
What is a supporting document in the context of ISO 27001?

In the context of ISO 27001, Supporting Documents play a critical role in turning policies and controls into real-world action. While policies define your intent and controls outline your requirements, supporting documents show how those requirements are carried out in day-to-day operations.

These documents are the practical, operational artefacts that demonstrate the implementation of your Information Security Management System (ISMS).

What is a Supporting Document?
A Supporting Document is any procedure, standard, guideline, or form that supports the execution of a security control, policy, or ISMS process. Examples include:
  • Change Control Policy
  • Data Backup Procedure
  • Incident Response Plan
  • RBAC Matrix (Role-Based Access Control)
  • Configuration Standards
  • Add/Remove User Process
  • Internal Development Procedure
  • Material Event Plan

Each of these documents connects to specific clauses or Annex A controls in ISO 27001 and provides practical evidence that the control is not only defined, but operational and effective.

Why Are Supporting Documents Important?
ISO 27001 places strong emphasis on documentation that supports:
  • Control design (Annex A)
  • Operational effectiveness (Clause 9 – Performance Evaluation)
  • Evidence of continuous improvement (Clause 10 – Improvement)
  • Audit readiness and traceability

Supporting Documents help your organisation:
  • Bridge the gap between policy and action
  • Ensure consistency in how critical security processes are followed
  • Train new staff with step-by-step instructions
  • Satisfy auditors by demonstrating how compliance requirements are met in practice
  • Adapt quickly to incidents or system changes with documented response playbooks

How Supporting Documents Work in de.iterate
In de.iterate, Supporting Documents are managed under the Document Library section. You can:
  • Upload and categorise them by type (e.g. Procedure, Standard, Policy, Matrix)
  • Link them to specific ISO 27001 clauses or Annex A controls
  • Assign ownership and set review dates to ensure they stay up to date
  • Attach them to Assurance Tasks, risks, or corrective actions for full traceability

The auditor packs generated by de.iterate link Supporting Documents to controls and clauses, and help you demonstrate to your auditor that your Management System is functional and effective.

Best Practice Tips
  • Ensure each document is mapped to the relevant Statement of Applicability controls. This mapping is used in audit packs so your auditor can connect documentation to intent and evidence
  • Assign clear ownership for every document. Someone must be responsible for keeping it current
  • Schedule annual reviews (at minimum) to keep documentation aligned with evolving risks, technologies, and business processes
  • Use naming conventions and document types consistently for easier navigation and audit response

Supporting Documents are the operational glue that holds your ISMS together. Without them, your security controls may look good on paper but fall short in practice. By documenting how your organisation handles critical processes, and keeping those documents up to date, you not only strengthen your compliance, but also build a more secure and resilient business.

With de.iterate, managing and maintaining Supporting Documents is simple, centralised, and aligned with ISO 27001 best practices.