What does Clause 7.5 involve?

One of the main requirements of ISO 27001 is to describe your information security management system (ISMS) and then to demonstrate how its intended outcomes are achieved for the organisation. It is incredibly important that everything related to the ISMS is documented, well maintained and easy to find if the organisation wants to achieve an independent ISO 27001 certification from a body accredited by UKAS.

ISO 27001 clause 7.5 is broken down as follows:

Clause 7.5.1 – General documentation for ISO 27001

The ISMS needs to clearly include:

  • A description of how it addresses 4.1 to 10.2 of the core requirements, including the risk assessment and treatment which leads on to the selection of the Annex A controls.
  • The relevant Annex A controls that are part of the Statement of Applicability, which effectively means you need to have all controls listed. Even if an organisation decides that a control is not relevant, it should document that decision: for example, if it has no need for delivery and loading areas under Annex A 11.1.6 because it is a purely digital business, it needs to show the auditor that it has considered the control and concluded there is no risk and no need for it.

Clause 7.5.2 – Creating and updating documented information for ISO 27001

ISO 27001 wants clarity in documentation: it looks for identification and description, format, and review and approval for suitability and adequacy to serve the document's purpose. It is easy to miss the nuances of these requirements, but practically this means considering author, date, title, reference and so on. The approval process is also very important for dovetailing with Annex A 5.1.2, as described below.

Clause 7.5.3 – Control of documented information for ISO 27001

At the heart of the ISMS is the Confidentiality, Integrity and Availability principle for the information it protects. The same applies to the ISMS documentation itself: it needs to be available when required and adequately protected from loss of confidentiality, unauthorised use or compromise of its integrity.

Simply dumping the ISMS contents on the team shared drive, uncontrolled or with ineffective access permissions, would almost certainly lead to problems for the organisation in an audit. Similarly, leaving it on a personal drive inaccessible to those who need to know about the ISMS would equally be a problem, so consideration needs to be given to numerous areas for effective control. ISO 27001 expects an organisation to address the following aspects:

  • sharing and distribution clarity, and controls over access to some or all of the ISMS, bearing in mind that the permissions for reading, updating, approving, deleting etc. may need to differ by stakeholder role
  • storage and preservation, including control of changes (showing older versions, historical approvals etc.)
  • retention and disposal

This requirement also aligns with the regular review of policies highlighted in Annex A 5.1.2, touched on below.


How much has to be written for documentation of the ISMS to be considered acceptable by an auditor?

One question that is often asked about information security management documentation is ‘how much is enough?’. The short answer is that it is about quality, not quantity. As long as the organisation complies with the requirements summarised in this article, and can demonstrate that it does not need lengthy, verbose documentation (for example because it is a small organisation with few participants around the ISMS, and the ISMS is stable, clear, well maintained and simple in operation), the auditor will no doubt take that into account during an audit.

Is documentation for the information security management system ‘word style documents’ or are other forms of content allowed?

What sort of documentation is expected is another of the frequently asked questions about clause 7.5 documentation for the information security management system. In fact, ISO 27001 clearly states in the note to clause 7.5.1:

“The extent of documented information for an information security management system can differ from one organization to another due to:”

  • the size of organization and its type of activities, processes, products and services;
  • the complexity of processes and their interactions; and
  • the competence of persons.

A number of ISO 27001 information security documentation ‘toolkit’ providers have perpetuated the myth that documented information for an ISMS must be Word documents and Excel spreadsheets. Clearly these documents can have a place in an ISMS (e.g. where pictures or complex processes need to be communicated) but they should be used sparingly given the advent of better online tools.

Online services like ISMS.online support documents in the traditional manner and also offer more effective ways of managing documentation: better control and coordination, better ways of sharing and publishing to audiences, and a much easier route to meeting the documentation management requirements of clause 7.5. It also means the old days of wasting time with document front pages listing every version change, and approvals chased via email, are long gone!

Joining 7.5 with Annex A Controls

When you consider that clause 7.5 requirements also dovetail with the control objectives in the Annexes, it makes even more sense to think about a joined-up, well-coordinated management system instead of old-fashioned documents and shared drives for storage. Examples of where to join up clause 7.5 with the Annex A controls include:

Annex A 5.1.1

In addition to being defined, information security policies need to be approved by management, published and communicated to employees and relevant external parties. It is not easy to demonstrate approval for documents per se, and heavyweight published documents are unlikely to be digested or understood by stakeholders even if they have been communicated, leaving the organisation at risk of non-compliance and of loss through ignorance.

Annex A 5.1.2

This control covers the review of the policies for information security. ISO 27001 says that policies should be reviewed at planned intervals (or if significant changes occur) to ensure their ongoing suitability. Independent ISO auditors will expect to see that review done at least annually for each policy.

Annex A 18.2

This Annex A control is about information security reviews, and done well it integrates neatly with clause 7.5 for documentation management of an ISMS, including independent reviews, checks for compliance and, where appropriate, technical compliance as well. Reviewing, version controlling, showing updates to and then approving old-fashioned documents, where they don’t need to be documents per se, can really slow down administrators of the ISMS. It can also delay or lose staff engagement and lead to non-compliance.

How to manage documentation in your ISMS?

Clause 7.5 is easy to misunderstand: organisations either flail around and fail the audit, or over-engineer a solution and spend far too long building a management system structure that proves too hard to maintain at the first change. The ISMS.online business case planner looks at the options for build versus buy, so do check that out if you are thinking about creating your own solution.

It is really hard to get right and meet all the requirements of clause 7.5 and the related Annex A controls too. It’s why many organisations look for a purpose-built ISMS software solution and want something with the characteristics of ISMS.online.

After all, you wouldn’t waste time constructing your own CRM or Finance system when others have already spent time developing the right solution that can be delivered straight out-of-the-box for a fraction of the cost of a DIY solution that is not part of the organisation’s core competences.

ISMS.online provides an easy to follow structure for all the required documentation. It follows exactly the same structure as the standard itself so you and an auditor can easily and quickly navigate to the required documentation. It has built in roles and permissions for accessing, editing, approving and sharing. There is also automatic version control and reminders for reviews. We’ve even gone one step further and included policy and control documentation that you can adopt, adapt and add to, straight-out-of-box.

Using the ISMS.online software solution will allow you to focus on your ISMS goals. ISMS.online makes light work of the administration, so you can easily create, control, coordinate, manage and share your documentation with stakeholders, including through Policy Packs, which heighten end-to-end confidence in compliance. It will also give you all the tools to perform the many work processes required by the standard. That is why we say the documents we provide are ‘actionable’: they are more than simple document templates that leave you to interpret and find a way of demonstrating your processes. ISMS.online is a whole ISMS solution all in one place.


Mark Sharron

Mark works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001 and compliance.
