Chat with Experta

User
What kind of records are needed according to ISO 27001?
Experta
ISO 27001:2022 specifies the following records as required (no matter if a company is large or small, or which industry it is in). If you go for the certification audit, the auditor will ask for all of these records:
- Trainings, skills, experience, and qualifications—Clause 7.2 (usually documented as Training certificates and CVs)
- Monitoring and measurement results—Clause 9.1 (usually documented as Measurement Report)
- Internal audit program—Clause 9.2 (usually documented as Internal Audit Program)
- Results of internal audits—Clause 9.2 (usually documented as Internal Audit Report)
- Results of the management review—Clause 9.3 (usually documented as Management Review Minutes)
- Results of corrective actions—Clause 10.2 (usually documented as Corrective Action Form)
- Logs of user activities, exceptions, and security events—Control A.8.15 (usually documented as automatic logs in information systems)