ISO/IEC 27001: Standard Structure and Requirements

Clause 4 requires the organisation to understand its context before designing any controls. This means identifying internal factors (business strategy, organisational structure, contractual obligations, technology environment) and external factors (the regulatory environment, the threat environment, supply chain dependencies, sector expectations). It also requires identifying interested parties, which include regulators, customers, insurers, and partners, and determining what their requirements are. From this analysis, the organisation defines the scope of the ISMS: which parts of the organisation, which assets, which processes, and which locations are included.

Scope definition is one of the most consequential decisions in an ISMS. A scope that is too narrow may exclude the highest-risk systems; a scope that is too broad may make the ISMS unmanageable. Certification bodies audit the scope boundary carefully: if a critical processing system is excluded without justification, an auditor may treat this as a nonconformity.

Clause 5 addresses leadership. Top management must demonstrate commitment by establishing the information security policy, assigning roles and responsibilities, and ensuring the ISMS receives the resources it needs. The information security policy required by Clause 5.2 is not a set of technical configuration rules; it is a short statement of management intent that commits the organisation to protecting information, meeting applicable requirements, and continually improving. Clause 5.3 requires that roles relevant to the ISMS be assigned and communicated throughout the organisation.

Clause 6 is the planning clause. It has two main requirements: risk assessment (Clause 6.1.2) and risk treatment (Clause 6.1.3), plus the requirement to set measurable information security objectives (Clause 6.2). The standard does not prescribe a risk assessment method. It requires that the method produce consistent, valid, and comparable results, that it identify risks associated with the loss of confidentiality, integrity, and availability of information within scope, that risk owners be assigned, and that the likelihood and consequences of each risk be analysed.

Risk treatment (Clause 6.1.3) requires the organisation to select options for treating each risk: modifying the risk (by applying controls), avoiding it (by deciding not to carry out the risk-creating activity), sharing it (through insurance or contractual transfer), or retaining it (accepting the risk without action). For risks that are to be modified, the organisation selects controls. At this point Annex A must be referenced: the organisation must compare its chosen controls against Annex A to confirm that no necessary controls have been omitted, and must document this in the Statement of Applicability.

Clause 8 is the operational counterpart to the planning clause: it requires the organisation to implement and control the processes needed to carry out what was planned, and to retain documented information demonstrating that the processes have been carried out as planned. This is where risk assessments are run and risk treatment plans are executed, not just written.

Clause 7 covers the resources and infrastructure that allow the ISMS to function. It has five sub-clauses. Clause 7.1 requires adequate resources. Clause 7.2 requires that people doing ISMS work are competent, with documented evidence of competence (qualifications, training records). Clause 7.3 requires that people are aware of the information security policy, their contribution to ISMS effectiveness, and the implications of not conforming. Clause 7.4 sets requirements for internal and external communication about the ISMS.

Clause 7.5 governs documented information, the standard's term for records and documents. The ISMS must maintain documented information required by the standard (explicitly listed items include the scope, the policy, the risk assessment results, the risk treatment plan, the SoA, and several others) and retain documented information as evidence that processes have been executed. This distinction between maintaining a document and retaining a record is important in audits: an auditor asking to see evidence of an internal audit expects records, not a policy saying internal audits will be conducted.

Clause 9 closes the Check phase of the PDCA cycle. It requires three things. First, monitoring and measurement (Clause 9.1): the organisation must define what it will measure, by what methods, when, and who will analyse and communicate the results. The standard does not specify metrics; the organisation chooses them. Common choices include the number of incidents per period, time-to-patch for critical vulnerabilities, and percentage of staff completing security awareness training.

Second, internal audit (Clause 9.2): the organisation must conduct internal audits at planned intervals to determine whether the ISMS conforms to its own requirements and to the standard's requirements, and whether it is effectively implemented. Internal auditors must be objective and impartial, which means they cannot audit their own work. The audit programme must cover the entire ISMS scope over a defined cycle. Internal audit findings feed directly into the third element.

Third, management review (Clause 9.3): top management must review the ISMS at planned intervals. The inputs to this review are specified: audit results, the status of previous nonconformities and corrective actions, monitoring and measurement results, feedback from interested parties, and any changes in external and internal issues. The outputs must include decisions on continual improvement opportunities and any needed changes to the ISMS. Management review minutes, with these inputs and outputs documented, are standard audit evidence.

Clause 10 is the Act phase. When a nonconformity occurs (a failure to meet a requirement, whether from the standard or from the organisation's own ISMS policies), the organisation must react to it, evaluate the need to eliminate its root cause, implement any needed corrective action, and verify that the corrective action was effective. Documented information on all nonconformities and corrective actions must be retained.

Clause 10.2 requires continual improvement: the organisation must continuously improve the suitability, adequacy, and effectiveness of the ISMS. This clause is intentionally brief because the mechanisms for identifying and implementing improvements are embedded in Clauses 6, 7, 8, and 9. The practical effect is that each management review should produce documented decisions about what will be improved, and those decisions must be traceable through to implementation.

ISO/IEC 27001 is the certifiable standard. It specifies what an organisation must do at the management system level: define scope, assess risk, treat risk, monitor performance, and improve. Its Annex A provides a reference list of 93 controls. The standard does not tell implementers how to set up an access control system or how to configure a firewall; it tells them that they must select and implement appropriate controls based on risk and verify their effectiveness.

ISO/IEC 27002:2022 is the implementation guide for those 93 controls. For each control, it provides the purpose, implementation guidance, and other information such as related controls and mapping notes. It is structured to mirror Annex A: the same four themes and 93 controls in the same order. An implementer who needs to know how to implement Control 5.15 (Identity management) or Control 8.5 (Secure authentication) reads the corresponding ISO 27002 clause for detailed guidance.

In practice, organisations implement controls by using 27002 as a checklist and design guide, then demonstrate conformance to 27001 in their certification audit. See ISMS Scope and Implementation for the practical sequencing of these activities, and ISO 27001 Certification and Surveillance for what happens during Stage 1 and Stage 2 audits.