ISO 27001 mandatory documentation question

ISO does not publish lists of mandatory documents and records for its standards, but they are easily identifiable.

In the ISO world, mandatory requirements/documents/records are related to the words “must” or “shall”, while nonmandatory requirements/documents/records are related to the words “may” or “should”. For example:
- "The scope shall be available as documented information"
- "... shall retain documented information about the information security risk assessment/treatment..."
- "... shall retain documented information on the information security objectives."

In clause 7.5, which defines requirements for documented information (i.e., management of documents and records), there are no requirements demanding written practices for creation, updating and control of documents and records. What happens in real life is that a procedure for control of documents and records is written as a good practice when organizations see this is worthy. This procedure is part of ISO 27001 toolkit even though such document is not mandatory.

 These materials will also help you regarding document management:

- Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/

- Checklist of mandatory documentation required by ISO 27001:2013 (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001

- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/