ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
 

The standard is structured into mandatory clauses (4–10) and security controls listed in Annex A.

 

1. Clauses 4–10 (Mandatory ISMS Requirements)

These clauses define how an organization must operate its security management system.

Clause 4 — Context of the Organization

Organizations must understand their environment and define the scope of the ISMS.

Requirements

• Identify internal and external issues affecting information security.

• Identify interested parties (customers, regulators, partners).

• Determine information security requirements of those parties.

• Define the scope of the ISMS.

• Establish the ISMS framework.

Evidence typically required

• ISMS scope statement

• Stakeholder register

• External/internal issues assessment

Clause 5 — Leadership

Top management must demonstrate commitment to information security.

Requirements

• Establish an information security policy

• Assign roles and responsibilities

• Ensure security objectives align with business strategy

• Provide resources for the ISMS

Evidence

• Security policy

• Organizational roles matrix

• Management commitment statements

Clause 6 — Planning

Organizations must plan how they will manage information security risks.

Requirements

• Establish a risk assessment methodology

• Conduct information security risk assessments

• Identify risk treatment options

• Produce a Statement of Applicability (SoA)

Core Outputs

• Risk register

• Risk treatment plan

• Statement of Applicability (Annex A control selection)

Clause 7 — Support

Ensures the organization has the resources needed to run the ISMS.

Requirements

• Provide training and awareness

• Maintain documented information

• Manage communication processes

• Ensure staff competence

Evidence

• Training records

• Document control procedures

• Awareness programs

Clause 8 — Operation

Execution of the ISMS and risk treatment plans.

Requirements

• Implement security controls

• Manage operational security processes

• Conduct risk assessments when changes occur

• Maintain evidence of control operation

Examples

• Incident management

• Access management

• Secure development practices

Clause 9 — Performance Evaluation

Organizations must measure whether the ISMS is effective.

Requirements

• Conduct internal audits

• Monitor security performance

• Conduct management reviews

Evidence

• Audit reports

• Security metrics dashboards

• Management review minutes

Clause 10 — Improvement

Organizations must continually improve their security posture.

Requirements

• Correct nonconformities

• Implement corrective actions

• Improve the ISMS over time

Evidence

• Corrective action logs

• Improvement plans

 

2. Annex A Controls (ISO 27001:2022)

Annex A contains 93 security controls grouped into four domains.

These controls are not mandatory by default but must be evaluated and justified in the Statement of Applicability.

A. Organizational Controls (37)

Governance and management of information security.

Examples:

• Information security policies

• Security roles and responsibilities

• Asset management

• Supplier security

• Threat intelligence

• Business continuity planning

Key Controls

• A.5.1 Information security policies

• A.5.7 Threat intelligence

• A.5.19 Supplier security

• A.5.30 ICT readiness for business continuity

B. People Controls (8)

Security responsibilities of personnel.

Examples:

• Background checks

• Security awareness training

• Acceptable use policies

• Disciplinary procedures

Key Controls

• A.6.3 Information security awareness

• A.6.6 Confidentiality agreements

• A.6.8 Information security event reporting

C. Physical Controls (14)

Protection of physical environments and equipment.

Examples:

• Secure office areas

• Physical entry controls

• Equipment protection

• Environmental monitoring

Key Controls

• A.7.1 Physical security perimeters

• A.7.4 Physical security monitoring

• A.7.9 Security of assets off-premises

D. Technological Controls (34)

Technical safeguards protecting information systems.

Examples:

• Identity and access management

• Encryption

• Logging and monitoring

• Secure configuration

• Vulnerability management

Key Controls

• A.8.2 Privileged access management

• A.8.9 Configuration management

• A.8.16 Monitoring activities

• A.8.24 Use of cryptography

 

3. Required ISO 27001 Documentation

Typical documents required during certification include:

Governance

• Information Security Policy

• ISMS Scope

• Roles and Responsibilities

Risk Management

• Risk Assessment Methodology

• Risk Register

• Risk Treatment Plan

• Statement of Applicability

Operational Security

• Access Control Policy

• Incident Response Plan

• Asset Management Policy

• Supplier Security Policy

Audit & Improvement

• Internal Audit Procedure

• Management Review Records

• Corrective Action Records

 

4. ISO 27001 Certification Process

1. Gap Analysis

2. ISMS Implementation

3. Internal Audit

4. Stage 1 Audit (documentation review)

5. Stage 2 Audit (operational audit)

6. Certification

7. Annual surveillance audits

Certification is typically valid for 3 years.

 

5. Relationship to Other Frameworks

ISO 27001 aligns with:

• ISO/IEC 27002

• NIST Cybersecurity Framework

• SOC 2

• General Data Protection Regulation

 

This makes it a global baseline security framework used by governments, cloud providers, fintech companies, and SaaS firms.

​