties.
What is the ISO 27001 password policy?
The ISO 27001 password policy documents minimum password complexity requirements, maximum password age, rotation rules, password storage and transmission security requirements, multi-factor authentication obligations, and password manager usage guidance. It must be consistent with Annex A controls 5.17 (Authentication Information) and 8.5 (Secure Authentication).
How many policies does ISO 27001 require?
ISO 27001 does not specify a fixed number of policies. In practice, a complete ISO 27001 documentation set for a mid-sized organization typically includes twelve to twenty-five core policies and procedures plus supporting operational records. The exact number depends on ISMS scope, risk profile, and the Annex A controls selected in the SoA.
How often should ISO 27001 policies be reviewed?
ISO 27001 policies should be reviewed at minimum annually and whenever significant changes occur to the organization’s risk profile, operational environment, regulatory obligations, or ISMS scope. Review completion must be documented with a new version number or a recorded no-change decision.
Can I use ISO 27001 policy templates?
Policy templates are a useful starting point but must be substantially customized to reflect the organization’s specific operational context, risk profile, regulatory environment, and ISMS scope. Generic template language that has not been adapted to organizational reality is a common source of Stage 1 nonconformity findings.


