Tips on getting documentation right for ISO 27001 certification

By Hannah Kelly

Cyber Security Technologist

When aiming to achieve your ISO 27001 certification, it is important to know what common pitfalls you can fall prey to, so you can effectively avoid them. There are some commonplace hiccups” that could lead to unnecessary delayin your certification.

Below, are three areas look out for: 

Ensure any documentation is recorded effectively in a central place. 

This ensures easy document management for upcoming review dates and version numbers are listed in succession, allowing for easy identification and integration of any new documents created.  

It is expected that all documents follow a similar homestyle, and that this homestyle is recorded within formal documentation. 

Language used within business documentation is to be transparent.  

This ensures that there is ease of use when staff read internal polices and processes, and there is no ambiguity around what their duties are. 

Collaboration between different departments is important when creating new procedures to ensure relevant and accurate information is being presented. 

It is also worth mentioning that changes to documentation must be recorded and also communicated to all staff members- the process of how to notify staff must be formally documented, and  a comprehensive record kept for audit purposes.  


Firstly: Records, including; change requests, security and event logs etc, usually must have a 2-step personnel factor. This means having different staff members responsible for requesting and authorising, or different staff used to report and record (e.g. report a security event and record it on relevant database).  

Secondly: All records must be kept in full and leaving blank spaces must be avoided. It is recommended to use “n/a” where necessary to show all requirements have been considered.  

Lastly: Having a column for “lessons learned” clearly marked where appropriate on records shows continual development and improvement considerations have been thought about wherever necessary. This is usually what an auditor is looking for when incidents and events have been recorded.  

Indelible Data has prepared a comprehensive set of documentation to assist companies in their journey to ISO 27001 certification. These easily customisable templates are available to purchase in our shop