ISO 27001 Clause 7.5 requires documented information to be controlled. The Document Register tracks all ISMS documents and their status.

ISO 27001 mandatory documents

The standard requires specific documents to be maintained. The register tracks which of these you have:

  • Scope of the ISMS (4.3)
  • Information security policy (5.2)
  • Risk assessment process (6.1.2)
  • Risk treatment plan (6.1.3)
  • Statement of Applicability (6.1.3d)
  • Information security objectives (6.2)
  • Evidence of competence (7.2)
  • Operational planning and control (8.1)
  • Results of risk assessments (8.2)
  • Results of risk treatment (8.3)
  • Monitoring and measurement results (9.1)
  • Internal audit programme and results (9.2)
  • Management review results (9.3)
  • Nonconformities and corrective actions (10.2)

For each document, track the title, version, owner, review date, and status (Active, Under Review, Archived).