Documented Information for ISO 27001 Requirement 7.5

What is Required under Clause 7.5 of ISO 27001:2013?

The requirement under this section covers documented information.

One of the main overarching requirements for ISO 27001 is to be able to describe your understanding of information security and then to demonstrate how you achieve it in your organisation. This is why it is incredibly important that everything is documented and maintained in your information security management system.

ISO 27001 Section 7.5 is broken down as follows:

Clause 7.5.1 – General

The contents of any information security management system should hold any documents that are required by the International Standardisation Organisation (ISO), as well as documentation that is essential for the organisation itself. The extent of the documentation will vary depending on the size of the organisation and its complexity.

Clause 7.5.2 – Creating and updating

This is where your information security management system should shine You should be able to demonstrate a clear and robust audit trail. Whenever a document is added to or updated in the ISMS, certain details should be recorded.

  • Document title, date, author, reference number
  • File format and media types
  • Review and approval processes to ensure suitability and adequacy

Clause 7.5.3 – Control of Documented Information

This section discusses the importance of the Confidentiality, Integrity, and Availability (CIA) of your documented ISMS. The information security management system should aim to ensure that the documents held within it are:

  • available when needed;
  • protected from deletion, unauthorised change, or improper use

The documents should be controlled by managing distribution and access, maintain preservation, retain and dispose of appropriately, and implement version control for any changes made.

How to manage documentation in your information security management system?

Your documentation needs to:

  • address the ISO 27001 requirements and cover the Annex A controls as identified through the risk assessment process
  • be structured for easy and fast retrieval by authorised parties
  • be protected against CIA issues
  • demonstrate a clear approval and review process
  • be version controlled with an audit trail and retention of previous versions

It is simple for an organisation to fail in its ISO 27001 certification on this point alone. If they have purchased an off-the-shelf document toolkit, there is still a requirement to store, manage and review documentation, let alone ensure the contents are fit for purpose and describe processes that the organisation can demonstrate are being followed.

Building structured online folders with the required permissions, access and update protocols and audit trails can also be extremely time-consuming and unnecessarily complex.

It’s why many organisations look for a purpose-built ISMS software solution. After all, you wouldn’t waste time constructing your own CRM or Finance system when experts have already spent time developing the right solution that can be delivered straight out-of-the-box.

In we not only provide a structure for all the required documentation, we have also built in roles and permissions for accessing, editing, approving and sharing. It follows exactly the same structure as the standard itself so you and your auditor can easily and quickly navigate to the required documentation. There is also automatic version control and reminders for reviews. We’ve even gone one step further and included policy and control documentation that you can adopt, adapt and add to, straight-out-of-box.

Using the software solution will not only help you manage your documentation but will also give you all the tools to perform the many work processes required by the standard. It’s why we say that the documents we provide are ‘actionable‘. They are more than simple document templates that leave you to interpret and find a way of demonstrating your processes… is a total ISMS solution.

Ready to take action?

Discover how can help you achieve or improve on your ISMS objectives


Need ISO 27001 policies and controls for your ISMS? includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you up to 77% head start with ISO 27001 documentation. 



Ready to take action?

Discover how can help you achieve or improve on your ISMS objectives

ISMS Online Rating: 5 out of 5
Share This