In total there are 16 pieces of documented information that every ISMS must create and maintain in order to be eligible for certification.

| Title | Type | Clause | Title | Type | Clause |
|---|---|---|---|---|---|
| Scope of the ISMS | Mandatory | 4.3 | Results of information security risk treatment | Mandatory | 8.3 |
| Information security policy | Mandatory | 5.2 | Results of monitoring and measurement | Mandatory | 9.1 |
| Information security risk assessment process | Mandatory | 6.1.2 | Audit programme | Mandatory | 9.2 |
| Information security risk treatment process | Mandatory | 6.1.3 | Audit results | Mandatory | 9.2 |
| Statement of applicability (SoA) | Mandatory | 6.1.3 | Results of management reviews | Mandatory | 9.3 |
| Information security objectives | Mandatory | 6.2 | Nature of nonconformities and any subsequent actions taken | Mandatory | 10.2 |
| Evidence of competence | Mandatory | 7.2 | Results of any corrective action | Mandatory | 10.2 |
| Evidence for processes being carried out as planned | Mandatory | 8.1 | | | |
| Results of information security risk assessments | Mandatory | 8.2 | | | |