ISO 27001 Requirements – A Comprehensive Guide

Summary of Requirements 

Mandatory-Only Documentation 

This clause in ISO/IEC 27001 asks organisations to consider both external and internal factors that could affect how they manage information security. It also asks them to understand the needs and expectations of stakeholders, and to identify any key relationships or dependencies. All of this is considered when defining the scope of the ISMS. 

Your ISMS scope sets the boundaries for which data and information will be protected under the system, and which won’t. This applies no matter where the information is stored or accessed, whether it’s in your offices, in the cloud, or from a remote location. 

ISO/IEC 27001 refers to the scope as the “boundary and applicability” of the ISMS. In simple terms, it’s about being clear on what’s included in your security efforts, and what sits outside of them. 

The ISMS Scope. 

ISO/IEC 27001 is frequently referred to as a “top-down management-driven” management system.  One of the standard’s key clauses outlines what’s expected from top management. It requires them to show clear leadership and commitment, set and share a high-level Information Security Policy, and make sure that everyone involved in the ISMS knows their roles, responsibilities and authority. In short, it’s about strong governance and clear communication from the top. 

An Information Security Policy. 

As the clause title indicates, organisations are required to plan the establishment and implementation of their ISMS.  

This involves identifying and addressing risks and opportunities, assessing and treating information security risks, setting clear information security objectives, and planning for change.  

These objectives should be communicated effectively and, where practical, monitored and measured, taking into account security requirements as well as the outcomes of risk assessments and treatments.  

Plans should be developed to achieve these objectives, detailing the “what”, “how”, “when”, and “who”.  

Additionally, any changes to the ISMS must be managed in a planned and controlled manner.  

Information security risk assessment process. 

Information security risk treatment process. 

Information security objectives. 

Another well-named clause in ISO/IEC 27001 sets out what’s needed to properly support an ISMS. 

This includes making sure the organisation provides enough time, people, funding, information and infrastructure to run it effectively. 

It also covers the competence of personnel, with a requirement to take action if someone lacks the necessary skills.  

Everyone in the organisation must have a basic level of information security awareness. On top of that, communication around the ISMS must be planned and purposeful, and the management of ISMS-related documents (known as “documented information”) need to be handled in a clear, efficient and effective way. 

Evidence of competence (for all relevant ISMS roles). 

Building on previous clause requirements which establish and implement an ISMS, organisations now need to operate and maintain (including continual improvement) their ISMS.  

Clause 8 focuses on putting the ISMS into action. It outlines what’s needed to run the system day to day and make sure it meets the standard’s requirements and supports your organisation’s ISMS objectives. 

This includes planning, implementing and controlling all relevant processes. To do this, clear criteria for how processes should work must be set and followed. 

The clause also highlights the need to manage changes effectively, oversee any outsourced processes, and keep up with ongoing risk assessment and treatment. 

The results of operationalised risk assessment and treatment. 

Additionally, optional documentation can be generated to underpin organisational confidence that ISMS processes are carried out as planned. 

This clause focuses on using data and insight to support continual improvement of the ISMS. It sets out requirements for monitoring, measuring, analysing and evaluating how the system is performing. The organisation decides what to monitor, how to do it, when it should happen and who is responsible. 

It also covers the need for internal audits and regular management reviews at planned intervals. 

In short, this clause asks organisations to review how well their ISMS is working, and whether it continues to be suitable, effective and fit for purpose. 

The results of monitoring, measurement, analysis and evaluation. 

A fully documented internal audit program. 

The results of ISMS review by Top Management. 

Building on the results from performance evaluation in Clause 9, this final mandatory clause focuses on continual improvement of the ISMS. 

It requires organisations to regularly review how suitable, adequate and effective their ISMS is. It also covers how to handle nonconformities when something doesn’t meet the standard by taking the right corrective action. 

Nonconformities might be spotted during internal or external audits, reviews of security incidents, or day-to-day observations. Addressing these issues properly is a key part of keeping the ISMS effective over time.  

Nonconformities (the nature of), corrective actions and their results. 

Summary of Requirements 

Example, typical or suggested/inferred documentation 

This group includes 37 controls that are organisational in nature. They focus on managing risks linked to governance, management and day-to-day operations rather than technical systems, people or physical security. 

Like all Annex A controls, these can be preventive, detective and/or corrective in how they work. 

Examples include controls related to information security governance (policies, procedures, roles and responsibilities, segregation of duties, contacts, etc.), threat intelligence, asset management, Identity and Access Management (IAM), supplier relations, information security incident management, legal, statutory, regulatory and contractual requirements (including IP, record and PII protection, independent review and compliance). 

Information security and topic-specific policies. 

Inventory of assets. 

Rules for acceptable use of assets (mandatory). 

Information classification and labelling procedures. 

Rules for physical and logical access. 

Supplier agreements (to include organisational information security requirements). 

Information security incident management procedures (mandatory). 

Information security continuity (plans, testing, etc.). 

Legal, statutory, regulatory and contractual requirements and approach to compliance (mandatory). 

Documented information process and information process facilities operating procedures (mandatory). 

This section includes 8 controls that are HR-related. They focus on managing risks connected to people in the organisation and how they interact with information and the systems used to process it. 

Like all Annex A controls, these can be preventive, detective and/or corrective in how they work. 

Examples include controls related to pre-employment (screening, terms and conditions, confidentiality/NDAs), during employment (awareness, disciplinary process, remote working, incident reporting) and personnel termination (responsibilities after termination or change). 

Personnel terms and condition of employment (including information security responsibilities). 

Formal disciplinary process. 

Confidentiality or non-disclosure agreements (mandatory). 

Remote working requirements. 

Contains a selection of 14 controls designed to primarily respond to or modify risks associated with the physical site and environment.  

Like all Annex A controls, these can be preventive, detective and/or corrective in how they work. 

Examples include controls for physical perimeter, entry and the internal security of offices, rooms and facilities (all including monitoring), procedures for working in secure areas, protection of all physical assets (onsite and offsite), equipment maintenance, secure disposal and clear desk and screen. 

Building and services schematics. 

Procedures for working in secure areas. 

Rules for clear desks and screens. 

Rules for the management of the lifecycle of storage media (can be related to organisational asset management controls, including classification and labelling). 

Equipment maintenance agreements and records (can be related to organisational supplier relation controls). 

Contains a selection of 34 controls designed to primarily respond to or modify risks associated with the use of technology.   

As with all Annex A controls, they have preventive, detective and/or corrective attributes. 

Examples include controls for IT operations (configuration management, capacity management, end point device management, information and utility access restrictions, authentication, malware protection, technical vulnerability management, backup, data masking and leakage prevention, redundancy, logging and monitoring), network operations (network security, services, segregation, filtering), cryptography, secure software development (lifecycle, policy, principles, coding, testing, outsourcing) and change management. 

Technical vulnerability management process and procedures. 

Configuration management (mandatory). 

Backup policy. 

Logging and monitoring procedures and activities. 

Network diagrams. 

Rules for secure development (lifecycle and secure coding). 

Change management procedure or process.