
ISO 27001 Requirements: Complete Guide to Clauses 4-10

ISO 27001 is built around mandatory requirements defined in Clauses 4-10. Understanding these requirements is essential for building a compliant ISMS. This guide breaks down each clause and what you need to do.

Key Takeaways

| Point | Summary |
|---|---|
| 7 mandatory clauses | Clauses 4-10 are auditable requirements; Clauses 0-3 are introductory |
| Clause 4 | Context - define ISMS scope and stakeholder requirements |
| Clauses 5-6 | Leadership & Planning - management commitment, risk assessment, Statement of Applicability |
| Clauses 7-8 | Support & Operation - resources, documentation, control implementation |
| Clauses 9-10 | Evaluation & Improvement - internal audit, management review, corrective actions |

Quick Answer: ISO/IEC 27001:2022 has 7 mandatory clauses (4-10) plus 93 Annex A controls organized in 4 themes (Organizational, People, Physical, Technological). Key deliverables include scope document, security policy, risk assessment, Statement of Applicability, internal audit, and management review records.

Overview of ISO 27001 Clauses

Clause Structure

ISO 27001:2022 Structure:

Clauses 0-3: Introduction (not auditable):

    0. Introduction
    1. Scope
    2. Normative references
    3. Terms and definitions

Clauses 4-10: Requirements (auditable):

    4. Context of the organization
    5. Leadership
    6. Planning
    7. Support
    8. Operation
    9. Performance evaluation
    10. Improvement

Annex A: Control objectives and controls:

  • 93 controls in 4 themes

Which Clauses Are Required?

| Clause | Requirement Level | Notes |
|---|---|---|
| 4-10 | Mandatory | Cannot exclude any |
| Annex A | Mandatory to consider | Can exclude with justification |

Clause 4: Context of the Organization

Purpose

Establish the foundation for your ISMS by understanding your organization and stakeholder needs.

4.1 Understanding the Organization and its Context

Requirement: Determine external and internal issues relevant to your purpose and affecting ISMS outcomes.

External issues to consider:

  • Legal and regulatory requirements
  • Market conditions
  • Technological changes
  • Customer expectations
  • Competitive landscape

Internal issues to consider:

  • Organizational structure
  • Culture and values
  • Resources and capabilities
  • Information systems
  • Business processes

Documentation: Context analysis document

4.2 Understanding Stakeholder Needs and Expectations

Requirement: Identify interested parties and their requirements.

| Stakeholder | Typical Requirements |
|---|---|
| Customers | Data protection, service availability |
| Employees | Job security, privacy |
| Regulators | Legal compliance |
| Shareholders | Risk management, reputation |
| Partners | Security assurance |

Documentation: Stakeholder register

4.3 Determining the Scope of the ISMS

Requirement: Define ISMS boundaries and applicability.

Scope considerations:

  • External and internal issues (4.1)
  • Stakeholder requirements (4.2)
  • Interfaces and dependencies
  • Organizational boundaries
  • Information assets included

Example scope statement:

"The ISMS covers the development, delivery, and support of [Product Name], including all cloud infrastructure, development systems, and customer data processing activities."

Documentation: ISMS scope document

4.4 Information Security Management System

Requirement: Establish, implement, maintain, and continually improve the ISMS.

This encompasses:

  • All requirements in Clauses 4-10
  • Selected Annex A controls
  • Additional controls as needed
  • Documentation requirements

Clause 5: Leadership

Purpose

Ensure management commitment and establish organizational security direction.

5.1 Leadership and Commitment

Requirement: Top management must demonstrate leadership by:

| Commitment Area | Evidence |
|---|---|
| Ensuring ISMS achieves outcomes | Defined objectives, measured results |
| Providing resources | Budget allocation, staffing |
| Communicating importance | Communications, policy statements |
| Ensuring results are achieved | Management reviews, metrics |
| Supporting continual improvement | Investment in improvements |

5.2 Policy

Requirement: Establish an information security policy that:

| Policy Requirement | Description |
|---|---|
| Appropriate to purpose | Aligned with business objectives |
| Includes objectives | Clear security goals |
| Includes commitment | To satisfy requirements and improve |
| Communicated | Available to all relevant parties |
| Documented | Written and maintained |

Key policy elements:

  • Purpose and scope
  • Security objectives
  • Management commitment
  • Roles and responsibilities
  • Review and update process

5.3 Organizational Roles, Responsibilities, and Authorities

Requirement: Assign and communicate security responsibilities.

Critical roles:

| Role | Responsibilities |
|---|---|
| Top management | Overall accountability, resource allocation |
| ISMS Manager | Implementation, coordination, reporting |
| Risk owners | Managing specific risks |
| Control owners | Operating and maintaining controls |
| Internal auditor | Verifying ISMS effectiveness |

Clause 6: Planning

Purpose

Address risks and opportunities, and establish security objectives.

6.1 Actions to Address Risks and Opportunities

6.1.1 General

Determine risks and opportunities considering:

  • Context (4.1)
  • Stakeholder requirements (4.2)

Plan actions to:

  • Achieve intended ISMS outcomes
  • Prevent or reduce undesired effects
  • Achieve continual improvement

6.1.2 Information Security Risk Assessment

Requirement: Define and apply a risk assessment process.

Risk Assessment Process:

Step 1: Establish Criteria:

  • Risk acceptance criteria
  • Criteria for performing assessments
  • Consistency and validity requirements

Step 2: Identify Risks:

  • Identify information assets
  • Identify threats
  • Identify vulnerabilities
  • Identify potential consequences
  • Identify risk owners

Step 3: Analyze Risks:

  • Assess likelihood
  • Assess impact
  • Calculate risk level

Step 4: Evaluate Risks:

  • Compare against criteria
  • Prioritize for treatment
  • Document decisions

Documentation:

  • Risk assessment methodology
  • Risk register
  • Risk assessment results

6.1.3 Information Security Risk Treatment

Requirement: Define and apply a risk treatment process.

| Treatment Option | When to Use |
|---|---|
| Modify (mitigate) | Implement controls to reduce risk |
| Accept | Risk within tolerance |
| Avoid | Eliminate the activity |
| Share (transfer) | Insurance, outsourcing |

Key outputs:

  • Risk treatment plan
  • Statement of Applicability (SoA)

Statement of Applicability must include:

  • Selected controls and justification
  • Implementation status
  • Excluded controls and justification
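The risk assessment steps in 6.1.2 (criteria, identification, likelihood × impact, evaluation against acceptance criteria) and the treatment and Statement of Applicability outputs in 6.1.3 are easier to see as data than as prose. The following is an added illustration, not code from the original article: a minimal risk register that scores each risk, compares it to an acceptance threshold, checks that treatment decisions are internally consistent, and derives a Statement of Applicability in which every control is either traced to the risks it treats or excluded with a justification. The 1-5 scales, the threshold of 6, the sample risks, the owner names and the four-control catalogue are constructed assumptions; a real SoA covers all 93 Annex A controls.

```python
"""Risk register and SoA check for Clauses 6.1.2 and 6.1.3. Added worked example, not from the
original article: scales, acceptance threshold, sample risks and catalogue are constructed."""
from dataclasses import dataclass, field
from typing import Optional

ACCEPTANCE_THRESHOLD = 6   # constructed criterion (Step 1): level <= 6 is within tolerance
CONTROL_CATALOGUE = {      # a few Annex A control names for illustration; a real SoA lists all 93
    "A.5.15": "Access control",
    "A.8.5": "Secure authentication",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    owner: str
    likelihood: int                   # 1 rare .. 5 almost certain
    impact: int                       # 1 negligible .. 5 severe
    treatment: Optional[str] = None   # modify | accept | avoid | share, once decided
    controls: list = field(default_factory=list)   # Annex A ids applied under "modify"
    residual: Optional[tuple] = None  # (likelihood, impact) expected after treatment

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{self.risk_id}: {name} outside 1..5")

    @property
    def level(self) -> int:           # Step 3: likelihood x impact, range 1..25
        return self.likelihood * self.impact


def evaluate(risk, threshold=ACCEPTANCE_THRESHOLD) -> str:
    """Step 4: compare the level against the acceptance criteria."""
    return "acceptable" if risk.level <= threshold else "treat"


def treatment_findings(risk, threshold=ACCEPTANCE_THRESHOLD) -> list:
    """Consistency checks an auditor would make on a 6.1.3 treatment decision."""
    findings = []
    if evaluate(risk, threshold) == "treat":
        if risk.treatment is None:
            findings.append("above criteria but no treatment recorded")
        elif risk.treatment == "accept":
            findings.append("accepted above criteria; needs documented management approval")
    if risk.treatment == "modify":
        residual = None if risk.residual is None else risk.residual[0] * risk.residual[1]
        if not risk.controls:
            findings.append("modify chosen but no controls listed")
        if residual is None:
            findings.append("modify chosen but residual risk not assessed")
        elif residual > threshold:
            findings.append(f"residual level {residual} still above criteria")
    return findings


def statement_of_applicability(risks, exclusions):
    """Each catalogue control is selected (traced to the risks it treats) or excluded
    with a justification; an exclusion without one is reported as a finding."""
    soa, findings = {}, []
    for cid, name in CONTROL_CATALOGUE.items():
        users = [r.risk_id for r in risks if cid in r.controls]
        if users:
            soa[cid] = {"name": name, "status": "selected",
                        "justification": "treats " + ", ".join(users)}
        else:
            soa[cid] = {"name": name, "status": "excluded", "justification": exclusions.get(cid)}
            if cid not in exclusions:
                findings.append(f"{cid} excluded without justification")
    return soa, findings


# Constructed sample register (Step 2 output: asset, threat, vulnerability, owner).
SAMPLE_RISKS = [
    Risk("R-01", "customer database", "credential stuffing", "password-only logins",
         "Head of Engineering", 4, 5, "modify", ["A.8.5", "A.5.15"], residual=(2, 3)),
    Risk("R-02", "build servers", "exploitation of unpatched service", "no patch cadence",
         "Platform Lead", 3, 4, "modify", ["A.8.8"], residual=(2, 4)),
    Risk("R-03", "office print queue", "disclosure of print jobs", "shared queue", "IT Manager", 2, 2),
    Risk("R-04", "file share", "ransomware", "untested restores", "IT Manager", 3, 4, "accept"),
]
SAMPLE_EXCLUSIONS = {}   # A.8.13 is neither applied nor justified, so the SoA check flags it


def run_assessment(risks=SAMPLE_RISKS, exclusions=SAMPLE_EXCLUSIONS):
    """Step 4 prioritisation (highest level first) plus treatment and SoA checks."""
    ordered = sorted(risks, key=lambda r: (-r.level, r.risk_id))
    report = {r.risk_id: {"level": r.level, "decision": evaluate(r),
                          "findings": treatment_findings(r)} for r in ordered}
    soa, soa_findings = statement_of_applicability(risks, exclusions)
    return report, soa, soa_findings


if __name__ == "__main__":
    for rid, row in run_assessment()[0].items():
        print(rid, row)
```

Run as a script, the report lists R-01 first (level 20) and flags two things an auditor would ask about: R-04 is accepted although it sits above the acceptance criteria, and A.8.13 is excluded from the SoA with no justification. The point of keeping the register as structured data is that these checks run on every update rather than once a year before the audit.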

6.2 Information Security Objectives and Planning

Requirement: Establish measurable security objectives.

Objectives must be:

| Characteristic | Example |
|---|---|
| Consistent with policy | Aligned with security policy commitments |
| Measurable | "Achieve 100% MFA adoption" |
| Consider requirements | Address stakeholder needs |
| Monitored | Regular tracking |
| Communicated | Known to relevant parties |
| Updated | Revised as needed |

Planning must determine:

  • What will be done
  • Required resources
  • Responsible parties
  • Completion timeline
  • How results will be evaluated

Clause 7: Support

Purpose

Provide resources needed for ISMS effectiveness.

7.1 Resources

Requirement: Determine and provide necessary resources.

| Resource Type | Examples |
|---|---|
| Financial | Budget for tools, training, audits |
| Human | Security staff, ISMS manager |
| Infrastructure | Security tools, systems |
| Time | Allocation for ISMS activities |

7.2 Competence

Requirement: Ensure personnel competence for ISMS roles.

Actions required:

  • Determine required competence
  • Ensure competence through education, training, or experience
  • Take actions to acquire competence where needed
  • Retain evidence of competence

Evidence: Training records, certifications, qualifications

7.3 Awareness

Requirement: Personnel must be aware of:

| Awareness Area | Details |
|---|---|
| Security policy | Understand the policy |
| Their contribution | How they support the ISMS |
| Implications of nonconformity | Consequences of not complying |

Evidence: Training completion records, acknowledgments

7.4 Communication

Requirement: Determine internal and external communication needs.

| Communication Aspect | Determination Needed |
|---|---|
| What to communicate | Security updates, incidents, policies |
| When to communicate | Triggers and schedules |
| With whom | Internal teams, external parties |
| How to communicate | Channels and methods |
| Who communicates | Responsible parties |

7.5 Documented Information

Requirement: Create and maintain required documentation.

7.5.1 General

Include:

  • Documentation required by ISO 27001
  • Documentation needed for ISMS effectiveness

7.5.2 Creating and Updating

Ensure appropriate:

  • Identification and description
  • Format and media
  • Review and approval

7.5.3 Control of Documented Information

Ensure:

  • Availability and suitability
  • Adequate protection
  • Distribution and access control
  • Storage and preservation
  • Change control
  • Retention and disposition

Clause 8: Operation

Purpose

Execute the ISMS through operational planning and risk management.

8.1 Operational Planning and Control

Requirement: Plan, implement, and control the processes needed for the ISMS.

| Activity | Description |
|---|---|
| Establish criteria | Define process requirements |
| Implement controls | Execute according to criteria |
| Keep records | Maintain evidence of execution |
| Control changes | Manage planned and unplanned changes |
| Control outsourced processes | Ensure third-party compliance |

8.2 Information Security Risk Assessment

Requirement: Perform risk assessments at planned intervals or when significant changes occur.

Triggers for reassessment:

  • Planned intervals (typically annual)
  • Significant organizational changes
  • Major system changes
  • After security incidents
  • New threats identified

Documentation: Risk assessment results

8.3 Information Security Risk Treatment

Requirement: Implement the risk treatment plan.

Evidence required:

  • Risk treatment actions completed
  • Control implementation status
  • Residual risk assessment
  • Risk treatment results

Clause 9: Performance Evaluation

Purpose

Monitor, measure, audit, and review ISMS effectiveness.

9.1 Monitoring, Measurement, Analysis, and Evaluation

Requirement: Evaluate ISMS and control performance.

| Determination | Description |
|---|---|
| What to monitor | Processes, controls, objectives |
| Methods | How to measure |
| When | Frequency of monitoring |
| Who | Responsible parties |
| When to analyze | Timing of analysis |
| Who analyzes | Responsible parties |

Metrics examples:

| Metric | Target |
|---|---|
| Training completion | 100% |
| Access review completion | Quarterly |
| Vulnerability remediation SLA | 95% met |
| Incident response time | < 4 hours |
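Clause 9.1 asks for each metric to have a defined method, frequency and owner, and for the result to be compared with a target. The script below is an added example, not code from the original article: it computes the four example metrics from the table above out of evidence records and reports whether each target was met. The record formats, the per-severity remediation SLA windows, the use of mean time to first response as the incident metric, the owner names and all sample evidence are constructed assumptions; in practice the records would come from the HR, ticketing and incident systems.

```python
"""Clause 9.1 monitoring and measurement: the article's example metrics computed from
evidence records. Added example, not from the original article; record formats, SLA windows,
metric definitions and sample data are constructed assumptions."""
from datetime import datetime
from statistics import mean

# ---- constructed evidence records ------------------------------------------------------
STAFF = ["alice", "bob", "carol", "dave"]
TRAINING_COMPLETED = {"alice", "bob", "dave"}                 # carol still outstanding

# (id, severity, opened, closed or None while still open)
VULNERABILITIES = [
    ("V-1", "critical", "2024-01-03", "2024-01-06"),
    ("V-2", "high",     "2024-01-10", "2024-02-20"),           # 41 days: breaches 30-day SLA
    ("V-3", "high",     "2024-02-01", "2024-02-15"),
    ("V-4", "medium",   "2024-02-05", None),                   # open: not yet measurable
    ("V-5", "medium",   "2024-02-10", "2024-03-01"),
]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # constructed SLA policy

# (id, detected, first response)
INCIDENTS = [
    ("I-1", "2024-01-15T09:00", "2024-01-15T10:30"),          # 1.5 h
    ("I-2", "2024-02-02T22:10", "2024-02-03T03:40"),          # 5.5 h
]

# quarter -> completion date, or None if the review has not been evidenced
ACCESS_REVIEWS = {"2024-Q1": "2024-03-28", "2024-Q2": None}


def training_completion_pct(staff=STAFF, completed=TRAINING_COMPLETED) -> float:
    """Share of in-scope personnel with a completion record."""
    return 100.0 * len(set(staff) & set(completed)) / len(staff)


def remediation_sla_pct(vulns=VULNERABILITIES, sla=SLA_DAYS) -> float:
    """Share of closed findings remediated within their severity's SLA window.
    Open findings are excluded here; a real programme would also track them as overdue."""
    closed = [(sev, o, c) for _, sev, o, c in vulns if c is not None]
    within = [c for sev, o, c in closed
              if (datetime.fromisoformat(c) - datetime.fromisoformat(o)).days <= sla[sev]]
    return 100.0 * len(within) / len(closed)


def mean_response_hours(incidents=INCIDENTS) -> float:
    """Mean hours from detection to first response."""
    return mean((datetime.fromisoformat(r) - datetime.fromisoformat(d)).total_seconds() / 3600
                for _, d, r in incidents)


def missing_access_reviews(reviews=ACCESS_REVIEWS) -> list:
    """Quarters with no evidenced access review."""
    return sorted(q for q, done in reviews.items() if done is None)


# The 9.1 determinations for each metric: what, method, target, when, who.
METRICS = [
    {"what": "Training completion", "method": training_completion_pct,
     "target": "100%", "met": lambda v: v >= 100.0, "when": "monthly", "who": "ISMS Manager"},
    {"what": "Access review completion", "method": missing_access_reviews,
     "target": "every quarter", "met": lambda v: v == [], "when": "quarterly", "who": "IT Manager"},
    {"what": "Vulnerability remediation SLA", "method": remediation_sla_pct,
     "target": "95% met", "met": lambda v: v >= 95.0, "when": "monthly", "who": "Platform Lead"},
    {"what": "Incident response time", "method": mean_response_hours,
     "target": "< 4 hours", "met": lambda v: v < 4.0, "when": "monthly", "who": "SOC Lead"},
]


def evaluate_metrics(metrics=METRICS) -> dict:
    """Run every metric and record its value, target and whether the target was met."""
    results = {}
    for m in metrics:
        value = m["method"]()
        results[m["what"]] = {"value": value, "target": m["target"], "met": m["met"](value),
                              "when": m["when"], "who": m["who"]}
    return results


if __name__ == "__main__":
    for name, r in evaluate_metrics().items():
        status = "MET" if r["met"] else "NOT MET"
        print(f"{name:32} {str(r['value']):24} target {r['target']:14} {status}")
```

With the constructed evidence, only the incident response metric meets its target (mean 3.5 hours); training completion and SLA adherence both sit at 75%, and the Q2 access review has no evidence. Feeding these results into the 9.3 management review is what closes the loop between measurement and the corrective actions of Clause 10.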

9.2 Internal Audit

Requirement: Conduct internal audits at planned intervals.

9.2.1 Audit Requirements

Audits must determine whether the ISMS:

  • Conforms to organization's requirements
  • Conforms to ISO 27001 requirements
  • Is effectively implemented and maintained

9.2.2 Audit Program

| Aspect | Requirement |
|---|---|
| Frequency | Based on importance and previous results |
| Methods | Defined approach |
| Responsibilities | Clear ownership |
| Planning | Documented schedule |
| Reporting | Results to management |
| Independence | Auditors objective and impartial |

Documentation: Audit program, audit reports

9.3 Management Review

Requirement: Review ISMS at planned intervals.

9.3.1 General

Top management must review ISMS to ensure suitability, adequacy, and effectiveness.

9.3.2 Management Review Inputs

| Input | Description |
|---|---|
| Previous review actions | Status of prior decisions |
| Changes | External/internal issues affecting the ISMS |
| Performance feedback | Nonconformities, monitoring, audits, objectives |
| Stakeholder feedback | From interested parties |
| Risk assessment results | Current risk status |
| Improvement opportunities | Potential enhancements |

9.3.3 Management Review Outputs

| Output | Description |
|---|---|
| Improvement decisions | What to improve |
| ISMS changes | Modifications needed |
| Resource needs | Additional resources required |

Documentation: Management review minutes/records

Clause 10: Improvement

Purpose

Continually improve ISMS suitability, adequacy, and effectiveness.

10.1 Nonconformity and Corrective Action

Requirement: React to nonconformities and take corrective action.

When a nonconformity occurs, follow this process:

1. React to nonconformity:

  • Control and correct it
  • Deal with consequences

2. Evaluate corrective action need:

  • Review the nonconformity
  • Determine causes
  • Check for similar issues

3. Implement corrective actions:

  • Address root cause

4. Review effectiveness:

  • Verify action worked

5. Update ISMS if needed:

  • Make necessary changes

Documentation: Nonconformity records, corrective action records

10.2 Continual Improvement

Requirement: Continually improve ISMS suitability, adequacy, and effectiveness.

Improvement sources:

| Source | Examples |
|---|---|
| Audit findings | Internal and external audits |
| Risk changes | New or changed risks |
| Performance data | Metrics and monitoring |
| Incident analysis | Lessons learned |
| Technology changes | New tools and methods |
| Best practices | Industry developments |

Requirements Summary Table

| Clause | Key Deliverables |
|---|---|
| 4. Context | Context analysis, stakeholder register, scope document |
| 5. Leadership | Security policy, roles and responsibilities |
| 6. Planning | Risk methodology, risk register, SoA, objectives |
| 7. Support | Resources, training records, awareness evidence, documentation |
| 8. Operation | Control implementation, risk assessment results |
| 9. Evaluation | Metrics, internal audit reports, management review records |
| 10. Improvement | Corrective action records, improvement evidence |

The Bastion Approach

Simplified Requirements Management

Bastion helps you address all ISO 27001 requirements:

| Challenge | Bastion Solution |
|---|---|
| Understanding requirements | Expert guidance from vCISO |
| Creating documentation | Pre-built templates for all clauses |
| Risk assessment | Guided methodology with automation |
| Evidence collection | Automated collection and tracking |
| Audit preparation | Requirement-mapped evidence |
