Sei sulla pagina 1di 3

ISO 27001 Certification Documentation Checklist

List of mandatory documentation for ISO 27001 Compliance

Domain
General Information Security
Management System (ISMS)

Control of Documents

Control of records

Management responsibility

Internal ISMS audits

Management review of the


ISMS
Corrective action

Preventive Action
Certification Documentation Checklist
atory documentation for ISO 27001 Compliance

Description
Records of key management decisions regarding the ISMS e.g. minutes of management
meetings, investment decisions, mandating of policies, reports etc.

Statement of Applicability stating the information security control objectives and controls that
are relevant and applicable to the ISMS, generally a consolidated summary of the results of
the risk assessments, cross-referenced to the control objectives from ISO/IEC 27002 that are
in scope.

Document control procedure explaining how ISMS documents are approved for use,
reviewed/updated/re-approved as necessary, version managed, disseminated as necessary,
marked etc. If the organization already has a Quality Management System conforming to ISO
9000, the QMS document control procedure (or equivalent from another management
system) may be applied to the ISMS.
Records control procedure explaining how records proving conformity to ISMS requirements
and the effective operation of the ISMS (as described elsewhere in the standard) are
protected against unauthorized changes or destruction. Again, this procedure may be copied
from the QMS or other management systems.
Security awareness, training and education records documenting the involvement of all
personnel having ISMS responsibilities in appropriate activities (e.g. security awareness
programs and security training courses such as new employee security induction/orientation
classes).
Internal ISMS audit plans and procedures stating the auditors' responsibilities in relation to
auditing the ISMS, the audit criteria, scope, frequency and methods.
This implies the need to retain records (such as management review plans and reports)
proving that management does in fact review the ISMS at least once a year.
Corrective action procedure documenting the way in which nonconformities which exist are
identified, root-causes are analyzed and evaluated, suitable corrective actions are carried out
and the results thereof are reviewed.
Preventive action procedure similar to the corrective action procedure but focusing more on
preventing the occurrence of nonconformities in the first place, with such activities being
prioritized on the basis of the assessed risk of such nonconformities.
Completion Date Status Notes