ISO 27001: ISMS Manual vs Policy Pack for SMEs and Startups

Illustration comparing the roles of an ISO 27001 ISMS Manual (Structure and Governance) versus a Policy Pack (Rules and Controls) for SME documentation.

For SMEs and startups working toward ISO 27001, questions about documentation often arise early.

  • “Do you need an ISMS Manual?”
  • “Is a Policy Pack enough?”
  • “Are they simply different names for the same thing?”

They are generally not interchangeable, though organisations may adapt their documentation to their context. An ISMS Manual defines how the Information Security Management System (ISMS) is governed (Clauses 4 to 10), while a Policy Pack defines what security rules staff must follow (Annex A controls). The two serve distinct but complementary roles within an ISO 27001 ISMS.

Understanding these differences may help organisations structure their ISO 27001 documentation, support consistent implementation, and could reduce unnecessary or duplicative documentation effort, though effectiveness depends on organisational adoption and context.

ISO 27001 Documentation Explained for SMEs

ISO 27001 is not primarily about producing large volumes of documents. For SMEs and startups, it is about showing that an organisation:

  • Understands its information security risks
  • Has selected controls that are appropriate to those risks
  • Applies those controls consistently where practical
  • Keeps records that may serve as supporting evidence over time

Documents function as containers for evidence, rather than being the main objective of an ISO 27001 programme.

ISO 27001: ISMS Manual vs Policy Pack Explained

What Is an ISMS Manual?

An ISMS Manual is a document that provides the structural framework of an organisation’s Information Security Management System. It typically covers the scope, governance approach, risk management methodology, and continual improvement practices that align with ISO 27001 Clauses 4 to 10.

The ISMS Manual usually explains:

  • ISMS scope and boundaries
  • Governance and leadership responsibilities
  • Risk assessment and treatment approach
  • How policies, controls, and supporting evidence relate
  • How the ISMS may be reviewed and improved over time

You can think of it as a high-level document used to describe the system’s structure to stakeholders and auditors.

What Is a Policy Pack?

A Policy Pack is generally a collection of documented security policies that outline rules, responsibilities, and behavioural expectations related to applicable Annex A controls.

A typical security policy suite may include, but is not limited to:

  • Access control
  • Asset management
  • Incident management
  • Supplier security
  • Acceptable use
  • Business continuity
  • Remote work
  • Cryptography

Policies describe the rules your team may follow in day-to-day operations, providing guidance and consistency across the organisation.

ISMS Manual vs Policy Pack: Side-by-Side Comparison

Core Distinction

The ISMS Manual generally describes how the system is managed, while the Policy Pack covers the security rules that apply. Both serve complementary roles in an ISO 27001 ISMS.

Aspect | ISMS Manual | Policy Pack
------ | ----------- | -----------
Core Function | Describes how the ISMS is governed | Applies to selected security rules
Purpose | Provides an overview of ISMS structure | Defines expected security behaviours
Audience | Auditors, leadership, ISMS owners | Staff, contractors, suppliers
ISO Coverage | Clauses 4 to 10 | Applicable Annex A controls selected for the SoA
Risk Linkage | Outlines the organisation's adopted risk management criteria and methodology | Supports implementation of selected controls
Commonly Referenced In | Typically Stage 1 audit | Typically Stage 2 audit
System Inter-dependency | Governs the system; requires the SoA, Risk Register, and Procedures for verification | Defines the rules; requires the ISMS Manual for scope and Procedures / Logs for evidence of implementation

How the ISMS Manual and Policy Pack Work Together

The ISMS Manual generally serves as the “Why and How” document, describing the structure, governance, and oversight of the ISMS. The Policy Pack is the “What” document, outlining the operational rules and security expectations.

Neither document generally replaces the other, and both can be used together to provide a clearer understanding of information security responsibilities, control application, and supporting processes.

What Auditors Typically Look for in ISO 27001 Documentation

ISO 27001 does not mandate specific documents by name. During an audit, auditors generally review whether:

  • The ISMS scope is clearly defined
  • Risks and controls are logically linked
  • Responsibilities are assigned and understood
  • Governance and review processes are in place

An ISMS Manual is often used to provide a structured overview of these elements for auditors. Similarly, while ISO 27001 does not explicitly require a “Policy Pack,” auditors often look for documented policies that support applicable Annex A controls and reflect operational practices.

Why a Policy Pack Alone May Not Be Sufficient

Policies generally answer the question, “What does the organisation aim to achieve?” It is generally the role of the ISMS Manual to document:

  • Why certain controls were selected
  • How risks were assessed
  • How the ISMS is structured or governed

In practice, common Stage 1 audit observations for SMEs include:

  • Lack of documented ISMS scope
  • Limited or missing risk assessment methodology
  • Unclear control selection rationale
  • Ambiguous ownership or review responsibilities

An ISMS Manual may provide additional context and structure, and could help clarify documentation of the organisation’s approach to information security if implemented appropriately.

Why an ISMS Manual Alone May Not Be Sufficient

The opposite mistake is also relatively common. Some teams develop a clean ISMS Manual but may experience gaps such as:

  • Policies not being documented
  • Staff being unclear on security rules
  • Inconsistent application of controls
  • Limited or incomplete evidence of implementation

In practice, auditors may raise findings in Stage 2 when documentation exists but operational policies or evidence are limited. Policies may help translate the ISMS framework into operational practices and support consistency and clarity in information security processes when applied, but effectiveness depends on proper adoption and organisational context.

Common Audit Practices

During ISO 27001 audits, Stage 1 reviews often identify gaps related to structural documentation, such as scope, risk methodology, and governance. Stage 2 audits frequently highlight issues when operational evidence – such as policies, procedures, and logs – is incomplete or outdated.

In practice:

  • The ISMS Manual is generally referenced to demonstrate structural and governance elements during Stage 1.
  • The Policy Pack, together with operational evidence, is typically referenced during Stage 2 to show how controls are applied in practice.

How the Two Documents Work Together (Practical Structure)

A structured ISO 27001 ISMS for SMEs and startups may be organised as follows:

  1. ISMS Manual – Outlines scope, governance, risk approach, and continual improvement cycle →
  2. Risk Register – Identifies information security risks and records treatment decisions →
  3. Statement of Applicability (SoA) – Maps identified risks to selected Annex A controls →
  4. Policy Pack – Documents the operational rules supporting applicable controls →
  5. Procedures, Logs, and Records – Capture day-to-day implementation and provide evidence of applied controls

Omitting or skipping any of these layers may make it more challenging to demonstrate ISMS structure and applied controls, depending on audit approach.

Policy vs Procedure: Understanding the Difference

First-time ISO 27001 implementers often confuse policies and procedures. Here is a practical distinction:

  • Policies define the rules or expectations for behaviour. Example: “All users are required to use multi-factor authentication, implemented as appropriate to organisational risk and context.”
  • Procedures describe the steps to follow to meet those rules. Example: “To enable MFA in your cloud email system, follow your admin console’s security settings to enable two-factor authentication.”

Policies provide a framework for actions, while procedures capture how those actions are performed in practice. A Policy Pack provides the rules but does not replace the need for procedures; procedures support operational consistency and help demonstrate how policies are applied.

Documentation Maintenance and Ownership

For an effective Information Security Management System (ISMS), documents must be governed by clear ownership and review cycles. These cycles often differ based on the document's function, reflecting its audience and audit importance.

Aspect of Governance | ISMS Manual | Policy Pack | Procedures and Logs
-------------------- | ----------- | ----------- | -------------------
Primary Owner | Typically overseen by the ISMS owner, compliance lead, or leadership team | Typically managed by functional managers (IT, Engineering, Operations, HR) | Typically managed by process owners and system administrators
Review Cycle | May be reviewed annually or after significant organisational or scope changes | May be reviewed more often (e.g. quarterly or when tools, suppliers, or regulations change) | May be reviewed continually, as processes are updated or evidence is captured
Update Focus | Updates tend to be structural and less frequent | Updates reflect day-to-day operational adjustments | Reflects real-time process documentation and evidence capture

Practical Notes for Auditing SMEs

These distinctions are critical for managing audit risk:

  • Outdated Policies Risk: A common Stage 2 audit finding is that the Policy Pack is outdated even when the ISMS Manual is current. Auditors may look for evidence that operational policies reflect the organisation's current tools and practices.
  • Accountability in Small Teams: In small teams where one person may hold multiple roles, auditors may look for clear evidence that responsibilities are formally assigned, so that it is clear who is accountable for maintaining and implementing each type of documentation.

Suggested Sequence for SMEs and Startups

For lean teams, a suggested sequence for ISO 27001 documentation may be:

  1. First: ISMS Manual – Establishes the overall structure, governance, and rationale for the system
  2. Second: Risk Register + Statement of Applicability (SoA) – Supports decisions about which controls may be relevant
  3. Third: Policy Pack – Focuses on controls that are actually applicable

Potential Benefits: Though outcomes will vary by organisation, following this approach may help SMEs:

  • Avoid unnecessary or overly complex documentation
  • Reduce creation of unused or low-value policies
  • Focus on controls that the team can realistically implement

Common SME Myths (Reality-Checked)

Some common misconceptions about ISO 27001 documentation in SMEs include:

Myth | Reality
---- | -------
Auditors only care about policies. | Auditors generally focus on traceability and whether your ISMS supports risk management and control implementation.
Templates replace the ISMS Manual. | Templates may reduce drafting effort but do not replace structural documentation explaining your ISMS approach.
More documents mean a safer audit. | Unused or irrelevant documents could make demonstrating ISMS structure and controls during an audit more challenging.
A Policy Pack is sufficient documentation for a Stage 1 audit. | The ISMS Manual is essential for the Stage 1 audit, as it documents the structural elements (scope, context, governance, and risk approach) required by Clauses 4 to 10.
An ISMS Manual alone is sufficient to pass an audit. | An ISMS Manual should be supported by the Policy Pack, Procedures, and Logs to provide evidence of operational controls, which is the focus of the Stage 2 audit.

TL;DR for Founders and Busy Teams

  • ISMS Manual: The “How” – provides the scope, governance, and system structure (Clauses 4 to 10).
  • Policy Pack: The “What” – outlines operational rules and security controls that staff may follow (Annex A).
  • Use both together: One provides structural context (ISMS Manual), the other outlines operational guidance (Policy Pack).
  • Common approach: Organisations often start with structure, then document applicable rules based on their risk assessment.
  • Keep documentation lean and practical: Focus on relevance, applicability, and capturing evidence where needed.
  • ISO 27001 tends to favour clarity and consistency over large volumes of documentation.

ISO 27001 Templates and Tools for SMEs

  • ISMS Manual Template – Structured framework aligned to Clauses 4 to 10.
  • Policy Pack – Concise, SME-friendly policies mapped to Annex A.
  • Risk Register Template – Supports consistent risk scoring and documentation.
  • Statement of Applicability (SoA) Template – Provides justification for selected controls and traceable evidence.

Note: Templates may reduce drafting effort, but effective certification preparation is generally associated with proper implementation, ownership, and supporting evidence.

Key Takeaways: Structure First, Then Rules

ISO 27001 does not reward documentation volume – it emphasises clarity, traceability, and consistency. The ISMS Manual describes how the information security system is structured, governed, and maintained. The Policy Pack defines the operational rules that put those controls into practice.

Using one without the other could make it more challenging to show how the ISMS is structured and how controls are applied during an audit. When created in a logical sequence and kept current, these two document types can provide a foundation for a structured, manageable ISMS, particularly for SMEs and startups.

Next Step: Explore our ISO 27001 template collection to access a structured ISMS Manual and Policies that may assist your team in defining system structure, implementing practical controls, and organising supporting evidence.

Next Article: In ISO 27001 for SaaS Startups: The Lean and Practical Implementation Guide, we provide step-by-step guidance for building a lean ISMS, managing key risks, and streamlining documentation in cloud-based, multi-tenant, and fast-moving SaaS environments.


Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.