The primary requirement for the documented information of an ISMS (Information Security Management System) is that it must be appropriately controlled, maintained, and made available as necessary to support the operation and effectiveness of the ISMS.
Relevant Extract:
ISO/IEC 27001:2022, Clause 7.5 (Documented information) states:
"The organization’s information security management system shall include documented information required by this document and determined by the organization as being necessary for the effectiveness of the ISMS. Documented information required by the information security management system and by this document shall be controlled to ensure it is available and suitable for use, where and when it is needed."
ISO/IEC 27001:2022, Clause 7.5.3 (Control of documented information) specifically requires:
"Documented information required by the information security management system and by this document shall be controlled to ensure:
— it is available and suitable for use, where and when it is needed;
— it is adequately protected (e.g., from loss of confidentiality, improper use, or loss of integrity)."
There is no requirement for ISMS documentation to exist only in digital format (A), to be public (C), or to be arbitrarily flexible to any change trigger (B). Control and availability as needed are the requirements.