ISO 27001 Mandatory Documents Checklist for SMEs

Illustration of SMEs organising ISO 27001 documented information such as ISMS scope, policies, risk registers, and records in a structured workspace.

Small organisations often struggle to work out which documents ISO 27001 actually requires and which are merely customary. This guide separates the documented information the standard explicitly demands from the documents auditors commonly expect, and suggests how SMEs can keep both proportionate.

What documents are typically mandatory for ISO 27001 for SMEs?

ISO/IEC 27001:2022 explicitly requires the following documented information: the ISMS Scope, the Information Security Policy, the risk assessment process and its results (usually a Risk Register), the Risk Treatment Plan, the Statement of Applicability (SoA), information security objectives, competence records, monitoring and measurement results, internal audit records, management review outputs, and records of nonconformities and corrective actions. In addition, clause 8.1 requires operational procedures to the extent necessary to show processes run as planned, and evidence is needed for each Annex A control the SoA marks as applicable.

Documents that are not explicitly required but are commonly expected include an ISMS Manual, Data Classification and Handling Rules, an Acceptable Use Policy, an Asset Inventory, and a Supplier Register; several of these support specific Annex A controls and so become required once those controls are marked applicable.

Typically Mandatory Documented Information for SMEs

A visual hierarchy diagram categorising ISO 27001 mandatory documents into Strategic, Risk, and Operational layers for SMEs to help prioritise documentation efforts.

Each entry below gives the clause, the documented information it requires, the requirement type (Explicit, Necessary for Operation, or Control Driven), and notes.

  • 4.3 – ISMS Scope (Explicit): Defines the boundaries and applicability of the ISMS (locations, teams, systems, and technologies) and justifies any exclusions.
  • 5.2 – Information Security Policy (Explicit): High-level management direction; must be available as documented information, communicated within the organisation, and available to interested parties as appropriate.
  • 6.1.2 – Risk Assessment Methodology (Explicit): Defines how risks are identified, analysed, and evaluated, and the risk acceptance criteria, so that repeated assessments give consistent and comparable results.
  • 6.1.2 – Risk Assessment Results (Explicit): Records identified risks, their owners, and their ratings; typically kept in the Risk Register.
  • 6.1.3 – Risk Treatment Plan (Explicit): Records how each risk will be modified (mitigated), retained (accepted), shared (transferred), or avoided, with owners and timelines; the plan and the residual risks need approval from the risk owners.
  • 6.1.3 d) – Statement of Applicability (SoA) (Explicit): Lists all 93 Annex A:2022 controls (A.5 – Organisational, A.6 – People, A.7 – Physical, A.8 – Technological), states whether each is applicable and whether it is implemented, and justifies every inclusion and exclusion. Referencing the supporting evidence against each applicable control is not demanded by the clause but makes audits considerably easier.
  • 6.2 – Information Security Objectives (Explicit): Must be retained as documented information; measurable where practicable, monitored, communicated, and updated as appropriate.
  • 7.2 – Competence Records (Explicit): Evidence that employees or contractors performing security-related roles are competent (training, qualifications, onboarding).
  • 7.5.1 – 7.5.3 – Documented Information Control (Explicit): Covers creation, updating, retention, approval, access, and versioning of all ISMS documents and records.
  • 8.1 – Operational Documentation (Necessary for Operation): Procedures and process descriptions needed to have confidence that ISMS processes are carried out as planned (e.g. access control, incident management, change management, backup and restore).
  • 9.1 – Monitoring, Measurement, Analysis Results (Explicit): Evidence of what is measured, by which method, when, and by whom, together with the KPIs, security metrics, and performance results obtained.
  • 9.2 – Internal Audit Records (Explicit): Audit programme and plans, reports, findings, and follow-up actions.
  • 9.3 – Management Review Records (Explicit): Captures leadership review of ISMS performance, decisions, and improvement actions.
  • 10.2 – Nonconformities and Corrective Actions (Explicit): Evidence of issues, root-cause analysis, actions taken, and verification that the actions were effective.
  • Annex A – Control Evidence (Control Driven): Required only for controls marked applicable in the SoA; examples include backup logs, access reviews, vulnerability assessments, and continuity test records.

Key Insight: An SME that produces exactly these documents, and keeps them current, has a complete ISMS in the standard's terms; everything beyond this list should exist only because a risk, a control, or a process genuinely needs it.
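The table describes three relationships that tend to drift apart in a spreadsheet-run ISMS: every Annex A control must appear in the SoA (included or excluded with a reason), evidence is needed for each applicable control that is implemented, and a risk treatment should only rely on controls the SoA marks applicable. The following Python is an added example of checking those relationships; it is not code from the original article or from any ISO 27001 template. Only the Annex A control numbering (93 controls across A.5, A.6, A.7, and A.8) is taken from the standard; the record layouts, the evidence IDs, and every sample entry are constructed for illustration.

```python
"""Consistency checks between the Statement of Applicability (SoA), the Risk
Treatment Plan and an evidence register.

Added example; not code from the original article or an ISO template.
Annex A control counts follow ISO/IEC 27001:2022 (A.5 x37, A.6 x8, A.7 x14,
A.8 x34 = 93). The record layouts and all sample records are constructed.
"""
from dataclasses import dataclass, field

ANNEX_A_THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}


def annex_a_controls() -> list[str]:
    """All 93 Annex A control identifiers, in standard order."""
    return [f"{theme}.{n}" for theme, total in ANNEX_A_THEMES.items()
            for n in range(1, total + 1)]


@dataclass
class SoaEntry:
    control: str                  # Annex A identifier, e.g. "A.8.13"
    applicable: bool              # included in the ISMS or excluded
    implemented: bool             # 6.1.3 d) asks whether it is implemented
    justification: str            # reason for inclusion or exclusion
    evidence: list[str] = field(default_factory=list)  # evidence register IDs


def missing_controls(soa: list[SoaEntry]) -> list[str]:
    """Controls the SoA does not address at all. Every Annex A control must
    appear, either as included or as a justified exclusion."""
    present = {e.control for e in soa}
    return [c for c in annex_a_controls() if c not in present]


def check_soa(soa, treatments, evidence_register):
    """Return (severity, subject, message) findings.

    treatments: list of {"risk_id": str, "controls": [control IDs]} taken from
    the Risk Treatment Plan. evidence_register: {evidence ID: description}.
    """
    findings = []
    by_id = {e.control: e for e in soa}
    selected = {c for t in treatments for c in t["controls"]}

    for e in soa:
        kind = "inclusion" if e.applicable else "exclusion"
        if not e.justification.strip():
            findings.append(("major", e.control, f"no justification for {kind}"))
        if e.applicable and e.implemented and not e.evidence:
            findings.append(("major", e.control, "implemented but no evidence referenced"))
        if e.applicable and not e.implemented:
            findings.append(("minor", e.control,
                             "applicable but not yet implemented; should be a Risk Treatment Plan action"))
        for ref in e.evidence:
            if ref not in evidence_register:
                findings.append(("major", e.control, f"evidence {ref} not in evidence register"))
        if e.applicable and e.control not in selected:
            findings.append(("info", e.control,
                             "applicable but not selected by any risk treatment; "
                             "justification should cite a legal, contractual or baseline reason"))

    for t in treatments:
        for c in t["controls"]:
            if c not in by_id:
                findings.append(("major", t["risk_id"], f"treatment relies on {c}, which is absent from the SoA"))
            elif not by_id[c].applicable:
                findings.append(("major", t["risk_id"],
                                 f"treatment relies on {c}, which the SoA marks as not applicable"))
    return findings


# --- Constructed sample records (hypothetical organisation, not real data) ---
SAMPLE_SOA = [
    SoaEntry("A.5.9", True, True, "Inventory needed to scope the risk assessment", ["EV-001"]),
    SoaEntry("A.5.19", True, True, "Critical SaaS suppliers are in scope", []),
    SoaEntry("A.7.4", False, False, "No physical premises; fully remote company", []),
    SoaEntry("A.8.13", True, True, "Backups treat ransomware risk R-003", ["EV-002"]),
    SoaEntry("A.8.8", True, False, "", []),
]
SAMPLE_TREATMENTS = [
    {"risk_id": "R-003", "controls": ["A.8.13", "A.7.4"]},
    {"risk_id": "R-007", "controls": ["A.8.9"]},
]
SAMPLE_EVIDENCE = {"EV-001": "Asset inventory export, reviewed 2024-Q4"}


def run_sample():
    return check_soa(SAMPLE_SOA, SAMPLE_TREATMENTS, SAMPLE_EVIDENCE)


if __name__ == "__main__":
    for sev, subject, msg in run_sample():
        print(f"[{sev:5}] {subject}: {msg}")
    print(f"{len(missing_controls(SAMPLE_SOA))} Annex A controls not yet addressed in the SoA")
```

Run as a script it prints the findings for the sample data (five major, one minor, three informational, and 88 controls still missing from the SoA). In practice the three inputs would be exported from wherever the SoA, Risk Register and evidence are kept, and the check run before each internal audit so that gaps are fixed in the documents rather than raised as audit findings.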

Optional but Commonly Expected for SMEs

Although not strictly required, these documents may support operational consistency and are often referenced in audits:

  • ISMS Manual – Provides an overview of the ISMS and maps each clause to the document that satisfies it; auditors often use it to plan the audit.
  • Data Classification and Handling Rules – Tell staff how to classify, label, and handle information; these become required once A.5.12 (Classification of information) and A.5.13 (Labelling of information) are marked applicable in the SoA.
  • Acceptable Use Policy – Defines the rules for using company systems and assets and is the usual way of meeting A.5.10 (Acceptable use of information and other associated assets).
  • Asset Inventory – Records the information assets in scope, feeding the risk assessment and satisfying A.5.9 (Inventory of information and other associated assets).
  • Supplier Register – Tracks third-party dependencies and supports A.5.19 – A.5.22 (supplier relationships and supply chain).

Key Insight: These documents often become operationally useful when linked to a specific Annex A control or when needed to support consistent ISMS processes.

Short ISO 27001 Checklist for SMEs

A circular infographic showing the continuous cycle of ISO 27001 evidence collection, including internal audits, management reviews, and operational control logs.

This checklist provides a practical overview of ISMS documentation that is commonly referenced when implementing ISO/IEC 27001:2022, helping SMEs prioritise key records and maintain focus on essential controls.

Commonly Required ISMS Documents

  • ISMS Scope – Defines boundaries and applicability
  • Information Security Policy – States management intent and direction
  • Risk Assessment Methodology – Describes risk evaluation approach
  • Risk Assessment Results – Records identified risks and ratings
  • Risk Treatment Plan – Documents selected risk treatment actions
  • Statement of Applicability (SoA) – Lists applicable Annex A controls
  • Information Security Objectives – Documents measurable security goals
  • Competence Records – Evidence of relevant skills and training
  • Document and Record Control – Defines document lifecycle controls
  • Monitoring and Measurement Results – Records performance indicators
  • Internal Audit Evidence – Documents internal ISMS review activities
  • Management Review Outputs – Records leadership review outcomes
  • Corrective Action Records – Tracks nonconformity resolution

Required to the Extent Necessary (Clause 8.1) or Control-Driven (Annex A)

  • Operational procedures – Describe how key controls operate in practice, to the extent needed to show processes run as planned
  • Annex A control evidence – Supports each control marked applicable and implemented in the SoA
  • Supplier screening records – Evidence for the supplier controls (A.5.19 – A.5.22) where they are applicable
  • Asset inventories – Evidence for A.5.9 and the basis for risk assessment within the ISMS scope

Key Insight: This checklist may assist SMEs in keeping ISMS documentation focused and proportionate, while organising key records in a manner aligned with ISO 27001 terminology and structure.

Avoid Over-Documenting ISO 27001

An illustration of a lean ISO 27001 documentation process, showing a symbolic filter that streamlines heavy paperwork into an organised, risk-based ISMS for startups.

To maintain a practical ISMS without excess paperwork, SMEs may consider:

  • Aligning documentation with actual risks – Focus on processes and controls relevant to your organisation’s risk profile.
  • Avoiding unnecessary detail – Keep policies and procedures concise, actionable, and easy to follow.
  • Leveraging existing business processes – Use current HR, IT, or operational workflows where applicable.
  • Using short, task-focused procedures – Step-by-step documentation may improve clarity and efficiency.
  • Maintaining evidence consistently – Track logs, audit results, and process outputs regularly rather than batching before audits.

Key Insight: Lean documentation is easier to keep current, and current, consistently maintained records carry more weight in an audit than volume.

Ready-to-Use ISO 27001 Templates

Clause-mapped templates provide a starting point for ISMS documentation. They can:

  • Give each document a clause mapping and a consistent structure from the outset.
  • Save time on formatting and initial content.
  • Keep terminology and layout consistent across policies, procedures, and records.

Wrapping Up ISO 27001 Documentation for SMEs

ISO 27001 documentation can seem complex for SMEs, but focusing on essential records keeps the ISMS practical and manageable. Prioritising the documented information the standard explicitly requires, adding the commonly expected documents only where a control or process needs them, and keeping procedures concise and risk-focused leaves an organisation with a document set it can actually maintain.

Using structured templates and checklists may assist SMEs in organising ISMS documentation in line with ISO 27001 terminology and maintaining clarity across operational workflows. While following these guidelines can help SMEs navigate ISO 27001 requirements, organisations remain responsible for determining their own compliance needs and ensuring that documentation reflects their unique risk profile and operational context.

Next Steps: Using our ISO 27001 templates may provide a structured approach for organising documented information and procedures. 

Next Article: The 12 ISO 27001 Policies Commonly Adopted by SMEs and Startups – A concise guide to ISO 27001 policies that small businesses often develop to help organise and document their ISMS.


Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.