General (Documented information)
Plain English Translation
Clause 7.5.1 establishes the foundation for ISMS documentation. It states that your security program must include two types of written information: documents explicitly required by the ISO 27001 standard (such as the Scope, Policy, and Risk Assessment) and any other documents your organization determines are necessary to ensure security is effective. It allows for flexibility—you do not need to document every single keystroke, but you must have enough documentation to prove the system works, is consistent, and meets your objectives.
Technical Implementation
Required Actions (startup)
- Store all core policies in a central Wiki (e.g., Notion) with 'Last Updated' dates
- Maintain a simple list of mandatory documents required for the audit
- Keep documentation lightweight and focused on 'how-to' guides
Required Actions (scaleup)
- Implement a document control register to track owners, versions, and review dates
- Standardize templates for policies and procedures
- Separate 'Policies' (Rules) from 'Procedures' (Steps)
Required Actions (enterprise)
- Use a GRC platform to automate policy review cycles and map documents to controls
- Implement strict Data Loss Prevention (DLP) controls on ISMS documentation
- Automate the retention and disposal of obsolete versions
Clause 7.5.1 is the clause requiring the ISMS to include both the documented information that the ISO 27001 standard specifically mandates and any additional documented information the organization determines is necessary for the ISMS to be effective.
Key mandatory documents include the scope, the information security policy, the risk assessment process, the risk treatment plan, the Statement of Applicability (SoA) and the information security objectives. The standard also requires records to be retained as documented information, such as the results of risk assessments and risk treatment, evidence of competence, monitoring and measurement results, the internal audit programme and its results, management review results, and nonconformities together with the corrective actions taken.
Documents are live instructions (like policies or procedures) that can be updated. Records are evidence of past events (like audit logs, training certificates, or meeting minutes) which generally should not be changed.
The extent of documentation depends on the organization's size, complexity, and competence of personnel. ISO 27001 does not require bureaucracy; it requires enough documentation to ensure consistent and effective security.
You must include all documents referenced by 'shall' in the standard (e.g., policy, scope, risk assessment) and operational documents needed to run your security (e.g., network diagrams, onboarding guides).
Control (Clause 7.5.3) means documented information is available and suitable for use where and when it is needed; is adequately protected against loss of confidentiality, improper use and loss of integrity (for example, an unauthorized edit to a policy or the silent deletion of a procedure); and is managed through distribution, access, retrieval, storage, change control (version identification), retention and disposition. Documented information of external origin that the ISMS depends on, such as a supplier's security schedule, is identified and controlled in the same way.
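As an added illustration, not code from the original page or from any WatchDog Security product, the following Python script runs the control points above over a small document control register of the kind the scaleup actions describe: every mandatory document is listed, each entry has an owner, no review is overdue, and the content currently published on the wiki still matches the SHA-256 hash recorded when the document was approved. All document identifiers, owners, versions, dates, contents and the 365-day review interval are constructed for the example.

```python
"""Document control register check (added example, not from the original page).

Checks a constructed ISMS register for the Clause 7.5.3 points: mandatory
documents present, an owner on each, reviews not overdue, and published
content unchanged since approval (SHA-256 recorded in the register).
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Documents the standard requires as documented information (see the FAQ
# answers on this page). The short identifiers are assumptions for this example.
MANDATORY_DOCS = {
    "scope",
    "infosec-policy",
    "risk-assessment-process",
    "risk-treatment-plan",
    "soa",
    "infosec-objectives",
}


@dataclass(frozen=True)
class Entry:
    """One row of the document control register."""
    doc_id: str
    owner: str
    version: str
    last_review: date
    review_interval_days: int
    approved_sha256: str  # hash of the content that was approved


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def check_register(register, published, today):
    """Return (doc_id, finding) pairs for every control failure.

    register:  list of Entry rows
    published: dict doc_id -> bytes currently published on the wiki
    today:     date used for the review-due calculation
    """
    findings = []
    listed = {e.doc_id for e in register}
    for doc_id in sorted(MANDATORY_DOCS - listed):
        findings.append((doc_id, "mandatory document missing"))
    for e in register:
        if not e.owner:
            findings.append((e.doc_id, "no owner"))
        if e.last_review + timedelta(days=e.review_interval_days) < today:
            findings.append((e.doc_id, "review overdue"))
        content = published.get(e.doc_id)
        if content is None:
            findings.append((e.doc_id, "not available"))
        elif sha256_of(content) != e.approved_sha256:
            findings.append((e.doc_id, "changed since approval"))
    return findings


# Constructed sample data. APPROVED is what was signed off; PUBLISHED is what
# the wiki currently serves.
APPROVED = {
    "scope": b"ISMS scope v1.2: production SaaS platform and supporting IT.",
    "infosec-policy": b"Information Security Policy v2.0: ...",
    "risk-assessment-process": b"Risk assessment process v1.1: likelihood x impact, 5x5 matrix.",
    "risk-treatment-plan": b"Risk treatment plan v1.3: ...",
    "soa": b"Statement of Applicability v3.0: ...",
}
PUBLISHED = dict(APPROVED)
# Someone edited the process on the wiki without going through change control.
PUBLISHED["risk-assessment-process"] = b"Risk assessment process v1.1: likelihood x impact, 3x3 matrix."
del PUBLISHED["soa"]  # the SoA page was deleted and never restored


def entry(doc_id, owner, version, last_review, interval=365):
    """Build a register row whose approved hash is taken from APPROVED."""
    return Entry(doc_id, owner, version, last_review, interval, sha256_of(APPROVED[doc_id]))


REGISTER = [
    entry("scope", "CISO", "1.2", date(2025, 1, 15)),
    entry("infosec-policy", "CISO", "2.0", date(2024, 3, 1)),  # annual review missed
    entry("risk-assessment-process", "Security Lead", "1.1", date(2025, 2, 10)),
    entry("risk-treatment-plan", "", "1.3", date(2025, 4, 1)),  # owner left, not reassigned
    entry("soa", "CISO", "3.0", date(2025, 3, 15)),
    # infosec-objectives is intentionally absent from the register
]


def demo(today=date(2025, 5, 27)):
    """Run the check over the constructed register; the date is fixed so the result is repeatable."""
    return check_register(REGISTER, PUBLISHED, today)


if __name__ == "__main__":
    for doc_id, finding in demo():
        print(f"{doc_id}: {finding}")
```

The hash comparison is what turns a wiki page into a controlled document: a change that bypassed review and approval shows up as "changed since approval" even though the version label on the page was never bumped. In practice the approved hash would be written into the register by the approval workflow rather than computed from an in-memory dictionary as here.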
Clause 7.5 covers Documented Information, with 7.5.1 covering 'General' requirements, 7.5.2 covering 'Creating and updating', and 7.5.3 covering 'Control'.
Retention periods are not defined by the standard itself but must be determined by the organization based on legal, regulatory, and business needs (e.g., keeping logs for 1 year for forensics).
A Master Document List is easiest to sustain when ownership, versioning, review dates, and mappings to controls are centralized rather than spread across wikis and shared drives. WatchDog Security's Compliance Center helps by tracking required ISMS documents, linking each document to relevant controls, and highlighting gaps when a required document is missing or overdue for review.
Beyond writing policies, organizations need a repeatable way to publish updates, record who approved changes, and collect acknowledgements from the right audiences. WatchDog Security's Policy Management supports this by providing version control, review workflows, and acceptance tracking so you can demonstrate that current policies were communicated and acknowledged when auditors ask.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2025-05-27 | WatchDog Security GRC Team | Initial publication |