Cyberzoni ISO 27001

The Complete ISO/IEC 27001 Clauses Overview

ISO/IEC 27001:2022 is structured into 10 main clauses, of which clauses 4 through 10 contain the mandatory requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).


Mandatory ISO/IEC 27001 Clauses

Each of the seven clauses (4 to 10) addresses a critical aspect of managing information security, from setting the organizational context and securing leadership commitment to the ongoing evaluation and improvement of the ISMS.

The 2022 revision of ISO 27001 introduced only minor wording and structural updates to these clauses (e.g., a new sub-clause 6.3 on planning of changes, and some splitting and reordering of sub-clauses) without altering their fundamental requirements. This means organizations transitioning from ISO 27001:2013 to 2022 do not face substantially new obligations in clauses 4-10, but should note the clarifications (such as an added focus on process interactions, control of externally provided services, and change management).

These clauses are mandatory for certification, serving as a blueprint for compliance officers, consultants, CISOs, and CEOs to build and assess an effective ISMS.

Below is a clause-by-clause guidance on ISO 27001’s requirements, explaining what each clause entails, how to address it, recent updates in the 2022 edition, and how each contributes to a robust security management program.

Clause 4: Context of the Organization

Clause 4 sets the stage for your ISMS by requiring a clear understanding of internal and external context, along with the needs of interested parties, to define the scope of the ISMS.

In practice, this means an organization must identify factors such as regulatory, market, and technological conditions (external context), as well as its own organizational structure, culture, and capabilities (internal context). It also must determine who the stakeholders are (e.g., customers, regulators, partners) and what their information security expectations or requirements may be. Not every stakeholder demand can be addressed, so ISO 27001:2022 explicitly added a requirement to decide which of these requirements will be addressed through the ISMS. Based on all this, the organization defines the scope of its ISMS (which parts of the business and what information assets are covered).

A well-defined scope and context ensure that security efforts are focused and relevant. For example, a small SaaS startup and a global bank will have very different contexts and interested parties – Clause 4 ensures each tailors the ISMS appropriately. Key activities for Clause 4 include:

  • Identify internal/external issues: Use techniques like PESTLE analysis (Political, Economic, Social, Technological, Legal, Environmental) to map out factors that could affect your information security.
  • Understand interested parties: List the stakeholders and their relevant requirements (e.g., legal/regulatory obligations, contractual security clauses from clients). Decide which requirements will be fulfilled via your ISMS.
  • Define the ISMS scope: Clearly document which organizational units, sites, processes, and assets are included in (or excluded from) your ISMS. This scope statement becomes a cornerstone document for audits, since auditors can only assess the ISMS effectiveness once its boundaries and objectives are understood.

Clause 4 Guidance

When handling Clause 4, be thorough and honest about your context. Document the business environment, threats, and opportunities.

A tip is to create a Context Analysis document capturing internal/external issues and a list of stakeholder needs.

This will feed into risk assessment later. Ensure top management approves the defined scope – it should align with business objectives and legal requirements.

Clause 4 requirements are not optional; they form the foundation of the ISMS against which all other controls and processes will be aligned. A poorly defined context or scope can lead to gaps in your ISMS, so invest time here to “know thy organization” before moving forward.

Clause 5: Leadership

Clause 5 emphasizes that an ISMS must have strong leadership and commitment from top management. The idea is that information security should be embedded in the organization’s culture and strategic direction, not treated as just an IT issue. Top management (the person or group that directs and controls the organization at the highest level) is accountable for the ISMS’s effectiveness and must demonstrate support in tangible ways. Specifically, ISO 27001 requires leadership to:

  • Establish an information security policy: A high-level policy, approved by top management, should define the organization’s commitment to information security and set overall objectives. This policy needs to align with organizational goals and regulatory requirements, and it must be communicated within the organization.
  • Assign roles and responsibilities: Leadership ensures that roles relevant to the ISMS are assigned to competent people and that those individuals have the authority to perform their duties. Everyone should know who the CISO or security officer is, who handles risk assessments, etc. (and in ISO 27001:2022 this was clarified to be “within the organization,” meaning internal assignment and awareness are key).
  • Provide resources and remove roadblocks: Top management must allocate sufficient resources (budget, personnel, tools) for the ISMS. They should also promote a culture that values security – for instance, by integrating ISMS objectives into business processes and not penalizing those who raise security concerns.
  • Demonstrate and communicate support: Leaders should lead by example, comply with security policies themselves, and reinforce the importance of security to all staff. Auditors will look for evidence of this commitment, such as signed policies, records of management reviewing ISMS performance, and security being a standing agenda item in executive meetings. They want to see that the ISMS is not just an “IT project” but has oversight at the highest level.

Clause 5 is about accountability and governance. Leadership should create an environment where security objectives are set and achieved.

Clause 5 Guidance

Ensure you have an “Information Security Policy” document that is approved by the CEO or equivalent. Maintain an org chart or RACI matrix showing ISMS roles (who is responsible for incident response, who manages risk, etc.). Have top management actively participate in the ISMS – e.g., they might issue a mission statement about security, allocate budget during planning, and attend periodic ISMS review meetings. The 2022 update of ISO 27001 made only slight editorial tweaks in this clause (the long-standing note that “business” in this context means the activities that are core to the organization’s existence is unchanged in substance; the main textual change is that role assignment is now explicitly “within the organization”), so the essence remains: without true leadership buy-in, an ISMS will likely fail. All requirements in Clause 5 are mandatory – an organization cannot achieve certification if its leadership doesn’t actively support and govern the ISMS.

Clause 6: Planning

Clause 6 deals with planning the ISMS and is heavily focused on risk management and security objectives. The organization must systematically identify and address information security risks and opportunities as part of its ISMS planning. There are several sub-components here:

6.1 – Actions to address risks and opportunities: This requires a risk assessment process and a risk treatment process. In practical terms:

  • Risk Assessment (6.1.2): Identify information security risks (the asset/threat/vulnerability approach is common and acceptable, but the standard does not prescribe it; it requires that you identify risks associated with the loss of confidentiality, integrity and availability of information within the ISMS scope), then analyze and evaluate the associated risks. You should establish risk criteria (what level of risk is acceptable versus what requires treatment) and ensure the method is repeatable and produces consistent, valid and comparable results. The output is typically a list of risks ranked by severity, each with an identified risk owner.
  • Risk Treatment (6.1.3): Decide how to respond to each unacceptable risk – e.g., mitigate it by applying controls, transfer it (insurance or outsourcing), accept it, or avoid it. ISO 27001 expects you to select appropriate controls to treat risks. Many controls will come from Annex A of the standard, but you can use other controls too; the 2022 update rephrased Annex A’s role as a list of possible controls rather than an exhaustive set. You must then produce a Statement of Applicability (SoA) that lists all controls you consider necessary (referencing Annex A) and justify any exclusions. The SoA is a crucial document that links your risk assessment to the controls you implement. Finally, formulate a risk treatment plan describing how and by when the chosen controls will be implemented, and get risk owners’ approval of the plan (including acceptance of any residual risks).

ISO 27001:2022 kept these risk process requirements largely the same as the 2013 version, with a few wording updates for clarity (e.g., removing the term “control objectives” and rewording the Statement of Applicability requirement, which continues to demand a justification for any Annex A control you exclude).
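The following Python is an added illustration, not code from this page, from the standard, or from any ISO toolkit. It models the 6.1 steps just described as a small risk register: risk criteria (a 5x5 likelihood-by-impact scale with an acceptance threshold of 10, both assumed), ranking, a treatment decision with residual risk and risk-owner approval, and a Statement of Applicability derived from the risk-to-control links plus any non-risk obligations. The sample risks, their scores and their mapping to controls are constructed; the Annex A numbers are real ISO/IEC 27001:2022 identifiers but the selection is purely illustrative.

```python
"""Minimal ISO 27001 Clause 6.1 risk register (added example, assumptions noted inline)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Assumed risk criterion: inherent score = likelihood * impact on 1..5 scales;
# anything scoring 10 or more is not acceptable and must be treated.
ACCEPTANCE_THRESHOLD = 10


class Treatment(str, Enum):
    MITIGATE = "mitigate"   # apply controls (Annex A or elsewhere)
    TRANSFER = "transfer"   # insurance, outsourcing
    ACCEPT = "accept"       # risk owner formally accepts it
    AVOID = "avoid"         # stop the activity that creates the risk


@dataclass
class Risk:
    rid: str
    description: str
    owner: str                      # risk owner who approves the plan (6.1.3 f)
    likelihood: int                 # 1..5
    impact: int                     # 1..5
    treatment: Optional[Treatment] = None
    controls: List[str] = field(default_factory=list)     # e.g. "A.8.5"
    residual: Optional[Tuple[int, int]] = None            # (likelihood, impact) after treatment
    owner_accepted: bool = False    # owner approved plan and residual risk

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.rid}: likelihood/impact must be 1..5")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        lik, imp = self.residual if self.residual else (self.likelihood, self.impact)
        return lik * imp

    def needs_treatment(self) -> bool:
        return self.inherent_score >= ACCEPTANCE_THRESHOLD


def rank(risks: List[Risk]) -> List[Risk]:
    """Risk evaluation output: highest inherent score first, stable by id."""
    return sorted(risks, key=lambda r: (-r.inherent_score, r.rid))


def check_treatment_plan(risks: List[Risk]) -> List[str]:
    """Findings an internal auditor would raise against the risk treatment plan."""
    findings = []
    for r in risks:
        if not r.needs_treatment():
            continue                                   # acceptable by criteria, no plan needed
        if r.treatment is None:
            findings.append(f"{r.rid}: above threshold but no treatment option decided")
        elif r.treatment is Treatment.MITIGATE and not r.controls:
            findings.append(f"{r.rid}: 'mitigate' chosen but no controls selected")
        if not r.owner_accepted:
            findings.append(f"{r.rid}: treatment plan not approved by risk owner {r.owner}")
        if r.residual_score >= ACCEPTANCE_THRESHOLD and r.treatment is not Treatment.ACCEPT:
            findings.append(f"{r.rid}: residual score {r.residual_score} still above threshold")
    return findings


def statement_of_applicability(risks: List[Risk], catalogue: List[str],
                               mandated: Optional[Dict[str, str]] = None) -> Dict[str, dict]:
    """Every catalogue control is either applicable (with the reason) or excluded with justification."""
    mandated = mandated or {}            # control -> legal/contractual reason not tied to a risk
    soa = {}
    for ctl in catalogue:
        linked = sorted(r.rid for r in risks if ctl in r.controls)
        if linked:
            soa[ctl] = {"applicable": True, "justification": "treats " + ", ".join(linked)}
        elif ctl in mandated:
            soa[ctl] = {"applicable": True, "justification": mandated[ctl]}
        else:
            soa[ctl] = {"applicable": False,
                        "justification": "no identified risk or obligation requires this control"}
    return soa


# Constructed sample data (not from any real assessment).
SAMPLE_RISKS = [
    Risk("R1", "Phished credentials used for remote access", "Head of IT", 4, 4,
         Treatment.MITIGATE, ["A.5.17", "A.8.5", "A.6.3"], residual=(2, 4), owner_accepted=True),
    Risk("R2", "Ransomware destroys production data", "CTO", 3, 5,
         Treatment.MITIGATE, ["A.8.13"], residual=(3, 2), owner_accepted=True),
    Risk("R3", "Laptop lost in transit (disk encrypted)", "Office Manager", 3, 2),
    Risk("R4", "Cloud provider outage", "CTO", 3, 4,
         Treatment.TRANSFER, [], residual=(3, 4), owner_accepted=False),
]
CATALOGUE = ["A.5.17", "A.6.3", "A.7.8", "A.8.5", "A.8.13", "A.8.30"]   # illustrative subset of Annex A
MANDATED = {"A.7.8": "required by hosting contract (constructed example)"}

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(r.rid, r.inherent_score, "->", r.residual_score, r.treatment)
    print(check_treatment_plan(SAMPLE_RISKS))
    print(statement_of_applicability(SAMPLE_RISKS, CATALOGUE, MANDATED))
```

On the sample data R4 is the only risk that fails the plan check: its residual score of 12 is unchanged by the transfer decision and its owner has not signed off, which is exactly the kind of gap a certification auditor looks for when tracing a risk from the register to the SoA. The SoA builder shows the two legitimate reasons a control is applicable (it treats a risk, or an external obligation requires it) and records a justification for every exclusion.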

6.2 – Information security objectives: Clause 6 also requires setting security objectives at relevant functions and levels. Objectives should be consistent with the security policy and broader business goals. For example, objectives might be “Reduce average incident response time to under 24 hours” or “Train all employees in security awareness by Q4”. Objectives must be measurable and accompanied by plans for how to achieve them. ISO 27001:2022 added two bullet points here: objectives must be monitored, and they must be available as documented information (communicating them and updating them as appropriate were already required in 2013). In short, treat security objectives like you would treat business KPIs: they need owners, deadlines, and metrics. (Tip: Use the SMART criteria – Specific, Measurable, Achievable, Relevant, Time-bound – when defining ISMS objectives, as auditors will look for clarity rather than vague aspirations.)

6.3 – Planning of changes: A notable addition in ISO 27001:2022 is Clause 6.3, which explicitly requires organizations to plan changes to the ISMS in a controlled manner. This means if you decide to make adjustments – whether it’s adopting a new security tool, expanding the ISMS scope to a new location, or updating a policy – those changes should not be ad-hoc. You need to consider the purpose of the change, the potential impacts, resource needs, schedule, etc., and ensure changes are implemented with minimal disruption to the ISMS. In essence, treat ISMS modifications as you would changes in any managed process (similar to change management in ITIL or ISO 9001 quality systems).

Clause 6 Guidance

To implement Clause 6 effectively, maintain a documented Risk Assessment Procedure and perform risk assessments at planned intervals (e.g., annually) and whenever significant changes are proposed or occur (a requirement stated explicitly in Clause 8.2). Keep a Risk Register or risk assessment report as evidence. Also, maintain a Risk Treatment Plan and the Statement of Applicability – these will be closely examined by auditors. For security objectives, create an ISMS Objectives Plan that lists each objective, how it will be achieved, by whom, and how progress is measured. Monitor these objectives regularly (at least annually, typically as an input to the management review in Clause 9) and update them as appropriate – monitoring is now an explicit requirement of the 2022 edition. All planning outputs (risk assessment results, treatment plans, objectives, change plans) should be retained as documented information. This clause is inherently mandatory – you cannot claim ISMS compliance without doing risk management and planning. It’s the “Plan” part of the Plan-Do-Check-Act cycle, so give it sufficient attention and ensure it’s well-documented and approved by management.

Clause 7: Support

Clause 7 is all about ensuring your ISMS has the necessary resources and support to operate effectively. Even a well-planned ISMS (from Clause 6) will fail if it’s not properly resourced and embedded into organizational practices. Key aspects of Clause 7 include:

  • Resources (7.1): The organization must provide adequate resources for the ISMS. This isn’t just budget, but also people (competent staff or external experts) and infrastructure/tools. For instance, you might need to invest in security training platforms, vulnerability management software, or even additional headcount in the IT security team. Top management’s commitment (from Clause 5) is put into action here by funding and staffing the ISMS.
  • Competence (7.2): Persons performing work that affects the ISMS must be competent. This means you should determine what skills are needed (for example, risk assessment skills, incident response skills, secure coding knowledge for developers, etc.), evaluate your staff against these needs, and then fill the gaps via training, hiring, or mentoring. ISO 27001 expects you to retain evidence of competence and training – e.g., keep records of training sessions, certifications, or experience for individuals in ISMS roles. The 2022 update simply changed “may include” to “can include” in the guidance note about training methods, so the requirement remains: ensure all relevant personnel are qualified and keep proof (this demonstrates due diligence).
  • Awareness (7.3): Staff must be aware of the ISMS policies, their own security responsibilities, the impact of their actions on information security, etc. A common practice is to run ongoing security awareness programs for all employees and specialized training for certain roles. Everyone in scope should know that the ISMS exists and why security is important.
  • Communication (7.4): You need to establish processes for internal and external communications relevant to the ISMS. This involves deciding what you will communicate, when, who will receive the communication, and how (the channels). For example, internally you might set up a process to report security incidents or to circulate monthly security metrics to management; externally you might have a procedure for responsible disclosure or notifying customers of breaches. ISO 27001:2022 simplified the communication clause by removing some redundant sub-points (like eliminating a subclause about “who shall communicate”) to focus on ensuring the needed communications are determined. The essence is to avoid ad-hoc communication – instead, plan out how vital information (security policies, incident reports, alerts, etc.) flows to the right stakeholders in a timely manner.
  • Documented Information (7.5): This clause covers documentation requirements. Your ISMS will involve documents and records (policies, procedures, risk assessments, plans, logs, reports, etc.). ISO 27001 requires that documented information required by the standard and the ISMS be controlled. This means having controls for document approval, version control, access, storage, retention and disposal, and making sure documents are available where needed. In short, manage your ISMS documents properly so that people can rely on them and auditors can verify them. The standard doesn’t dictate a specific format – you can have digital or paper documents, use SharePoint or Google Drive, etc., as long as they are controlled. In the 2022 update, the terminology was just updated to replace “International Standard” with “document” in these references, with no new requirements added.

Clause 7 Guidance

To fulfill Clause 7, conduct a resource assessment – ensure you have sufficient and qualified personnel. If you are a small company, this might mean assigning an existing staff member to multiple ISMS roles, but ensure they are trained (e.g., send them to ISO 27001 lead implementer training or get a consultant’s help). Maintain a Training and Competence matrix that lists key roles and the evidence of their training and skills. For awareness, implement regular security awareness training (e.g., annual e-learning for all staff, phishing drills, posters, newsletters). Have a Communication Plan or at least documented procedures for things like incident reporting (how employees report issues), escalation contacts, and external communications (who speaks to regulators or media if needed). Also, create and maintain the required documentation: at minimum, ISO 27001 expects certain documents such as the security policy, scope, SoA, risk assessment/treatment documents, evidence of operational controls, audit programmes, etc. Consider using a documentation toolkit or a SharePoint site to organize these and apply document control (with clear owners and revision history). Since Clause 7’s elements (resources, competence, awareness, communication, documentation) are all enablers for the ISMS, they are absolutely required – an auditor will check, for example, that people working on the ISMS are indeed competent and that important ISMS documents are up-to-date and controlled.

Clause 8: Operation

Clause 8 is the “Do” phase of the ISMS – it focuses on the execution of plans and processes to achieve information security objectives. In Clause 8, the organization must carry out the risk treatment plans and other necessary operational actions identified in Clause 6, under controlled conditions.

The clause is short but vital: 8.1 Operational planning and control is about implementing the processes needed to meet information security requirements and to act on the risks and opportunities identified earlier. In practice, Clause 8 involves:

  • Executing Risk Treatment: Take the list of risk treatments (security controls) from Clause 6 and implement them. For example, if one risk treatment was “implement multi-factor authentication (MFA) for all remote logins,” Clause 8 is where you actually roll out MFA technology and enforce it. The organization should establish criteria for these processes and controls (e.g. define what “successful implementation” means, what procedures to follow, etc.) and then perform them in accordance with those criteria. The 2022 update clarified that organizations need to determine criteria for the processes addressing risks and ensure the controls are applied according to those criteria – essentially reinforcing a consistent, planned approach to operations.
  • Managing Changes and Externally Provided Processes: Clause 8.1 also explicitly requires controlling planned changes, reviewing the consequences of unintended changes, and controlling externally provided processes. ISO 27001:2022 broadened the wording here from “outsourced processes” to “externally provided processes, products or services that are relevant to the ISMS.” That means if you outsource IT hosting to a cloud provider or use a third-party data processor, you need to consider those in your ISMS operations (e.g., have agreements or SLAs that address security, include them in risk assessments, monitor their performance, etc.). Additionally, you should plan and control changes to your security processes (this ties in with the new Clause 6.3 – plan changes so operations aren’t haphazard). If a change occurs unexpectedly, you should review its consequences and mitigate any adverse effects. For instance, if a sudden re-org happens in IT, you’d assess whether roles and access need updating to maintain security.
  • Maintaining Documentation and Evidence: Operations should be carried out according to documented procedures, and you need to retain evidence (records) that things were done as planned. ISO 27001 specifically requires keeping documented information to the extent necessary to have confidence that processes have been carried out as planned. In an audit, for example, you might show change request logs, risk assessment reports, backup logs, or access recertification records to prove that operational controls are working. The 2022 standard reworded this slightly (“documented information shall be available to have confidence…”) but the intent is the same – evidence is key.

Clause 8 Guidance

Think of Clause 8 as your ISMS in action. It’s useful to develop an ISMS Operations Manual or procedures describing how you perform recurring security processes (user access reviews, incident management, backup and restore drills, system maintenance, etc.). Make sure responsibilities defined in Clause 5 are actually carried out in Clause 8 – e.g., if Clause 5 assigns an Incident Response Team, Clause 8 is where that team’s procedure is executed during an incident. Conduct periodic risk assessments at intervals defined by your risk methodology (many organizations do them annually, plus whenever major changes occur) – this is part of operation: you keep identifying new risks and treating them (8.2 and 8.3 require the risk assessment and risk treatment plan to be performed and the results retained as documented information). Maintain a change log for the ISMS (significant changes to processes or controls) to show you are meeting Clause 6.3’s requirement that changes be planned. Also, ensure any third-party services that impact your security (cloud providers, outsourced IT support, etc.) are covered by contracts or agreements that include security provisions, and that you monitor their performance (for instance, review their SOC 2 reports or ISO 27001 certificates, if available). Auditors will expect to see that you haven’t ignored outsourced parts of your operations. Clause 8’s requirements are mandatory – you must demonstrate that the plans and controls on paper are actually implemented in real life, and that you’re running the ISMS proactively. This is where all the policies and risk treatment decisions translate into day-to-day practices that protect the organization.

Clause 9: Performance Evaluation

Clauses 9 and 10 form the “Check” and “Act” parts of the continuous improvement cycle. Clause 9 requires the organization to monitor, measure, analyze, and evaluate the ISMS and its information security performance. It ensures that you don’t just set up security processes, but also continuously check whether they are effective and producing the desired results. The main components are:

  • Monitoring and Measurement (9.1): Determine what needs to be monitored and measured, how, when, and by whom, to gauge ISMS performance. This could include technical measures (number of incidents detected, system uptime, percentage of staff who passed phishing tests) and process measures (completion rate of risk treatment tasks, policy compliance rates, etc.). ISO 27001:2022 explicitly clarified that organizations must evaluate the information security performance and the effectiveness of the ISMS, not just collect data. In fact, a sentence to that effect, which was in the 2013 version, was moved to a more prominent spot in 2022 to stress evaluation. You should also retain documented evidence of monitoring and measurement results – for example, keep reports of your security metrics or dashboards that management reviews.
  • Internal Audit (9.2): You are required to conduct internal audits of the ISMS at planned intervals. An internal audit is an assessment performed on the organization’s own behalf (by your own staff or by an external consultant you engage for the purpose – it is still an internal, first-party audit) to check whether your ISMS conforms to ISO 27001’s requirements and your own internal requirements, and is effectively implemented and maintained. The 2022 version breaks this into sub-clauses for clarity: 9.2.1 (Internal audit – general) and 9.2.2 (Internal audit programme). Essentially, you need to plan the audit programme (covering frequency, methods, responsibilities, planning requirements and reporting) and conduct audits that, over time, cover all parts of the ISMS. Internal auditors must be objective and impartial, which in practice means nobody audits their own work. Findings from internal audits must be reported to relevant management. Internal audits are a key tool to identify nonconformities or weaknesses before the certification auditor finds them. They are mandatory – lack of an internal audit programme is a common cause of audit failure.
  • Management Review (9.3): At planned intervals (typically once a year), top management must review the ISMS to ensure its continuing suitability, adequacy, and effectiveness. The management review looks at inputs such as results of audits, changes in external/internal issues, fulfillment of objectives, performance metrics, status of actions from previous reviews, status of corrective actions, and opportunities for improvement. ISO 27001:2022 restructured this section into 9.3.1 (General), 9.3.2 (Management review inputs), and 9.3.3 (Management review results), which helps clarify what topics should be covered and what outcomes are expected. A notable addition in 2022 is that changes in the needs and expectations of interested parties that are relevant to the ISMS must be considered as an input – for example, if customers now demand higher security or new laws have been passed, management should discuss how the ISMS needs to adapt. After the review meeting, the outputs should include decisions on continual improvement opportunities and any changes needed to the ISMS (policy, objectives, resources, etc.). Minutes or reports from these reviews must be retained as documented evidence.

Clause 9 Guidance

To comply with Clause 9, define a set of Key Performance Indicators (KPIs) or metrics for your ISMS. These could cover different domains (technical security, compliance, user awareness, etc.). Regularly collect data on these – many organizations do this monthly or quarterly – and analyze trends. For example, track how quickly incidents are resolved or how often access reviews are completed on time. Use this data to make decisions: if metrics show a negative trend (say, increasing malware incidents), investigate why and plan improvements.

Establish an Internal Audit schedule – typically, organizations audit their entire ISMS annually, or they might split it into multiple smaller audits spread across the year. Make sure auditors are trained (or experienced) in ISO 27001 and are independent of the areas they audit. Document each audit with an audit plan, audit reports, and records of findings and corrective actions. Clause 9.2 doesn’t require a specific number of audits, just that it’s planned and conducted; the expectation is at least one full cycle before certification and then periodic audits thereafter. Remember to include both the ISMS processes (clauses 4-10) and controls (Annex A implementations) in the audit scope over time.

For management reviews, create a template or agenda aligned with 9.3.2’s required inputs (e.g., start with changes in context and interested-party expectations, then review audit results, incidents, performance against objectives, status of previous actions, etc.). Hold the review with the CISO or security manager, the relevant executives (IT Director, Risk Manager, etc.), and a representative of top management – often the CEO or COO for smaller companies, or a VP for larger ones. Write minutes that record what was discussed and the decisions made. Auditors will look for evidence that top management is actively reviewing and directing the ISMS.

Ultimately, Clause 9 ensures the ISMS is not a “set-and-forget” system – it must be continuously observed and evaluated. All elements of Clause 9 are mandatory for certification. In fact, demonstrating a cycle of measurement and internal audit and management oversight is crucial to show the ISMS is alive and effective. If you find issues during these activities, Clause 10 (below) is where you address them, completing the feedback loop.

Clause 10: Improvement

Clause 10 focuses on continually improving the ISMS. Even a well-run ISMS will have nonconformities (instances where something doesn’t meet requirements) or opportunities for improvement, and Clause 10 ensures you deal with these in a structured way. There are two main parts:

  • Nonconformity and Corrective Action (10.2 in ISO 27001:2022; 10.1 in the 2013 edition): When something in the ISMS is found noncompliant or ineffective – be it through an incident, an internal audit finding, or a complaint – the organization must react. The process is to identify the nonconformity, take action to control and correct it, and deal with the consequences (e.g., contain a security incident). Then, crucially, you must investigate the root cause of the problem and determine whether similar nonconformities exist or could occur elsewhere. Based on that, you implement corrective actions to eliminate the causes of the nonconformity and prevent recurrence, and you review the effectiveness of those actions. For example, if an internal audit finds that backups were not performed as scheduled (a nonconformity to your backup policy), you might discover the cause was unclear responsibility and then assign a new owner and implement an automated reminder system as corrective action. ISO 27001 requires that the organization document the nature of nonconformities, the actions taken and their results – so you should keep records of incidents, investigations (such as root cause analysis), and what fixes were applied. In ISO 27001:2013, “Nonconformity and corrective action” was clause 10.1 and “Continual improvement” was 10.2; the 2022 standard swapped these sub-clauses (placing continual improvement first) to align with ISO’s harmonized structure for management system standards, but the content remains essentially the same – no new steps were added.
  • Continual Improvement (10.1 in ISO 27001:2022; 10.2 in the 2013 edition): The organization must continually improve the suitability, adequacy, and effectiveness of the ISMS. This goes beyond reacting to problems; it means proactively looking for ways to make the ISMS better. It could involve adopting new security technologies, streamlining processes for efficiency, raising the bar on security objectives, or integrating with other management systems (like quality or privacy) for synergy. Continual improvement is more of a principle than a checklist item – auditors will look for a culture of improvement. One concrete way to show this is through the results of management reviews and internal audits: these activities should generate improvement actions, and you then implement them. Over time, the ISMS should mature – for instance, risks that were once accepted might be mitigated as you improve, or metric targets might become more stringent as you achieve initial goals.

Clause 10 Guidance

When a nonconformity is identified (whether it’s a security incident, an audit finding, or even a near-miss that you voluntarily catch), log it in a Nonconformity/Corrective Action Register. Perform a Root Cause Analysis for significant issues – techniques like the 5 Whys or fishbone diagrams can help drill down beyond the superficial cause. Document your findings and the corrective steps taken. It’s important to not only fix the immediate problem but also update any affected documentation or processes (for example, if a procedure was unclear and led to the mistake, update the procedure as part of the corrective action). Clause 10 expects that after actions are taken, you review their effectiveness – essentially checking that the fix actually worked and the problem didn’t recur.

For continual improvement, maintain an Improvement Log or include potential improvements as an agenda item in management reviews. Encourage a mindset that no ISMS is ever perfect – there are always evolving risks and new best practices, so the system should evolve too. This could be as simple as periodically benchmarking your security controls against industry standards or new versions of ISO 27002 for ideas on enhancements.

All Clause 10 activities are mandatory for an ISO 27001-compliant ISMS. Certification auditors will often sample how you handle nonconformities: they might ask, “Tell me about a security incident or an internal audit finding and show how you addressed it.” They will expect to see that the organization doesn’t ignore problems and has an effective corrective action process. They’ll also check that top management is driving continual improvement (for instance, through the outcomes of management reviews). In the spirit of ISO’s continuous improvement model, Clause 10 ensures the ISMS doesn’t stagnate – it keeps adapting and getting more resilient over time. By diligently following this clause – treating every incident or audit finding as a learning opportunity – an organization not only stays compliant but actually reduces risk and improves security in the long run.

ISO/IEC 27001: A Comprehensive Framework

Clauses 4 through 10 of ISO/IEC 27001 form a comprehensive framework for managing information security systematically. They are all mandatory for organizations seeking certification, and each clause builds on the previous ones to create a cycle of continual improvement (Plan-Do-Check-Act) in securing information assets.

The 2022 update to the standard refined this framework with clearer requirements for things like determining stakeholder needs, planning ISMS changes, and structuring audits and reviews, but did not fundamentally change the intent of the clauses.

For practitioners – whether compliance officers ensuring requirements are met, consultants guiding implementations, CISOs managing the ISMS, or CEOs championing security at the top – understanding these seven clauses is crucial. They spell out what must be done, while giving flexibility in how to do it in a way that fits the organization’s context.
