Implementing ISO 27001 always comes down to getting your policies clear, consistent and aligned with how your business really works. This post walks through what the standard expects, which policies are effectively mandatory, and how to design them in a way that satisfies auditors without drowning your team in paperwork.
What are the required policies for ISO 27001?
Getting clear on ISO 27001 and why policies matter so much
At its core, what is ISO 27001? It is the international requirements standard for building and running an information security management system (ISMS). It sets out how an organisation should establish, implement, maintain and continually improve its ISMS using a risk-based approach.
The mandatory requirements live in clauses 4 to 10 of the standard and cover context, leadership, planning, support, operation, performance evaluation and improvement. Annex A then provides a catalogue of security controls that support those requirements.
Policies are the glue that holds all of this together:
- ISO 27001 explicitly expects organisations to develop “security policies and procedures” as part of the ISMS implementation.
- Guidance from multiple implementers notes that certification requires extensive documentation, including policies, procedures and records, not just technical controls.
- Typical checklists list an information security policy, risk assessment methodology, scope statement and Statement of Applicability as mandatory documents for certification.
In other words, without well-structured policies that match how you actually operate, you will struggle to build a credible ISMS or pass an audit.
What is ISO 27001 Certification? (and how policies fit in)
What is ISO 27001 Certification? It is formal, independent verification by an accredited certification body that your ISMS conforms to ISO/IEC 27001 and is operating effectively. The certification body reviews your documentation, checks that your processes are implemented in practice and confirms that you are managing information risks in a structured way.
From a documentation perspective, certification bodies typically expect to see at least:
- An ISMS scope statement
- A top-level information security policy
- A documented risk assessment methodology and risk report
- A risk treatment plan
- A Statement of Applicability (SoA) that maps risks to Annex A controls
These documents are surrounded by topic-specific policies and procedures (access control, incident management, backup, supplier security and so on) which show how your high-level policy is turned into practical control.
Core, high-level policies that are effectively mandatory
ISO 27001 does not publish a static list of “required policies” by name, but in practice certain documents are unavoidable if you want to meet clauses 4–10 and Annex A.
Top-level Information Security Policy
This is the flagship document of your ISMS. Guidance on ISO 27001 implementation is very clear: a top-level information security policy is mandatory for certification.
Good practice and auditor expectations mean your policy should:
- Be approved by senior management and express their commitment to information security and the ISMS.
- State high-level information security objectives or at least a framework for setting them.
- Explain how information security supports your business and complies with external requirements.
- Refer to risk management and continual improvement.
- Define roles and responsibilities at a high level (for example, ISMS owner, information security manager).
A commonly recommended sequence is to finalise your ISMS scope first, then write and approve this top-level policy, and only then move into detailed risk assessment and treatment.
ISMS Scope Statement
The scope statement is itself a required document, but it also behaves like a policy in that it defines what your ISMS covers and, by implication, what it does not.
The scope must:
- Identify physical locations, organisational units, processes and systems included in the ISMS.
- Reflect internal and external context (e.g. regulatory environment, key interested parties).
- Be consistent with your top-level policy and with what you actually manage.
Without a clear scope, it is impossible to write coherent policies or demonstrate that controls adequately cover your risks.
Risk Assessment and Risk Treatment Methodology
ISO 27001 requires frequent risk assessments and a defined method for identifying, analysing and treating risks. This is usually captured in a risk assessment methodology document, sometimes combined with a policy-level statement that:
- Commits the organisation to risk-based information security.
- Defines risk criteria, scoring and acceptance thresholds.
- Sets out who owns risks and who can accept residual risks.
Auditors will use this document to check whether your risk assessment aligns with ISO 27001 expectations and whether your policies and controls are proportionate to your risk picture.
Statement of Applicability (SoA)
The SoA is explicitly mandatory under ISO 27001. It does not read like a traditional “policy”, but functionally it is a policy decision record: it states which Annex A controls are applicable, which are not, and why.
A good SoA:
- Lists all Annex A controls and whether each is applied.
- Gives a clear justification for inclusion or exclusion.
- References the policies, procedures and technical measures used to implement each applicable control.
Certification bodies lean heavily on the SoA to see how your policies and procedures map back to the standard’s control set.
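The three properties listed above (every control listed, every row justified, every applicable control tied to an implementing document) are mechanical enough to check before a Stage 1 review. The script below is an added example, not code from the original post or from UK Cyber Compliance; the SoA rows, the small control catalogue and the risk treatment plan are constructed sample data, and the identifiers are only an illustrative subset of Annex A.

```python
"""Consistency checks for a Statement of Applicability (added example)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SoaRow:
    control: str                 # Annex A control identifier
    applicable: bool             # is the control applied?
    justification: str           # reason for inclusion or exclusion
    implemented_by: List[str] = field(default_factory=list)  # policies, procedures, measures


def check_soa(rows, catalogue, treatment_plan):
    """Return sorted findings; an empty list means the SoA passes all checks.

    1. Every catalogue control appears exactly once, and nothing else appears.
    2. Every row carries a justification, whether applied or excluded.
    3. Applicable rows reference at least one implementing document.
    4. Controls selected in the risk treatment plan are marked applicable.
    """
    findings = []
    counts = {}
    for r in rows:
        counts[r.control] = counts.get(r.control, 0) + 1
    for c in catalogue:
        if c not in counts:
            findings.append(f"{c}: missing from SoA")
    for c, n in counts.items():
        if n > 1:
            findings.append(f"{c}: listed {n} times")
        if c not in catalogue:
            findings.append(f"{c}: not in the control catalogue")
    for r in rows:
        if not r.justification.strip():
            findings.append(f"{r.control}: no justification")
        if r.applicable and not r.implemented_by:
            findings.append(f"{r.control}: applicable but no implementing document")
    by_id = {r.control: r for r in rows}
    for c in treatment_plan:
        if c not in by_id or not by_id[c].applicable:
            findings.append(f"{c}: selected in risk treatment plan but not applicable in SoA")
    return sorted(findings)


# Constructed sample data (not a real SoA); the defects are deliberate.
CATALOGUE = ["A.5.1", "A.5.2", "A.5.3", "A.8.7"]
SAMPLE_SOA = [
    SoaRow("A.5.1", True, "Top-level policy required by clause 5.2", ["Information Security Policy"]),
    SoaRow("A.5.2", True, "Roles assigned within the ISMS"),        # defect: nothing implements it
    SoaRow("A.8.7", False, ""),                                      # defect: exclusion unjustified
]
TREATMENT_PLAN = ["A.5.1", "A.5.3"]                                  # A.5.3 is absent from the SoA


def sample_findings():
    return check_soa(SAMPLE_SOA, CATALOGUE, TREATMENT_PLAN)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```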
Topic-specific policies you will almost always need
Beyond the core documents above, ISO 27001 expects you to have clear rules for all the main Annex A control domains. Most organisations address these through a set of focused policies. The exact titles vary, but the underlying themes are consistent.
Access Control Policy
Annex A includes multiple controls around access control and user management. An access control policy should:
- Define principles such as least privilege, need-to-know and role-based access.
- Set rules for user registration, modification and removal (joiners, movers, leavers).
- Explain how remote access, administrative access and privileged accounts are handled.
- Reference authentication measures (password standards, multi-factor authentication where used).
This policy underpins practical procedures for granting and reviewing access, and is frequently sampled in audits.
Asset Management and Information Classification Policy
ISO 27001 expects organisations to identify and classify information assets, assign ownership and define handling rules. A combined asset management and classification policy typically:
- Requires an inventory of key information assets, systems and devices, with named owners.
- Defines classification levels (for example, public, internal, confidential) and what each level means.
- Sets rules for labelling, storage, transmission and disposal based on classification.
Without this, it is difficult to prove that your controls are proportionate to the sensitivity of the information you process.
Acceptable Use and Remote Working Policy
User behaviour is a major risk factor. ISO 27001 Annex A includes controls for acceptable use of assets and teleworking. An acceptable use policy should:
- Set clear expectations for the use of company systems, devices and networks.
- Cover email, internet browsing, personal use, social media in a work context and the use of personal devices (BYOD) where permitted.
- Include rules for remote working, including secure access back to corporate services.
This policy gives employees practical guidance and provides a baseline for disciplinary action if needed.
Cryptography Policy
Where you use encryption, ISO 27001 expects you to manage it properly. A cryptography policy should:
- State when and where encryption is required (e.g. laptops, backups, data in transit).
- Define accepted algorithms and key lengths, based on current good practice.
- Describe key management responsibilities (generation, storage, rotation, revocation).
Auditors often check that the use of cryptography aligns with risk assessments and that key management is not left to chance.
Operations Security and Change Management Policy
Annex A contains a significant cluster of controls around operational security and change management. An operations policy normally:
- Requires documented operating procedures for key systems and services.
- Mandates regular patching and vulnerability remediation (with priority for high-risk issues).
- Addresses malware protection, logging, capacity management and backup.
- Sets basic rules for change management, including risk assessments for significant changes.
Heimdal Security notes that one of the main challenges in ISO 27001 is coordinating the operational side and ensuring that documentation (policies, procedures, records) keeps pace with change.[8]
Logging, Monitoring and Incident Detection Policy
Although logging is part of operations, it is worth calling out separately. Policies in this area typically:
- Specify which systems and events must be logged and how long logs are retained.
- Assign responsibilities for log review and incident detection.
- Define what constitutes suspicious activity and when alerts should be escalated.
ISO 27001 emphasises the need for monitoring and timely detection of incidents, not just preventive controls.
Backup and Information Recovery Policy
Business continuity and backup sit across ISO 27001 and related standards such as ISO 22301. Within ISO 27001 Annex A there are explicit controls for backup and redundancy. A backup policy should:
- Define which data and systems must be backed up and how frequently.
- Set retention periods and storage expectations (for example, off-site or geo-redundant storage).
- Require regular testing of restores to ensure backups are usable.
Auditors will expect evidence that the policy is followed, including logs of backup jobs and restore tests.
Information Security Incident Management Policy
Annex A includes a complete section on incident management. A policy here should:
- Define what counts as an incident (e.g. data loss, malware infection, unauthorised access).
- Specify reporting channels and responsibilities (who triages, who leads response).
- Outline high-level steps for containment, eradication, recovery and communication.
- Require that incidents and near misses be recorded and reviewed so lessons are learned.
This policy is closely scrutinised during audits because it shows how you will respond when controls fail.
Supplier Security and Third-Party Management Policy
ISO 27001 places strong emphasis on controlling supplier risk. A supplier security policy will usually:
- Require risk assessments for suppliers that process or access your information.
- Mandate security clauses in contracts, aligned with your ISMS controls.
- Define minimum assurance methods (e.g. independent certifications, security questionnaires).
- Set expectations for incident notification and cooperation during investigations.
NoComplexity’s overview of ISO 27001 highlights Annex A.18, which focuses on compliance with internal policies and external requirements, reinforcing the need to extend your policies into supplier relationships.[2]
Secure Development and Change Policy (where applicable)
If you develop software or heavily customise systems, Annex A expects secure development practices. A development policy might:
- Require security considerations in requirements, design, coding and testing.
- Set expectations for code review, vulnerability scanning and penetration testing where relevant.
- Cover third-party code, open-source components and their maintenance.
Even if you outsource development, you will need some policy statements to show how you control security in that lifecycle.
Physical and Environmental Security Policy
Annex A also addresses physical security of offices, server rooms and equipment. A policy here should:
- Define secure areas and access controls.
- Cover visitor management and escorting.
- Set expectations for protection of equipment against theft, damage and environmental threats.
For many modern organisations, much of this is shared with landlords or data centre providers, but you still need documented policy and evidence of how you meet the controls.
ISO 27001 Certification Levels and how they relate to policies
A common question concerns ISO 27001 Certification Levels. Strictly speaking, ISO 27001 itself does not define formal graded levels such as bronze, silver or gold; an organisation is either certified for a defined scope or it is not.
What varies in practice is:
- The breadth of scope (for example, a single product vs. the entire organisation).
- The maturity of the ISMS (e.g. sophistication of metrics, automation, integration with other management systems).
- The extent and depth of supporting policies and procedures.
From a policy point of view, a narrowly scoped ISMS will still need all the required policy coverage within that scope; a broader scope tends to mean more complexity, but not necessarily different categories of policies.
How the Certification Works: where policies show up in the process
In practice, the certification process can be broken into clear steps, and policies are centre stage in several of them.
Common guidance describes the process roughly as follows:
- Preparation and gap analysis
  - Understand ISO 27001 requirements and Annex A controls.
  - Compare your current policies, procedures and records with those requirements to identify gaps.
- Design and documentation
  - Define ISMS scope.
  - Develop or refine the top-level information security policy, risk methodology, SoA and the topic-specific policies described above.
- Implementation
  - Put the policies into practice: train staff, update processes, configure systems, start collecting evidence.
- Internal audit and management review
  - Perform an internal audit against ISO 27001 and your own policies.
  - Hold a management review to assess performance and approve actions.
- Stage 1 audit (documentation review)
  - The certification body reviews your policies and core ISMS documents to check readiness and coverage.
- Stage 2 audit (implementation and effectiveness)
  - Auditors test whether your operations match your policies and whether controls are effective.
- Surveillance and recertification
  - Annual surveillance audits check that policies remain in use and are updated in response to incidents, risks and changes.
At almost every stage, auditors look at your policies as the reference point for how things “should” work, then sample evidence to see whether reality aligns.
Who needs ISO 27001 certification (and therefore robust policies)?
Whether you need ISO 27001 certification is ultimately a business decision, but certain situations make it particularly relevant:
- You handle sensitive or regulated data (for example, personal data at scale, financial data, intellectual property) and want a recognised framework to manage risks.
- Customers or regulators require evidence of structured information security management as part of contracts or approvals.
- You want to build trust with partners, investors and stakeholders by showing that your controls and policies are independently verified.
NoComplexity notes that ISO 27001 has historically been common among larger organisations, but the same principles are increasingly adopted by smaller firms as cyber risk and supply-chain scrutiny grow.
If any of these apply, having coherent, well-implemented policies is non-negotiable.
Which UK-based firms offer ISO 27001 consultancy services?
Which UK-based firms offer ISO 27001 consultancy services? In practice, there is a broad mix:
- Specialist information security consultancies focused on ISO 27001 design, implementation and audit preparation.
- Certification bodies that also offer advisory services or pre-audit gap assessments.
- Broader IT and risk management firms that include ISO 27001 as part of their portfolio.
Typical services include policy and documentation development, risk assessment workshops, control design, internal audits and support during surveillance audits.
UK Cyber Compliance (a part of UK Cyber Security Group) provides these services and has a platform to make certification much easier and cheaper.
Automated and AI-driven platforms can streamline policy generation, track document versions, maintain asset and risk registers and gather evidence, which helps smaller organisations keep the ISMS manageable over time.
Pulling it together: using policies as a practical management tool
If you strip ISO 27001 back to the essentials, the required policies are there to do three things:
- Express management intent and risk appetite in clear, business-focused terms.
- Translate that intent into actionable rules across all key security domains (access, assets, operations, incident management, suppliers and more).
- Provide a stable reference so that audits, improvements and change decisions can be made consistently over time.
The standard expects you to maintain this set of documents, review them regularly, align them with your changing context and use them as a basis for continual improvement. If you treat them as living management tools rather than static paperwork, they will do far more than simply help you pass an audit: they will give your organisation a clear, repeatable way to make good decisions about information risk.
UK Cyber Compliance is here to help
For more information, please do get in touch.
If you would like to know more, do get in touch as we are happy to answer any questions. Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers all the technical controls that will provide the protection that you need to help guard against criminal attacks.