Chat with Experta

User
Which documents are mandatory for Annex A?
Experta
ISO 27001:2022 specifies the following Annex A documents and records as required as a minimum (no matter if a company is large or small, or which industry it is in) - the auditor will ask for all of these documents:
- Inventory of assets—Control A.5.9 (usually documented as Inventory of Assets or List of Assets in the Risk Register)
- Acceptable use of assets—Control A.5.10 (usually documented as IT Security Policy)
- Incident response procedure—Control A.5.26 (usually documented as Incident Management Procedure)
- Statutory, regulatory, and contractual requirements—Control A.5.3 (usually documented as List of Legal, Regulatory, and Contractual Requirements)
- Security operating procedures for IT management—Control A.5.37 (usually documented as Security Procedures for IT Department)
- Definition of security roles and responsibilities—Controls A.6.2 and A.6.6 (usually documented as agreements, NDAs, and specifying responsibilities in each security policy and procedure)
- Definition of security configurations—Control A.8.9 (usually documented as Security Procedures for IT Department)
- Secure system engineering principles—Control A.8.27 (usually documented as Secure Development Policy)
- Logs of user activities, exceptions, and security events—Control A.8.15 (usually documented as automatic logs in information systems)

Note: ISO 27001 documents or records required by Annex A controls are mandatory only if you select related controls as applicable in the Statement of Applicability.