
Documented Information for ISO 27001 Requirement 7.5

What is Required under Clause 7.5 of ISO 27001:2013?

Anyone familiar with operating to a recognised international ISO/IEC standard will know the importance of documentation for the management system. One of the main requirements of ISO 27001 is therefore to describe your information security management system and then to demonstrate how its intended outcomes are achieved for the organisation. If the organisation wants to achieve independent ISO 27001 certification from a UKAS-accredited certification body, everything related to the ISMS must be documented, well maintained and easy to find. Certification auditors take great confidence from good housekeeping and a well-structured information security management system. ISO 27001 clause 7.5 is broken down as follows:


Clause 7.5.1 – General documentation for ISO 27001

The ISMS needs to clearly include:

  • A description of how it addresses clauses 4.1 to 10.2 of the core requirements, including the risk assessment and risk treatment, which leads on to the selection of the Annex A controls.
  • The Annex A controls covered by the statement of applicability, which effectively means every control needs to be listed with a justification for its inclusion or exclusion. Even where an organisation decides that a control is not relevant it should document that decision, e.g. if it has no need for delivery and loading areas (Annex A 11.1.6) because it is a purely digital business, it needs to show the auditor it has considered the risk and concluded there is no need for that control.

Clause 7.5.2 – Creating and updating documented information for ISO 27001

ISO 27001 wants clarity in documentation: it looks for identification and description, format, and review and approval for suitability and adequacy to serve its purpose. It is easy to miss the nuances of these requirements, but in practice this means recording author, date, title, reference and similar identifiers for each document. The approval process is also very important because it dovetails with the policy review requirement in Annex A 5.1.2 described below.

Clause 7.5.3 – Control of documented information for ISO 27001

At the heart of the ISMS is the Confidentiality, Integrity and Availability principle for information. The same applies to the ISMS documentation itself: it needs to be available when required and adequately protected from loss of confidentiality, improper use and loss of integrity.

Simply dumping the ISMS contents on the team shared drive, uncontrolled or with ineffective access permissions, would almost certainly lead to problems for the organisation in an audit. Equally, leaving it on a personal drive inaccessible to those who need to know about the ISMS would be a problem, so effective control needs to consider a number of areas. ISO looks for an organisation to address the following aspects:

  • distribution, access and use: controls over who can access some or all of the ISMS, bearing in mind that permissions for reading, updating, approving and deleting may need to differ by stakeholder role
  • storage and preservation, including control of changes (retaining older versions, historical approvals, etc.)
  • retention and disposal, which also need consideration

This requirement also aligns with the regular review of policies highlighted in Annex A.5.1.2 also touched on below.

How much has to be written for documentation of the information security management system to be considered acceptable by an auditor?

One question that is often asked about information security management documentation is 'how much is enough'. The short answer is that it is about quality, not quantity. As long as the organisation is meeting the requirements summarised above, and can demonstrate that it does not need lengthy, verbose documentation, the auditor will take that into account during an audit, e.g. because it is a small organisation with few participants around the ISMS, stable, clear, well maintained and simple in operation.


Is documentation for the information security management system ‘word style documents’ or are other forms of content allowed?

Queries about what sort of documentation is expected are another frequently asked question about clause 7.5 documentation for the information security management system. In fact ISO 27001 states clearly in the note to clause 7.5.1:
“The extent of documented information for an information security management system can differ from one organization to another due to:

  • 1)  the size of organization and its type of activities, processes, products and services;
  • 2)  the complexity of processes and their interactions; and
  • 3)  the competence of persons.”

A number of ISO 27001 information security documentation 'toolkit' providers have perpetuated the myth that documented information for an ISMS must be Word documents and Excel spreadsheets. Such documents can have a place in an ISMS (e.g. where pictures or complex processes need to be communicated), but they should be used sparingly given the advent of better online tools.

Online services such as this platform support documents in the traditional manner and also offer more effective ways of managing documentation that show better control and coordination, better ways of sharing and publishing to audiences, and make the whole process of documentation management for the requirements of clause 7.5 much easier. It also means the old days of wasting time on document front pages listing every version change, and approvals via email, are long gone.

When you consider that the clause 7.5 requirements also dovetail with the control objectives in Annex A, it makes even more sense to think about a joined-up, well-coordinated management system instead of old-fashioned documents and shared drives for storage. Examples of where to join up clause 7.5 with the Annex A controls include:

  • Annex A 5.1.1 – In addition to being defined, information security policies need to be approved by management, published and communicated to employees and relevant external parties. It is not easy to demonstrate approval for documents per se, and heavyweight documents are unlikely to be digested or understood by stakeholders even if they have been communicated (leaving the organisation at risk of non-compliance and of loss through ignorance).
  • Annex A 5.1.2 – Review of the policies for information security. ISO 27001 says that policies should be reviewed at planned intervals (or if significant changes occur) to ensure their continuing suitability. Independent ISO auditors will expect to see that review done at least annually for each policy.
  • Annex A 18.2 – This control is about information security reviews and, done well, it integrates neatly with clause 7.5 for documentation management of an ISMS, including independent reviews, checks for compliance and, where appropriate, technical compliance as well. Reviewing, version controlling, recording updates and then approving old-fashioned documents, where they do not need to be documents per se, can really slow down ISMS administrators. It can also delay or lose staff engagement and lead to non-compliance.
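The clause 7.5.2 identification metadata, the role-based permissions of clause 7.5.3 and the at-least-annual policy review from Annex A 5.1.2 are all things an auditor will sample from your document register. The following is an added example, written for this page and not code from the platform or from the standard, of a small register check that flags the gaps an auditor would look for. The register entries, user roles, field names, the role-to-action matrix, the 365-day review period and the rule that an author may not approve their own document are all assumptions made for the example.

```python
"""Register checks for ISO 27001 clause 7.5 documented information (added example)."""
from datetime import date, timedelta

# Assumed role matrix (7.5.3): which actions each stakeholder role may perform.
ROLE_PERMISSIONS = {
    "reader":   {"read"},
    "author":   {"read", "update"},
    "approver": {"read", "update", "approve"},
    "admin":    {"read", "update", "approve", "delete"},
}

# Identification and description metadata every entry must carry (7.5.2).
REQUIRED_FIELDS = ("id", "title", "author", "version", "issued_on", "classification")

# Assumed review period: auditors expect each policy reviewed at least annually (A.5.1.2).
MAX_REVIEW_AGE = timedelta(days=365)


def can(user_role, action):
    """True if the role is permitted to perform the action."""
    return action in ROLE_PERMISSIONS.get(user_role, set())


def check_document(doc, users, today):
    """Return the list of findings for one register entry; an empty list means clean."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not doc.get(field):
            findings.append(f"missing {field}")

    approval = doc.get("approval")
    if not approval:
        findings.append("not approved")
    else:
        approver_role = users.get(approval["by"], "unknown")
        if not can(approver_role, "approve"):
            findings.append(f"approved by {approval['by']} who lacks approve permission")
        if approval["by"] == doc.get("author"):
            findings.append("author approved own document")  # assumed separation-of-duties rule
        if approval["version"] != doc.get("version"):
            findings.append(f"approval covers v{approval['version']}, current is v{doc.get('version')}")

    # A document never reviewed counts from its issue date.
    last_review = doc.get("last_reviewed_on") or doc.get("issued_on")
    if last_review and today - last_review > MAX_REVIEW_AGE:
        findings.append(f"review overdue ({(today - last_review).days} days since last review)")

    # Change control: retained version history must be in order.
    versions = [h["version"] for h in doc.get("history", [])]
    if versions and versions != sorted(versions):
        findings.append("version history out of order")
    return findings


def audit_register(register, users, today):
    """Map document id to findings for every entry that has at least one finding."""
    return {d.get("id", "?"): f for d in register if (f := check_document(d, users, today))}


# Constructed sample data: three register entries and the users who touch them.
USERS = {"alice": "author", "bob": "approver", "carol": "reader"}
TODAY = date(2024, 6, 1)
REGISTER = [
    {"id": "POL-001", "title": "Information Security Policy", "author": "alice", "version": 3,
     "issued_on": date(2023, 1, 10), "classification": "internal",
     "last_reviewed_on": date(2024, 1, 8),
     "approval": {"by": "bob", "version": 3, "on": date(2024, 1, 8)},
     "history": [{"version": 1}, {"version": 2}, {"version": 3}]},
    # Approved by a reader, approval predates the current version, not reviewed for over two years.
    {"id": "POL-002", "title": "Access Control Policy", "author": "alice", "version": 2,
     "issued_on": date(2022, 3, 1), "classification": "internal",
     "last_reviewed_on": date(2022, 3, 1),
     "approval": {"by": "carol", "version": 1, "on": date(2022, 3, 1)},
     "history": [{"version": 1}, {"version": 2}]},
    # No classification marking and never approved.
    {"id": "PRC-007", "title": "Backup Procedure", "author": "alice", "version": 1,
     "issued_on": date(2024, 2, 1), "classification": "",
     "approval": None,
     "history": [{"version": 1}]},
]

if __name__ == "__main__":
    for doc_id, findings in audit_register(REGISTER, USERS, TODAY).items():
        print(doc_id, findings)
```

The point of `audit_register` is that it is cheap to run on every change, so the overdue review or the approval by someone without approval rights is caught by you rather than by the auditor. Swap the constructed `REGISTER` for an export from wherever your documents actually live.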

How to manage documentation in your information security management system?

Clause 7.5 is easy to misunderstand: organisations either under-deliver and fail the audit, or over-engineer a solution and spend far too long building a management system structure that becomes too hard to maintain at the first change. The business case planner looks at the options for build versus buy, so do check that out if you are thinking about creating your own solution.

It is really hard to get right and meet all the requirements of clause 7.5 and the related Annex A controls too.  It’s why many organisations look for a purpose-built ISMS software solution and want something with the characteristics of


After all, you wouldn't waste time constructing your own CRM or finance system when others have already developed the right solution, delivered straight out of the box for a fraction of the cost of a DIY solution that is not part of the organisation's core competencies. The platform provides an easy-to-follow structure for all the required documentation. It follows exactly the same structure as the standard itself, so you and an auditor can quickly navigate to the required documentation. It has built-in roles and permissions for accessing, editing, approving and sharing, together with automatic version control and reminders for reviews. We have gone one step further and included policy and control documentation that you can adopt, adapt and add to, straight out of the box.

Using the software solution lets you focus on your ISMS goals. It makes light work of the administration, so you can easily create, control, coordinate, manage and share your documentation with stakeholders, including through Policy Packs, which heightens end-to-end confidence in compliance. It also gives you the tools to perform the many work processes required by the standard. That is why we say the documents we provide are 'actionable': they are more than simple document templates that leave you to interpret and find a way of demonstrating your processes. It is a whole ISMS solution in one place.


How to easily demonstrate 7.5 Documented Information

The platform makes it easy for you to include documented information required by the ISO 27001 and other information determined by the organisation as being necessary for the effectiveness of the system.

Step 1 : Improve your document control

The platform will help you improve your document control and implement a suitable marking scheme, allowing you to distinguish public from sensitive materials and manage changes over the life of the management system. Timestamped evidence, automatic version control, automated reminders and alerts, and a record of system activity make documenting information a major time saver.

Step 2 : Adopt, adapt and add

Our pre-configured ISMS will enable you to evidence requirement 7.5 within our platform and easily adapt it to your organisation's needs. The platform gives you the mechanisms required to document information effortlessly, so all you need to do is follow the processes and demonstrate that you are living and breathing the management system in practice.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.


Step 3 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.

Step 4 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. Requirement 7.5 is part of the third section that ARM guides you through: once the foundations of your ISMS have been laid and the Annex A controls have been described, you detail how you comply with the remaining core requirements.

Step 5 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.

Platform features

Disconnected templates and toolkits, supported by an expensive consultant, just don't cut it any more. You need an ISMS that works for you both now and as your business grows.
