Open most ISO 27001 ISMS document libraries and you will find the same pattern: a SharePoint folder bloated with seventeen versions of an Acceptable Use Policy, three "FINAL_v2" variants, conflicting approval dates, and a Statement of Applicability that contradicts the access control policy it references. The certification body arrives, samples five documents, and the nonconformities write themselves.
This is not an ISO 27001 problem. It is a document control problem dressed up in compliance language. Clause 7.5 of ISO/IEC 27001:2022 sets a low bar: documented information must be identified, reviewed and approved, available where it is needed, and protected. Yet it is the most consistent source of findings our consultants encounter during Stage 1 audits, and the areas of concern raised at Stage 1 become nonconformities at Stage 2 if they are not closed in between.
With the 2022 revision now mandatory for all new certifications and the transition deadline for organisations on the 2013 standard having passed on 31 October 2025 (per IAF Resolution 2022-15), auditors are scrutinising documentation structure harder than ever. Here is how to build an ISO 27001 document control procedure that survives audit without burying your security team in paperwork.
What Clause 7.5 actually requires
ISO/IEC 27001:2022 Clause 7.5.3 demands two things of your documented information: it must be available and suitable for use where and when it is needed, and it must be adequately protected (from loss of confidentiality, improper use, or loss of integrity). To achieve that, the clause lists the activities you address as applicable: distribution, access, retrieval and use; storage and preservation; control of changes, which is where version control lives; and retention and disposition. Documented information of external origin that the ISMS depends on must be identified and controlled too. That is it. There is no requirement for a 200-page policy suite. There is no mandate for quarterly reviews. There is no rule that every Annex A control needs its own standalone document.
The standard requires you to decide what is necessary, document that, and control it properly. Most ISMS implementations fail because teams confuse "documented information determined by the organisation as being necessary" with "every template the consultant left behind." The distinction is critical: if a document exists but serves no operational purpose, it creates audit risk rather than mitigating it.
The three-tier ISMS documentation structure that works
Our consultants implement a three-tier architecture across every ISO 27001 engagement. It maps cleanly to auditor expectations and stops policy sprawl at source. This ISMS documentation structure has been battle-tested across financial services, healthtech, and SaaS clients.
Tier 1 — Governance documents. Information Security Policy, ISMS Scope, Statement of Applicability, Risk Assessment Methodology, Risk Treatment Plan. Owned by the ISMS Manager or vCISO. Reviewed annually or on material change. Approved by top management with a signed record. These are the documents the certification body's lead auditor reads first.
Tier 2 — Topic-specific policies. Access Control, Cryptography, Supplier Security, Incident Management, Business Continuity, Secure Development. These map to the Annex A control themes (Organisational, People, Physical, Technological). Owned by the relevant control owner — not the ISMS Manager. Each policy should fit on 3-5 pages; anything longer indicates conflation with Tier 3 procedures.
Tier 3 — Procedures, standards, and records. The operational detail. How you actually onboard a user, patch a server, respond to a phishing report. This tier carries the evidence auditors sample during surveillance visits. It is the most common source of nonconformities, not because the procedures are wrong, but because they are not followed consistently.
Crucially, Tier 1 references Tier 2, which references Tier 3. No document repeats content from another. When new regulatory obligations land — for example, the EU AI Act's requirements for EU-exposed AI processing — you add one Tier 2 policy and a handful of Tier 3 procedures; you do not rewrite your governance stack.
The metadata discipline that makes audits painless
Every controlled document needs the same header block. No exceptions. Our standard set:
- Document ID (e.g. PYR-POL-AC-001): an organisation prefix (PYR), a document type code that fixes the tier (POL for a Tier 2 policy), a topic code (AC for access control), and a sequence number (001)
- Version and status — Draft, Approved, Superseded, or Retired
- Owner and approver — named roles, not individuals, to avoid gaps when people leave
- Effective date and next review date
- Change history: every version with its date, the role that made the change, and a one-line description of what changed. A new document starts with a single entry; a mature policy should carry its last few revisions in the header itself so the review trail is visible without opening the register
Pair this with a single Master Document Register, a spreadsheet or, better, a record in your GRC tool, that lists every controlled document, its current version, owner, and review status. When the auditor asks to see the access control policy, you do not hunt through SharePoint. You open the register, click the link, and demonstrate end-to-end control in under thirty seconds. The lack of a maintained Master Document Register is the single most common Stage 1 finding our consultants see.
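As an added example (not Pyralink's tooling and not a template from this page), here is a small Python linter that applies the header-block rules above to a Master Document Register exported as rows. The register rows, the ID regular expression, the status vocabulary and the list of permitted owner roles are constructed assumptions that mirror the PYR-POL-AC-001 convention; adapt them to your own scheme. It flags the failure modes this article describes: IDs that do not follow the scheme, owners who are people rather than roles, two Approved versions of the same document competing as source of truth, and reviews that have slipped past their date.

```python
"""Master Document Register linter (added example; the rows, ID scheme, status
vocabulary and role list are constructed assumptions, not any real register)."""
import re
from datetime import date

# Assumed ID scheme: <org prefix>-<type>-<topic>-<3-digit sequence>, e.g. PYR-POL-AC-001.
# The type code fixes the tier (assumed codes: GOV = Tier 1, POL = Tier 2, PRO/STD = Tier 3).
ID_PATTERN = re.compile(r"^[A-Z]{2,5}-(GOV|POL|PRO|STD)-[A-Z]{2,4}-\d{3}$")
STATUSES = {"Draft", "Approved", "Superseded", "Retired"}
# Owner and approver must be roles, never named individuals (assumed role vocabulary).
ROLES = {"ISMS Manager", "vCISO", "CISO", "Head of IT", "Top Management"}
REQUIRED = ("id", "version", "status", "owner", "approver", "effective", "next_review")


def lint_register(rows, today):
    """Return (document id, finding) tuples for every header-block rule a row breaks."""
    findings = []
    approved_versions = {}  # document id -> versions currently marked Approved
    for row in rows:
        doc_id = row.get("id") or "<missing id>"
        for field in REQUIRED:
            if not row.get(field):
                findings.append((doc_id, f"missing field '{field}'"))
        if row.get("id") and not ID_PATTERN.match(doc_id):
            findings.append((doc_id, "document id does not follow the ID scheme"))
        if row.get("status") and row["status"] not in STATUSES:
            findings.append((doc_id, f"unknown status '{row['status']}'"))
        for field in ("owner", "approver"):
            if row.get(field) and row[field] not in ROLES:
                findings.append((doc_id, f"{field} '{row[field]}' is not a defined role"))
        if row.get("status") == "Approved":
            approved_versions.setdefault(doc_id, []).append(row.get("version") or "?")
            nxt = row.get("next_review")
            if nxt:
                try:
                    if date.fromisoformat(nxt) < today:
                        findings.append((doc_id, f"review overdue since {nxt}"))
                except ValueError:
                    findings.append((doc_id, f"next_review '{nxt}' is not an ISO date"))
    # Exactly one Approved version per id; two means two competing sources of truth.
    for doc_id, versions in approved_versions.items():
        if len(versions) > 1:
            findings.append((doc_id, "multiple Approved versions: " + ", ".join(versions)))
    return findings


# Constructed sample register: one clean policy, one with two live versions,
# and one "FINAL_v2" relic of the SharePoint folder the article opens with.
SAMPLE_REGISTER = [
    {"id": "PYR-POL-AC-001", "version": "2.1", "status": "Approved", "owner": "Head of IT",
     "approver": "Top Management", "effective": "2025-03-01", "next_review": "2026-03-01"},
    {"id": "PYR-POL-AC-001", "version": "2.0", "status": "Superseded", "owner": "Head of IT",
     "approver": "Top Management", "effective": "2024-03-01", "next_review": "2025-03-01"},
    {"id": "PYR-POL-CR-002", "version": "1.0", "status": "Approved", "owner": "CISO",
     "approver": "Top Management", "effective": "2024-01-15", "next_review": "2025-01-15"},
    {"id": "PYR-POL-CR-002", "version": "1.1", "status": "Approved", "owner": "CISO",
     "approver": "Top Management", "effective": "2025-01-10", "next_review": "2026-01-10"},
    {"id": "AUP_FINAL_v2", "version": "FINAL", "status": "Final", "owner": "Jane Smith",
     "approver": "Top Management", "effective": "2023-06-01", "next_review": ""},
]


def lint_sample():
    """Run the linter over the sample register with a fixed reference date."""
    return lint_register(SAMPLE_REGISTER, date(2025, 11, 1))


if __name__ == "__main__":
    for doc_id, finding in lint_sample():
        print(f"{doc_id}: {finding}")
```

Run it against a CSV export of your own register (one dict per row) before the auditor does; every line it prints is a question you would otherwise answer on the day. The reference date is passed in rather than read from the clock so the same export produces the same findings in a ticket, a pipeline and a test.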
Common mistakes that fail audits
Annual review theatre. Marking every policy "reviewed" on the same date each year, with no actual change record, signals to auditors that review is performative. Stagger reviews throughout the year. Document what was checked, what changed, and what was confirmed as still accurate.
Confusing policy with procedure. Policies state intent and accountability. Procedures describe execution. Mixing them produces 40-page Frankenstein documents nobody reads and auditors cannot map to controls. A policy should fit within the 3-5 page limit set above; a procedure may run to ten or more depending on complexity.
Uncontrolled copies in Teams, Slack, and email. Clause 7.5.3 requires you to control distribution, access, retrieval and use of documented information. If your staff are pulling outdated PDFs from a shared Teams channel, you have lost control of the source of truth. Publish from one location: a document management system, a controlled intranet page, or your GRC platform. Link, do not attach.
No retention rules for superseded versions. ISO 27001 requires retention and disposition of documented information to be addressed. "We keep everything forever" is not a retention policy. Where superseded documents and records contain personal data, which incident records, access reviews and onboarding records routinely do, indefinite retention also breaches the storage limitation principle in UK GDPR Article 5(1)(e). Define retention periods per document type and automate archiving where possible.
Treating the Statement of Applicability as static. The SoA must reflect reality. When you adopt new technology — a SIEM, an MDR service, an identity provider — the justification column changes. Out-of-date SoAs are the single most cited finding our consultants see in surveillance audits, typically because teams update the technology but not the control justification. The SoA should be reviewed every time the ISMS scope or risk treatment changes, not just at the annual management review.
Frequently asked questions about ISO 27001 document control
How many documents do we need for ISO 27001 certification?
There is no prescribed minimum. The standard requires documented information "necessary for the effectiveness of the ISMS." Most UK SMEs certified to the 2022 standard operate with 15-25 controlled documents in Tier 1 and Tier 2, plus operational records in Tier 3. Quality matters far more than quantity — a well-maintained set of 15 documents passes audit more easily than 50 poorly controlled ones.
Does our document control procedure need to be a separate document?
Not necessarily. Many organisations embed their document control rules within their Information Security Policy or a standalone Document Control Procedure. Either approach works, provided the document control rules are clearly stated, accessible, and followed consistently. The key requirement is that the controls described in the document are evident in the document management system's operation.
How often should we review ISO 27001 policies?
Annually is the typical cycle, but the standard does not mandate a specific frequency. The requirement is that you define a review frequency, document it, and adhere to it. Our consultants recommend staggering reviews throughout the year rather than reviewing everything in December — this spreads workload and demonstrates continuous oversight to auditors.
How Pyralink helps
Pyralink Innovation Ltd builds ISMS documentation that earns certification on first attempt and stays maintainable afterwards. Led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), our team has implemented ISO 27001:2022 across financial services, healthtech, SaaS, and professional services clients — not from templates, but tailored to actual operations.
Our ISO 27001 support engagements include a full document control procedure, the three-tier policy architecture, a populated Master Document Register, and SoA development aligned to your Risk Treatment Plan. For ongoing policy management best practice, our fractional vCISO service (from £497/month) keeps reviews on schedule and SoA evidence current between audits. Pyralink holds £5M professional indemnity insurance and operates under UK jurisdiction.
If your documentation is drifting or your Stage 1 audit is approaching, get a second pair of eyes before the auditor finds the gaps. Many organisations save months of remediation effort by identifying documentation issues before the formal audit begins — our readiness assessments are designed to catch exactly these problems.