Is the size of the company a mandatory record in ISO 27001?


In ISO 27001, the size of the company is not a mandatory record. The standard focuses on establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) tailored to the specific needs and context of the organization. Larger organizations may have more complex environments to manage, but ISO 27001 is written to be scalable, so organizations of any size and type can conform to it and be certified against it.

The standard does require organizations to understand their context, assess their information security risks, and determine appropriate controls, but it does not specify that the size of the organization must be recorded as part of the ISMS documentation. What it does require is a defined set of documented information, for example the ISMS scope, the information security policy, the information security objectives, the results of risk assessments and risk treatment, the Statement of Applicability, and the results of internal audits and management reviews. Beyond that set, organizations document only what they themselves determine is necessary for the ISMS to be effective, which is what lets a small organization implement the standard without being burdened by records it does not need.
