help (at) seqmtraining.co.uk

What are the ISO 27001 Requirements?

Understanding the ISO 27001 requirements is essential for organisations seeking to protect their information assets and achieve certification. This guide provides a checklist of the clauses, explains the clause structure, and outlines what you need for compliance. Whether you are exploring ISO 27001 training courses or preparing for certification, this article covers what ISO 27001 is and what certification requires.

ISO 27001 Requirements Checklist

The ISO 27001 requirements are structured across ten clauses, with clauses 4-10 containing the auditable requirements for an Information Security Management System (ISMS). Additionally, Annex A provides 93 security controls organised into four themes: organisational, people, physical, and technological. Meeting these requirements demonstrates your organisation’s commitment to protecting information confidentiality, integrity, and availability.

The clause structure follows the Plan-Do-Check-Act (PDCA) cycle: clauses 4 to 7 plan the ISMS, clause 8 operates it, clause 9 checks it, and clause 10 acts on what the checks find, which is what gives the standard its emphasis on continual improvement. Below is a checklist covering all ten clauses:

1. Scope – States that the standard specifies requirements for establishing, implementing, maintaining and continually improving an ISMS, and that an organisation claiming conformity may not exclude any of the requirements in clauses 4-10.

2. Normative References – References ISO/IEC 27000 for terms and definitions.

3. Terms and Definitions – Refers to the vocabulary in ISO/IEC 27000.

4. Context of the Organisation

This clause requires organisations to understand internal and external factors affecting their ISMS, identify interested parties and their requirements, and define the scope of the management system.

  • 4.1 Understanding the organisation and its context
  • 4.2 Understanding the needs and expectations of interested parties
  • 4.3 Determining the scope of the information security management system
  • 4.4 Information security management system

5. Leadership

Top management must demonstrate commitment to the ISMS by establishing policy, assigning roles, and ensuring adequate resources.

  • 5.1 Leadership and commitment
  • 5.2 Information security policy
  • 5.3 Organisational roles, responsibilities and authorities

6. Planning

Organisations must determine the risks and opportunities the ISMS needs to address, define a repeatable information security risk assessment and risk treatment process (the output of which includes the Statement of Applicability), set measurable information security objectives with plans to achieve them, and make changes to the ISMS in a planned way.

  • 6.1 Actions to address risks and opportunities
  • 6.2 Information security objectives and planning to achieve them
  • 6.3 Planning of changes (added in the 2022 edition)

7. Support

This clause addresses resources, competence, awareness, communication, and documented information needed to support the ISMS.

  • 7.1 Resources
  • 7.2 Competence
  • 7.3 Awareness
  • 7.4 Communication
  • 7.5 Documented information

8. Operation

Operational requirements cover planning and controlling the processes needed to meet the ISMS requirements, including control of externally provided processes, products or services that are relevant to the ISMS, and running the risk assessment and risk treatment processes defined under clause 6 at planned intervals and whenever significant changes are proposed or occur. Results of both must be retained as documented information.

  • 8.1 Operational planning and control
  • 8.2 Information security risk assessment
  • 8.3 Information security risk treatment

9. Performance Evaluation

Organisations must monitor and measure ISMS performance, conduct internal audits, and hold management reviews.

  • 9.1 Monitoring, measurement, analysis and evaluation
  • 9.2 Internal audit
  • 9.3 Management review

10. Improvement

The final clause addresses nonconformities, corrective actions, and the requirement for continual improvement of the ISMS.

  • 10.1 Nonconformity and corrective action
  • 10.2 Continual improvement

Non-Applicable Requirements

Unlike some management system standards, the clause requirements in ISO 27001 (clauses 4-10) cannot be excluded. All clauses must be addressed for certification. However, organisations have flexibility with Annex A controls.

When completing the Statement of Applicability (SoA), organisations compare the controls chosen during risk treatment against each of the 93 Annex A controls to confirm that none has been overlooked. The SoA must list the necessary controls, justify their inclusion, state whether each is implemented, and justify the exclusion of any Annex A control. A control may be deemed not applicable if the risk it addresses does not exist within the ISMS scope, and every exclusion must be documented in a way that shows it does not leave a risk in scope untreated. Annex A is a reference set rather than an exhaustive one: controls from other sources may be added where the risk treatment requires them.

Enrol in an ISO 27001 Training Course

Understanding the full scope of these requirements demands professional training. Our CQI and IRCA certified courses provide the knowledge needed to interpret clauses, conduct audits, and maintain effective information security management systems.

Ready to advance your information security expertise? Explore our ISO 27001 training courses today.

Frequently Asked Questions

Key requirements include defining the ISMS scope, conducting risk assessments, implementing security controls, establishing an information security policy, ensuring competence and awareness, and performing internal audits and management reviews. Organisations must also maintain documented information and pursue continual improvement.

All requirements in clauses 4-10 are mandatory for certification. Mandatory elements include risk assessment and treatment processes, a Statement of Applicability, information security policy, defined objectives, internal audits, management reviews, and documented information demonstrating conformity.

ISO 27001 is not legally mandatory in the UK. However, it is increasingly required by customers, supply chains, and regulatory frameworks. In the UK, the standard is published as BS EN ISO/IEC 27001:2023+A1:2024. A tracked changes version is also available.

The ISO 27001 checklist covers ten clauses addressing context, leadership, planning, support, operation, performance evaluation, and improvement. It also includes assessment of 93 Annex A controls across organisational, people, physical, and technological themes to ensure comprehensive information security coverage.