Implementing an ISMS is only half the battle; proving it works is the other. During certification we auditors begin with paperwork, because every requirement in Clauses 4-10 and each of the 93 Annex A controls must be anchored to a signed, version-controlled document or verifiable record. Miss one item and the visit turns into a remediation project. Use the checklist below to make sure that can’t happen.
Why We Start With Documents
- Completeness – If a required file is absent, it’s a major non-conformity and certification pauses.
- Consistency – Names, asset IDs and risk ratings must match from scope to logs.
- Traceability – Each risk links to a control, each control to monitoring evidence.
- Freshness – We expect every document to have been reviewed inside the current cycle (usually 12 months).
Mandatory Documents (Clauses 4-10)
✔/☐ | Document | Clause | Why We Care |
---|---|---|---|
☐ | ISMS Scope Statement | 4.3 | Defines exactly what we audit—people, tech, locations, suppliers. |
☐ | Information-Security Policy | 5.2 | Shows executive sponsorship and overall direction. |
☐ | Risk-Assessment Methodology | 6.1.2 | Locks in likelihood/impact scales so risk scores are defensible. |
☐ | Operational Planning & Control | 8.1 | High-level SOP that connects risks, controls and resources; made mandatory in the 2022 edition. |
☐ | Statement of Applicability (SoA) | 6.1.3 | Lists all 93 controls, marking each as adopted or excluded with a business reason. |
☐ | Risk-Treatment Plan | 6.1.3 & 8.3 | Maps every significant risk to mitigate/transfer/avoid/accept actions, owners and deadlines. |
☐ | Information-Security Objectives | 6.2 | Converts policy aims into measurable KPIs (e.g., “critical patches ≤ 14 days”). |
☐ | Monitoring & Measurement Results (document) | 9.1 | Demonstrates those KPIs are tracked and met. |
☐ | Internal-Audit Programme & Reports | 9.2 | Proves you test yourself before we arrive. |
☐ | Management-Review Minutes | 9.3 | Evidence the leadership team reviewed performance, risks and resources. |
☐ | Corrective-Action Procedure & Records | 10.2 | Shows findings were fixed at root cause, not just patched. |
Mandatory Retained Records
✔/☐ | Record | Clause / Control | What We Look For |
---|---|---|---|
☐ | Results of Risk Assessment | 6.1.2 | Completed risk register with evaluated likelihood & impact. |
☐ | Results of Risk Treatment | 6.1.3 & 8.3 | Post-treatment register showing residual risk ratings. |
☐ | Evidence of Competence (Training Logs) | 7.2 | Role-based security training, exams, sign-offs. |
☐ | Asset Inventory | A.5.9 | Every asset tagged with owner, classification, location. |
☐ | User / Exception / Security-Event Logs | A.8.15 | Tamper-evident, time-synchronised, retained per policy. |
☐ | Evidence of Monitoring & Measurement | 9.1 | Dashboards, sample reports, alerts—all retained, not overwritten. |
☐ | Results of Internal Audit | 9.2 | Findings, sampling sheets, follow-up actions, closure evidence. |
☐ | Results of Management Review | 9.3 | Agenda, metrics reviewed, decisions taken, budget approved. |
☐ | Results of Corrective Actions | 10.2 | Root-cause analysis, action owner, verification date. |
Retention tip: keep every record for the full three-year certification cycle plus one audit period—in practice, four years.
Optional but High-Value Policies
While not required by the Standard, these documents reduce interview time and demonstrate maturity. Note them in the SoA if you use them.
- Document-Control Procedure
- Information-Classification Standard
- BYOD & Mobile-Working Policy
- Backup & Disaster-Recovery Plan
How We Verify Your Package
- Open the Scope – Confirms we’re looking at the right assets.
- Trace a Sample Risk – From the register to its control, to evidence the control is monitored and effective.
- Check Review Dates – Any document older than its scheduled review is flagged.
- Cross-Check Numbers – Risk scores in the treatment plan must match those in the risk register and SoA.
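The verification steps above, as an added Python sketch that is not part of this checklist: it runs the risk trace, the review-date check and the score cross-check over a constructed sample package, so a team can dry-run the same checks before the visit. All document names, risk IDs, control IDs, scores and dates in the sample are assumed.

```python
from datetime import date, timedelta

REVIEW_CYCLE = timedelta(days=365)  # documents must be reviewed inside the 12-month cycle

def check_review_dates(documents, today):
    """Check Review Dates: flag any document whose last review is older than the cycle."""
    return [d["name"] for d in documents if today - d["last_review"] > REVIEW_CYCLE]

def cross_check_scores(register, plan):
    """Cross-Check Numbers: every risk score in the treatment plan must match the register."""
    findings = []
    for risk_id, entry in plan.items():
        reg = register.get(risk_id)
        if reg is None:
            findings.append(f"{risk_id}: in treatment plan but missing from register")
        elif reg["score"] != entry["score"]:
            findings.append(f"{risk_id}: score {entry['score']} in plan, {reg['score']} in register")
    return findings

def trace_risk(risk_id, plan, soa, evidence):
    """Trace a Sample Risk: register -> treatment entry -> SoA-adopted control -> retained evidence."""
    entry = plan.get(risk_id)
    if entry is None:
        return f"{risk_id}: no treatment-plan entry"
    control = entry["control"]
    if soa.get(control) != "adopted":
        return f"{risk_id}: control {control} is not marked adopted in the SoA"
    if not evidence.get(control):
        return f"{risk_id}: no monitoring evidence retained for {control}"
    return None  # fully traceable

# Constructed sample package (illustrative values, not a real ISMS)
TODAY = date(2024, 6, 1)
DOCUMENTS = [{"name": "ISMS Scope Statement", "last_review": date(2024, 1, 15)},
             {"name": "Risk-Assessment Methodology", "last_review": date(2023, 3, 1)}]
REGISTER = {"R-01": {"score": 12}, "R-02": {"score": 8}}
PLAN = {"R-01": {"score": 12, "control": "A.8.15"},
        "R-02": {"score": 6, "control": "A.5.9"}}      # 6 != 8: will be flagged
SOA = {"A.8.15": "adopted", "A.5.9": "adopted"}
EVIDENCE = {"A.8.15": ["log-retention report 2024-05"]}  # nothing retained for A.5.9

def audit_package():
    """Run all three checks over the sample package and return every finding."""
    findings = [f"stale: {name}" for name in check_review_dates(DOCUMENTS, TODAY)]
    findings += cross_check_scores(REGISTER, PLAN)
    findings += [f for r in REGISTER if (f := trace_risk(r, PLAN, SOA, EVIDENCE))]
    return findings
```

Each finding returned here corresponds to a point an auditor would raise in the document review; an empty list means the sample package passes these three checks.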
Next Steps & Free Resources
Ready to fill the gaps? Download our Annex A Control Catalogue and document templates bundle, or try the ISMS-Builder to generate policy drafts in minutes. These resources align to the 2022 structure, so you’ll start with the paperwork auditors expect to see.
Key Takeaways
- Clause 8.1’s Operational Planning & Control document is new in the 2022 edition—don’t skip it.
- Store two separate registers: one for initial risk assessment results, one for post-treatment residual risks.
- Monitoring data isn’t just a dashboard; it’s a retained record that must survive the full certification cycle.
- A tidy, version-controlled library turns the audit from interrogation into confirmation.
Master this paperwork, and the site visit becomes a formality rather than a scramble.