Join the thousands of companies using Secureframe

The official ISO/IEC 27001:2017 standards document is broken into several sections, called clauses, and appendices called annexes. The ones you need to know about are clauses 4-10 and Annex A.

Clauses 4-10 list every requirement an information security management system (ISMS) must meet before it can be ISO 27001 certified. Annex A lists 114 security controls that an organization can implement to meet those requirements. 

In this article, we’ll go through the clauses. For details on the security controls of Annex A, check out our article on ISO 27001 controls.

Clause 4: Context of the organization

The ISMS should document what it’s supposed to be doing. 

Why are there information assets under the care of your company in the first place, and what do you use them for?

The auditor can only make an accurate assessment of the effectiveness of your ISMS once they understand its goals. A company that manages customer names in a guest registry needs a very different ISMS than a firm that collects social security numbers for tax services.

To meet the requirements of Clause 4, document what your organization does, what customers need from you, and the scope of your ISMS.

Clause 5: Leadership

For an ISMS to be effective, it has to have the full support of senior management. 

ISO 27001 auditors need to know that senior leaders feel accountable for the success of the ISMS. It’s also vital that they feel bound by it and don’t believe their executive roles place them above ISMS policies.

If senior managers aren’t directly involved, dedicated leaders should be assigned to monitor, test, and improve information security processes. There cannot be any doubt about who is responsible for each aspect of the ISMS.

Clause 6: Planning

Clause 6 deals with risk management. Documentation should show:

  • How you identify and analyze each information security risk
  • Your process for choosing how to respond to each risk
  • What risk avoidance, tolerance, and mitigation look like for your team

Clause 6 is also about opportunity. In addition to mitigating risks, one ISO 27001 requirement is that you must name goals for your ISMS and make plans to achieve them. To meet Clause 6 requirements, you need to be able to define success for your ISMS.

Clause 7: Support

Reaching the level of sophistication that ISO 27001 requires from an ISMS demands a lot of support. Clause 7 entails the creation of a plan to ensure support resources will always be available.

Chief among those resources is human expertise. Any time your organization is working with customer data, somebody needs to be on hand who understands how the ISMS works in the appropriate context.

Clause 7 also details one of the crucial requirements of ISO 27001: a communication system. The people responsible for information security must have dedicated, always-open channels to discuss implementing and improving ISMS policies.

Clause 8: Operations

Clause 6 is about risk assessment and analysis. Clause 8 builds on those requirements to discuss how risk assessments are implemented.

To meet the requirements in Clause 8, build on your work from Clauses 6 and 7. Clause 8’s documentation pulls together the elements laid out in Clauses 6 and 7 into a coherent, start-to-finish plan.

Clause 9: Performance evaluations

The final two clauses, 9 and 10, are a matched set. They require you to document how you plan to continually improve your organization’s ISMS. 

Clause 9 deals with monitoring. To start, you’ll need to document how you measure the effectiveness of your ISMS and how to know if you’re getting reliable results. Processes like penetration testing often make an appearance here.

You’ll also need a plan for conducting internal audits to ensure you remain ISO 27001 compliant after your certification audit is complete.

Clause 10: Continuous Improvement

Clause 10 is all about damage control. How do you react if you spot a nonconformity in your ISMS (defined as any failure to follow established ISMS policies)?

A nonconformity could be the result of simple human error. It could also come from a hostile outsider attempting to steal data from your system. To effectively head off risks, you need a consistent plan for dealing with an aberration.

Once you’ve resolved an issue, how do you shore up the system, so it doesn’t happen again? A certifiable ISMS must be in a constant state of growth and improvement.

ISO 27001:2002: Updates to Annex A

An update to the ISO 27001 standard was officially published in October 2022, titled ISO/IEC 27001:2022 Information Security, Cybersecurity, and Privacy Protection. The updates in the ISMS Clauses 4-10 include minor wording and structural changes. 

For example, changes to Clause 6: Planning remove ambiguity and outdated language (i.e., control objectives). 

In terms of structural changes, Clause 9.2: Internal audit was split into 9.2.1: General and 9.2.2: Internal audit programme. However, the requirements remain the same. 

Similarly, Clause 9.3: Management review was split into three subsections — 9.3.1: General, 9.3.2: Management review inputs, and 9.3.3: Management review results.  The 2022 version also introduces a new Clause 6.3: Planning for Changes.

prevAn Introduction to the ISO 27001 ISMSWhat Are ISO 27001 Controls? A Guide to Annex Anext