How Many Documents Each Compliance Framework Actually Requires

A complete ISO/IEC 27001:2022 documentation set runs to about 24 policies and procedures plus the 93-control Statement of Applicability; a SOC 2 set is around 22 policies mapped to the Trust Services Criteria; a small-practice HIPAA set is about 18 policies plus a Security Risk Assessment; and NIST CSF 2.0 spans 6 Functions, 22 Categories and 106 Subcategories. The exact list depends on scope, but these are the document counts auditors typically expect.

Document counts by framework

The table below shows the core policy/procedure count, the key register or workbook, and the structural facts for each framework. These counts are concrete and verifiable, but rarely published in one place. The exact number always depends on your scope: treat the figures as the typical full documentation set, not a fixed legal minimum.

| Framework (current version) | Core policies / procedures | Key register / workbook | Structural facts |
| --- | --- | --- | --- |
| ISO/IEC 27001:2022 | 24 (complete) / 16 (core) | Risk register + 93-control Statement of Applicability | Clauses 4–10; 93 Annex A controls in 4 themes |
| SOC 2 (AICPA TSC) | 22 (complete) / 15 (core) | Control–TSC mapping | No fixed control list; you define controls to the Trust Services Criteria |
| HIPAA Security & Privacy Rules | 18 | Security Risk Assessment workbook | Self-attested; OCR-enforced; no official certification |
| GDPR (Reg. 2016/679) | 14 | Records of Processing Activities (Art. 30) | Accountability principle, Art. 5(2) |
| NIST CSF 2.0 | 15 | Profile & Assessment workbook | 6 Functions · 22 Categories · 106 Subcategories |
| ISO/IEC 42001:2023 | 14 | Annex A Statement of Applicability + AI risk register | Clauses 4–10; 38 Annex A reference controls |
| AI Governance (EU AI Act + NIST AI RMF) | 10 | AI risk register | EU AI Act = Reg. 2024/1689; 4 risk tiers |
| WISP (FTC Safeguards, 16 CFR 314) | 9 | Risk assessment workbook | Implements GLBA; IRS Pub 4557/5708 |

Counts are the typical full documentation set ComplianceDocs ships for each framework; your required set varies with scope. No document set, by itself, makes an organization certified or compliant.

How to read these counts

A higher document count is not “more compliant” — it reflects how a framework is structured. ISO 27001 and ISO 42001 are management-system standards, so they include a fixed clause structure plus a Statement of Applicability. SOC 2 has no fixed control list at all: you define controls that meet the Trust Services Criteria, then a CPA firm examines them. HIPAA, GDPR, NIST CSF and the WISP are operated and self-attested rather than certified. Match the toolkit to your framework below; each ships the register or workbook named in the table.

Frequently asked questions

How many policies does ISO 27001 require?
A complete ISO/IEC 27001:2022 set is about 24 policies and procedures, plus a risk register and the 93-control Statement of Applicability. A lean core starter set is around 16 policies. The exact number depends on your ISMS scope and which Annex A controls you apply.
What documents are in a SOC 2 audit?
SOC 2 has no fixed control list. A working set is around 22 policies mapped to the AICPA Trust Services Criteria, plus a control-to-criteria mapping. You define the controls that satisfy the criteria in your audit scope, and a licensed CPA firm examines them.
How many subcategories are in NIST CSF 2.0?
NIST CSF 2.0 has 106 Subcategories, organized under 22 Categories and 6 Functions — Govern, Identify, Protect, Detect, Respond and Recover. It is a voluntary framework you self-assess against, not a certification.


Toolkits that help

ISO/IEC 27001:2022

ISO 27001 Complete Toolkit

All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.

$99 (30% off with code)
SOC 2 Trust Services Criteria

SOC 2 Complete Toolkit

22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.

$99 (30% off with code)
HIPAA Security & Privacy Rules

HIPAA Compliance Toolkit — Medical Practices

18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.

$79 (30% off with code)
EU GDPR

GDPR Compliance Pack for Small Business

14 editable GDPR documents — privacy notices, DSAR procedure, DPIA, breach response, processor DPA checklist — plus a pre-filled Records of Processing Activities (Art. 30) workbook and evidence checklist.

$79 (30% off with code)
NIST CSF 2.0

NIST CSF 2.0 Complete Toolkit

15 editable policies and plans covering all six CSF 2.0 functions, plus a Profile & Assessment workbook with every one of the 106 subcategories, a risk register, and an audit evidence checklist.

$79 (30% off with code)
ISO/IEC 42001:2023 AI Management System

ISO 42001 AI Management System Toolkit

14 editable ISO/IEC 42001:2023 policies and procedures — impact assessments, AI lifecycle, data governance, third-party AI — plus the Annex A Statement of Applicability, an AI risk register, and an audit evidence checklist.

$99 (30% off with code)
AI Governance (EU AI Act + NIST AI RMF)

AI Governance Policy Pack

10 editable AI policies — including an employee AI use policy and an AI risk register — aligned to the EU AI Act and NIST AI RMF. Govern workplace AI before regulators and clients ask.

$49 (30% off with code)
FTC Safeguards Rule + IRS Pub 4557 (WISP)

WISP Toolkit for Tax Professionals

Complete Written Information Security Plan package for tax preparers, CPAs and accounting firms — FTC Safeguards Rule (16 CFR 314) crosswalk, IRS Pub 4557-aligned policies, risk assessment workbook, training logs and incident response — everything Pub 5708 doesn't operationalize.

$59 (30% off with code)


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.