The Document Register and Certification section combines two essential components of ISO 27001 compliance: managing the mandatory documented information required by the standard (Clause 7.5), and tracking your certification lifecycle from initial certification through surveillance and recertification audits.
Document Register
ISO 27001 requires specific documented information to be created and maintained. The Document Register provides a centralised repository to track the status, ownership, and review cycles of all ISMS documents.
Mandatory Documents List
The following documents are required by ISO 27001:2022. The Document Register includes these as pre-populated entries that you can update with your organisation's specific document details:
| Document | ISO 27001 Reference | Description |
|---|---|---|
| Information Security Policy | Clause 5.2 | The top-level policy that establishes management direction and support for information security. Must be appropriate to the purpose of the organisation, include objectives or a framework for setting objectives, include a commitment to satisfy applicable requirements, and include a commitment to continual improvement. |
| Risk Assessment Methodology | Clause 6.1.2 | Documents the risk assessment process including criteria for risk acceptance, criteria for performing risk assessments, and how results will be consistent, valid, and comparable. |
| Risk Treatment Plan | Clause 6.1.3 | Documents the decisions made on risk treatment options, selected controls, and implementation plan. Links to the Statement of Applicability. |
| Statement of Applicability | Clause 6.1.3(d) | Lists all Annex A controls, states applicability with justification, and records implementation status. Managed in the dedicated SoA module within Venvera. |
| Information Security Objectives | Clause 6.2 | Documented security objectives that are consistent with the policy, measurable, take into account applicable requirements and risk assessment results, and are communicated and updated as appropriate. |
| Competence Evidence | Clause 7.2 | Evidence of the competence of persons performing work that affects information security. Includes training records, qualifications, experience records, and skills assessments. Managed through the Training and Awareness module. |
| Operational Planning and Control | Clause 8.1 | Documentation of processes needed to meet information security requirements and implement risk treatment actions. Includes procedures, work instructions, and operational guidelines. |
| Risk Assessment Results | Clause 8.2 | Results of information security risk assessments performed at planned intervals or when significant changes occur. Includes identified risks, risk owners, risk levels, and treatment decisions. |
| Internal Audit Programme and Results | Clause 9.2 | The planned audit schedule and results of internal audits conducted. Includes audit plans, reports, findings, and corrective actions. Managed through the Internal Audits module. |
| Management Review Results | Clause 9.3 | Results of management reviews including decisions, action items, and resource allocations. Managed through the Management Reviews module. |
| Corrective Actions | Clause 10.2 | Evidence of nonconformities identified and corrective actions taken, including root cause analysis and effectiveness verification. Managed through the Nonconformity Register module. |
Document Fields
Each document in the register is tracked with the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
| Title | Text input | Required | The document title. Example: "Information Security Policy", "IS-POL-001 Acceptable Use Policy" |
| Document ID | Text input | Optional | Your internal document reference number or ID. Example: "IS-POL-001", "RA-PROC-003", "SoA-v2.1" |
| Version | Text input | Optional | Current version number. Example: "1.0", "2.3", "3.0-DRAFT" |
| Category | Select dropdown | Optional | Document category for organisation and filtering. Options align with the mandatory document categories (Policy, Procedure, Record, Plan, Report, Other) |
| Status | Select dropdown | Optional | Current document lifecycle status: Draft (being written or revised), Under Review (submitted for approval), Approved (current, authorised version), Superseded (replaced by a newer version), Archived (no longer in active use, retained for records) |
| Author | Text input / User select | Optional | The person who authored or last revised the document |
| Approver | Text input / User select | Optional | The person who approved the current version. Must have appropriate authority (typically management). |
| Effective Date | Date picker | Optional | The date from which the current version is effective and applicable |
| Review Date | Date picker | Optional | The date by which the document must be reviewed. Typically annually, or upon significant change. Used for review reminder alerts. |
| File Upload | File upload | Optional | Upload the actual document file (PDF, Word, etc.). Venvera stores the document securely and provides download access to authorised users. |
Document Status Workflow
| Status | Description | Actions |
|---|---|---|
| Draft | Document is being created or revised. Not yet authorised for use. | Edit content, circulate for comment |
| Under Review | Document has been submitted for formal review and approval. Awaiting sign-off. | Review, provide feedback, approve or reject |
| Approved | Document has been formally approved and is the current authoritative version. This is the version that should be referenced and followed. | Distribute, implement, monitor compliance |
| Superseded | A newer version has been approved. This version is no longer current but is retained for reference and audit trail. | Reference only — do not use for current operations |
| Archived | Document is no longer in active use. Retained for historical reference and compliance with document retention requirements. | Reference only — access restricted to authorised users |
Certification Tracker
The Certification Tracker manages the full ISO 27001 certification lifecycle, from initial Stage 1 and Stage 2 audits through surveillance and recertification. This provides a clear timeline and status view of your certification journey.
Certification Tracker Fields
| Field | Type | Required | Description |
|---|---|---|---|
| Certification Body | Text input | Optional | Name of the accredited certification body. Example: "BSI Group", "Bureau Veritas", "DNV GL", "TUV SUD", "SGS" |
| Certificate Number | Text input | Optional | The unique certificate reference number once certification is awarded |
| Standard Version | Text input | Optional | The version of the standard you are certified against. Example: "ISO/IEC 27001:2022", "ISO/IEC 27001:2013 (transition to 2022 by Oct 2025)" |
| Scope | Textarea | Optional | The certified scope as stated on the certificate. Example: "The provision of cloud-based GRC platform services including development, hosting, and support from the London office." |
| Stage 1 Date | Date picker | Optional | Date of the Stage 1 (document review) audit. This is a readiness review where the auditor assesses your documentation and ISMS design. |
| Stage 1 Result | Select dropdown | Optional | Outcome of Stage 1 audit: Pass (ready for Stage 2), Conditional (proceed to Stage 2 after addressing specific concerns), Fail (significant gaps, Stage 2 cannot proceed) |
| Stage 2 Date | Date picker | Optional | Date of the Stage 2 (certification) audit. This is the full assessment of ISMS implementation and effectiveness. |
| Stage 2 Result | Select dropdown | Optional | Outcome of Stage 2 audit: Pass (certification recommended), Conditional (certification pending resolution of minor NCs), Fail (major NCs prevent certification) |
| Certification Date | Date picker | Optional | The date the ISO 27001 certificate was officially issued |
| Expiry Date | Date picker | Optional | Certificate expiry date (typically 3 years from certification date). Used for expiry countdown on the dashboard. |
| Surveillance Audit 1 Date | Date picker | Optional | Date of the first annual surveillance audit (typically 12 months after certification) |
| Surveillance Audit 1 Result | Select dropdown | Optional | Outcome: Pass, Conditional, Fail |
| Surveillance Audit 2 Date | Date picker | Optional | Date of the second annual surveillance audit (typically 24 months after certification) |
| Surveillance Audit 2 Result | Select dropdown | Optional | Outcome: Pass, Conditional, Fail |
| Recertification Date | Date picker | Optional | Date of the recertification audit (before the 3-year certificate expires). A full reassessment of the ISMS. |
Certification Lifecycle
The ISO 27001 certification follows a 3-year cycle:
Stage 1 Audit: The certification body reviews your ISMS documentation, scope, SoA, risk assessment methodology, and overall readiness. They confirm that the ISMS design meets the standard's requirements and identify any areas of concern before Stage 2. Typically 1–2 days on-site or remote.
Stage 2 Audit: A comprehensive assessment of your ISMS implementation and effectiveness. The auditors verify that policies and procedures are actually followed, controls are operational, and evidence is maintained. They interview staff, observe processes, and review records. Duration depends on scope and organisation size (typically 3–10 days).
If Stage 2 is successful, the certification body recommends certification and issues the certificate.
Surveillance Audit 1: A shorter audit (typically 2–4 days) conducted approximately 12 months after initial certification. The auditors verify that the ISMS continues to operate effectively, corrective actions from previous audits have been implemented, and continual improvement is evident. They do not reassess the entire ISMS but sample key areas.
Surveillance Audit 2: Second annual surveillance audit, similar in scope to Surveillance Audit 1. By the end of the two surveillance audits, all ISMS clauses and a representative sample of Annex A controls should have been covered across the initial certification and surveillance audits.
Recertification Audit: Before the certificate expires (typically scheduled 2–3 months before expiry), a full recertification audit is conducted. This is similar in scope to the original Stage 2 audit and reassesses the entire ISMS. If successful, a new 3-year certificate is issued and the cycle repeats.
Status Badges and Expiry Countdown
The Certification Tracker displays:
- Green badge — Active certification, more than 90 days until expiry
- Amber badge — Certification expiring within 90 days, recertification should be scheduled
- Red badge — Certification expired or suspended
- Blue badge — Certification in progress (Stage 1 or Stage 2 pending)
- Expiry countdown — Days remaining until certificate expiry, displayed prominently
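As an added example (not Venvera's own code), the following Python derives the badge colour, the expiry countdown and the typical audit milestones of the 3-year cycle from the tracker's date fields; the record fields, the `suspended` flag and the `add_months()` helper are assumptions.

```python
# Added example, not Venvera's own code: derive the Certification Tracker badge,
# expiry countdown and typical audit milestones from the tracker's date fields.
# The record fields, the `suspended` flag and add_months() are assumptions.
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

def add_months(d: date, months: int) -> date:
    # Shift by whole months, clamping the day for shorter months (31 Jan -> 29 Feb).
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class CertificationRecord:
    certification_date: Optional[date] = None  # None while Stage 1/2 are pending
    expiry_date: Optional[date] = None
    suspended: bool = False  # assumed flag; the page only mentions "suspended" in the red rule

def days_to_expiry(rec: CertificationRecord, today: date) -> Optional[int]:
    # Dashboard countdown; None until a certificate has been issued.
    return None if rec.expiry_date is None else (rec.expiry_date - today).days

def badge(rec: CertificationRecord, today: date) -> str:
    # Badge rules from the page: red on suspension or expiry, blue while in progress,
    # amber at 90 days or fewer to expiry, green when more than 90 days remain.
    if rec.suspended:
        return "red"
    remaining = days_to_expiry(rec, today)
    if rec.certification_date is None or remaining is None:
        return "blue"
    if remaining < 0:
        return "red"
    return "amber" if remaining <= 90 else "green"

def expected_milestones(certification_date: date) -> dict:
    # Typical 3-year cycle: surveillance at 12 and 24 months, recertification
    # audit 2-3 months before the certificate expires.
    expiry = add_months(certification_date, 36)
    return {
        "surveillance_1": add_months(certification_date, 12),
        "surveillance_2": add_months(certification_date, 24),
        "expiry": expiry,
        "recertification_window": (add_months(expiry, -3), add_months(expiry, -2)),
    }

if __name__ == "__main__":
    rec = CertificationRecord(date(2023, 3, 15), date(2026, 3, 15))  # constructed sample
    print(badge(rec, date(2026, 1, 1)), days_to_expiry(rec, date(2026, 1, 1)))
```

The amber threshold is inclusive (exactly 90 days remaining is amber), matching the page's "more than 90 days" condition for green.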
Document Attachments
Attach relevant documents to the certification record:
- Certificate copy (PDF)
- Stage 1 and Stage 2 audit reports
- Surveillance audit reports
- Corrective action evidence submitted to the certification body
- Scope statement and any scope changes