To achieve ISO 27001 certification, you must understand the standard’s requirements, plan thoroughly and implement them effectively. This guide explores the mandatory ISO 27001 requirements, detailing the clauses of the standard and documentation to achieve compliance.
What Are the ISO 27001 Requirements?
Safeguarding sensitive information remains paramount for organisations, regardless of their industry or size.
ISO 27001 is a globally recognised standard that provides a structured framework for managing information security risks.
Each organisation faces unique information security challenges, so ISO 27001 doesn’t impose a generic security approach.
Instead, implementing ISO 27001 encourages you to implement the appropriate processes and policies that contribute to information security.
The ISO 27001 requirements outline the measures, policies and processes organisations need to implement a robust Information Security Management System (ISMS) that meets the global standard. The requirements include the scope of the standard, leadership commitment, planning, risk assessment and risk management.
To achieve ISO 27001 certification you must demonstrate compliance with the clauses outlined in the ISO 27001 compliance framework.
List of ISO 27001 Requirements
Clause 1: Scope
One of the initial requirements is to define the scope of the ISMS. Organisations must specify the ISMS’s boundaries and applicability, detailing the locations, assets and technologies it covers.
Documentation required: A Scope Statement
This document sets out the processes, activities and assets to which your ISMS will be applied and the boundaries that will be placed on it.
Outlining your management system’s applicability will involve describing the types of products and services provided by your organisation, and where they are provided (such as regionally/nationally/internationally).
Establishing the boundaries will require you to outline which parts of your organisation will be subject to the ISMS. This may include processes, sites, departments and divisions.
In most cases, your ISMS will be applied to your entire organisation. However, there may be circumstances where it is either inappropriate or impossible for a process, site, or team to fall within the scope of your management system.
Clause 2: Normative references
This clause provides references to other standards that are essential for understanding ISO 27001 and must be followed to comply with requirements.
No documentation is required, but your organisation should be familiar with the referenced materials.
Clause 3: Terms and definitions
This clause requires knowledge of the specific terms and definitions used in the standard. Understanding these is essential for correctly applying the ISMS requirements outlined in ISO 27001.
No documentation is required, but a glossary of terms may be helpful.
Clause 4: Context of the organisation
Organisations must determine the internal and external issues that affect their ability to achieve the ISMS’s intended outcomes. This requires identifying stakeholders, determining the ISMS’s scope and aligning it with the organisation’s objectives.
Documentation required:
- A Context Analysis identifying the internal and external issues relevant to your ISMS.
- An Interested Parties List detailing all stakeholders and their requirements.
Clause 5: Leadership
Clause 5 focuses on the mandatory requirement for top-level management to demonstrate their commitment to fully supporting the ISMS.
This includes establishing a clear information security policy, assigning relevant roles and responsibilities, and ensuring the necessary resources are available to whoever needs them.
Required documentation:
- An Information Security Policy outlining your organisation’s approach to managing information security to comply with legal regulations and ethical obligations. Your policy should also demonstrate your commitment to continual improvement.
- A definition of the Roles and Responsibilities related to information security. Full job descriptions aren’t necessary, and these roles do not need to be held by employees whose sole responsibility is information security.
For example, a sales manager may have access to the customer database and is therefore responsible for ensuring that this access is protected and secure.
Clause 6: Planning
A core requirement of ISO 27001 is to identify, assess and manage information security risks.
Organisations must identify risks and opportunities related to the ISMS and plan actions to address them. This includes setting information security objectives and plans to achieve them.
Organisations should be able to develop and implement the most appropriate information security and confidentiality procedures for their operations by undertaking thorough and regular risk assessments.
Required documentation:
- A Risk Assessment and Treatment Plan that details the process for assessing and treating risks.
- Information Security Objectives to record the set objectives and plans to achieve them.
- The Statement of Applicability (SoA) explains which of the 114 information security controls outlined in Annex A of ISO 27001 you will be adopting and why.
In more detail, a risk assessment and risk treatment plan sets out how you identify risks to information security and your approach to mitigating and addressing those risks when they occur. You’re not required to list the potential risks in this document, only your process for identifying them.
Risks might include:
- Accidental loss
- Accidental destruction
- Incorrect storage
- Inadvertent sharing
- Unauthorised access by an employee
- Unauthorised access by an external party
The methodology should address:
- How you will identify risks
- Who will own the risk
- How you will determine the likelihood of the risk
- How you will determine the severity of the risk
- How you will determine the acceptance of a risk
Once you’ve established which controls you have chosen, the risk treatment plan document outlines how the information security management controls will be implemented, who is responsible for this, any required resources and the timeframe for implementation.
How your organisation responds if a security incident occurs must also be documented, as an incident management procedure.
The procedure should establish how your organisation will determine who takes ownership of managing an incident and how that individual will:
- Gather evidence following the incident.
- Establish the circumstances surrounding and leading to the incident, including ascertaining the root cause, what happened and who was involved, for example.
- Record any activities undertaken in response to the incident for later analysis.
- Make management and leadership teams aware of the incident.
- Raise the incident with regulators or independent bodies, if necessary.
- Address any identified weaknesses that caused or contributed to the incident.
There would also need to be a business continuity plan in place.
This procedure can help your business to continue to operate after an information security incident. It outlines the responsibilities, actions, timescales and work required. Other clauses of ISO 27001 cover these aspects in more detail.
With so many information security controls to address, the Statement of Applicability has the potential to become unwieldy, but you are only required to:
- Identify which of the controls apply to your organisation.
- Outline why these controls apply.
- State how the controls have been implemented.
- Explain why any controls have not been chosen (known as exclusions).
Clause 7: Support
This clause focuses on the resources, competence, awareness, communication and documented information necessary to support the ISMS.
To meet these criteria, you will need documentation of resource allocation. The ISMS itself may require some direct resource allocation to be ISO 27001-compliant – for example, you may need to invest in new or more advanced security software – but that isn’t the only support organisations should consider.
To manage an ISMS effectively, various team members will need to take ownership and responsibility for certain areas and processes, documenting their responsibilities and suitability for their roles – this is outlined in sub-clause 7.2.
Records of training, skills, experience and qualifications will demonstrate that every employee has the appropriate level of competence, showing that your organisation takes data security seriously and seeks continual improvement.
Required documentation:
- Competence Records to document the skills, training and experience of individuals involved in the ISMS.
- A Communication Plan for internal and external communications relevant to the ISMS.
- Documented Information outlining the policies, procedures and records required by the standard for the effective planning, operation and control of processes.
Clause 8: Operation
Clause 8 focuses on the operational planning and control of the ISMS.
This includes evaluating its operational controls and security risks, applying security measures and ensuring compliance with the organisation’s policies and objectives.
The security risk assessments outlined in Clause 6 are a part of this process, highlighted in sub-clauses 8.2 and 8.3.
Sub-clause 8.2 concerns risk assessments. It requires organisations to establish and implement a systematic process to identify, analyse and evaluate information security risks, including assessing their likelihood of occurring. A risk assessment and risk treatment report will describe the findings of your assessment, including any risks identified and any treatment undertaken to mitigate or avoid them.
Sub-clause 8.3 covers risk treatment, requiring organisations to determine the appropriate measures needed to address the identified risks. This involves selecting risk treatment options, implementing security controls to mitigate risks and thoroughly documenting the risk treatment plan. These documents may be needed later as evidence during audits.
Documentation required:
- An Operational Procedures document detailing the procedures for managing the ISMS.
- Risk Treatment Plan as mentioned in Clause 6.
Clause 9: Performance evaluation
To achieve ISO 27001 certification, organisations must monitor, measure and evaluate the performance of their ISMS. This includes implementing a programme of regular internal audits and management reviews to assess the system’s effectiveness.
An internal audit is a key aspect of an ISMS, assessing its effectiveness and your organisation’s overall performance regarding information security. You must record and document the details of internal audits, including any issues or opportunities for improvements such audits uncover.
One of the greatest strengths of ISO 27001 is its emphasis on continual improvement. That’s why a key part of an ISMS is the monitoring and measurement of results. This data is vital for securing the future success of your ISMS and ISO 27001 certification – it can be used to inform future strategies.
You will need to have a documented record of these evaluations alongside evidence that your organisation has considered:
- What to measure.
- How and when to measure it.
- How the results will be used for effective process control and improvement.
Senior management should regularly review the ISMS to assess its efficiency, and in accordance with the standard, the results of management reviews should be recorded.
Required documentation:
- Monitoring and Measurement Records documenting monitoring and measurement activities.
- An Internal Audit Programme and Reports documenting the internal audit process and findings.
- Management Review Minutes recording the decisions and actions of management reviews.
Clause 10: Improvement
Clause 10 concerns continual improvement – a key tenet of ISO 27001 (and other ISO standards).
When operating and maintaining any kind of management system, a fundamental part of the process is to identify, fix and document nonconformities and the results of corrective actions. Even the best ISMS can have weak spots, so organisations must make timely adjustments and corrections. They also need to create plans that mitigate the risk of recurrences in the future and implement them.
This process repeats itself with every routine performance evaluation.
When documenting continual improvement efforts, you should include the following information:
- The details of the nonconformity.
- The actions taken (in detail).
- What concessions are obtained.
- The responsible individuals.
You also need to include clear evidence in the documentation showing how any corrective action has achieved the desired results (ISO 27001 conformity).
Required documentation:
- Nonconformity and Corrective Action Records, documenting nonconformities and the actions taken to address them.
- A Continual Improvement Plan outlining how the organisation intends to improve the ISMS over time.
Other key documents
Other valuable documentation that may be necessary for effectively implementing and maintaining an ISMS includes:
- Inventory of assets – Document any asset involved in data storage, including desktop computers, laptops, servers, phones, tablets, physical documents, financial records, email systems and cloud computing services.
- Acceptable use of assets – The assets you identified in your inventory handle sensitive information, so they must be used appropriately. Establishing acceptable use makes it clear to all employees how they are permitted to use a device to maintain information security.
- Access control policy – This will help your organisation manage access so that only the appropriate people are granted access to sensitive information. This document should outline how access to sensitive information is granted, reviewed and revoked.
- Operating procedures for IT management – Document procedures for areas where sensitive information is at risk through incorrect operation of IT equipment. This may include software development, financial accounting, customer management and supplier management.
- Secure system engineering principles – Secure engineering describes how you will apply security when you develop any new IT projects or how you will apply it to existing infrastructure. This security isn’t limited to firewalls or secure passwords – it also incorporates disaster planning and business continuity. When establishing these principles, you need to account for more than malicious human behaviour; you need to account for accidents, system failures and even natural disasters.
- Supplier security policy – There is little point in establishing security around sensitive information if flaws in a supplier’s security expose that information to theft or destruction. As such, it’s important to establish a policy regarding suppliers’ information security. Try to create a collaborative policy that facilitates close working relationships with suppliers who have access to or who could potentially compromise your data security.
- Logging user activities, exceptions, and security events – This is vital for maintaining security. It doesn’t just help you ascertain how incidents occurred; it can also help with your risk assessments and identify weaknesses in your information security.
You’re Ready for ISO 27001 Certification
Undertaking the ISO 27001 certification process is a worthwhile commitment that will help you improve your organisation’s information security.
The first step of certifying your organisation for ISO 27001 (once your organisation has implemented as much of the standard as it can) is a visit from one of our expert auditors for the Stage 1 assessment. They will identify any gaps in your current ISMS that must be addressed before continuing the certification process. Your organisation will then be able to take the time to implement the relevant changes.
Once this is done and the auditor considers your ISMS compliant, your organisation will undergo an in-depth Stage 2 assessment before it can successfully achieve ISO 27001 certification.
Amtivo is an INAB-accredited certification body for ISO certifications, with proven expertise to help guide your business towards successful ISO certifications. The Irish National Accreditation Board (INAB) is the national body with responsibility for the accreditation of certification bodies and inspection bodies.