In order to maintain a standard-compliant information security management system, various forms of documentation are required at different levels of an organization.

At a very abstract level, there is often a document to represent the mission statement - for example, a top level information security policy. The guidelines derived from this are already more concrete - for example, guidelines for risk management, cloud applications, social media use, passwords, backup and recovery, training and awareness-raising, etc..

At an even more granular level are concepts and implementation documentation - for example, operating manuals, instructions for employees or the documentation of incidents or changes within IT operations.