ISO 27001 Requirements – A Comprehensive Guide

Implementing the Requirements of ISO/IEC 27001:2022 

To successfully achieve and retain ISO/IEC 27001 certification, it is critical for organisations to properly understand the technical and mandatory requirements of the standard. They must establish, operate, maintain and continually improve a conformant Information Security Management System (ISMS) in an effective and efficient manner.   

The following information explores ISO/IEC 27001 in detail, providing insights into the standard’s clauses and controls and their requirements to achieve conformance. It focuses on the technical requirements of ISO 27001 – ideal if you’re ready to learn more about the specifics.  

If you’re just starting out and looking for a high-level overview of what ISO 27001 is and why it matters, we recommend heading over to our Beginner’s Guide to ISO 27001 instead. 


Summary Insights Into ISO/IEC 27001 Requirements 

ISO/IEC 27001 is divided into two components, or parts: 

1. Mandatory “Management” or “ISMS” component (Clauses 4 to 10)  

This part contains approximately 140-150 requirements for setting up, running, maintaining, and continually improving an Information Security Management System. These are the core requirements that every organisation must follow to be in line with the standard.  

2. Annex A information security controls component (Clauses 5 to 8)  

This part contains ninety-three potential controls – practical measures or actions that help reduce risks to information and systems. You don’t need to use all of them. The ones you choose depend on what comes out of your risk assessment and planning process (Clause 6).  

Although ISO/IEC 27001 includes Clauses 1 to 3, these clauses do not contain any conformance requirements. They explain the scope, give references and define terms. They do not include any requirements for certification, meaning they can be safely ignored when focusing on the core requirements.  

The table below summarises ISO/IEC 27001’s Clauses 4 to 10 and the Annex A information security controls reference Clauses 5 to 8, including identification of mandatory documentation.


ISMS/Management Component (for each clause: a summary of its requirements, followed by the documentation the standard makes mandatory):

Clause 4 Context of the organisation 

This clause in ISO/IEC 27001 asks organisations to consider both external and internal factors that could affect how they manage information security. It also asks them to understand the needs and expectations of stakeholders, and to identify any key relationships or dependencies. All of this is considered when defining the scope of the ISMS. 

Your ISMS scope sets the boundaries for which data and information will be protected under the system, and which won’t. This applies no matter where the information is stored or accessed, whether it’s in your offices, in the cloud, or from a remote location. 

ISO/IEC 27001 refers to the scope as the “boundary and applicability” of the ISMS. In simple terms, it’s about being clear on what’s included in your security efforts, and what sits outside of them. 

Mandatory documentation: the ISMS scope.

Clause 5 Leadership 

ISO/IEC 27001 is frequently referred to as a “top-down management-driven” management system.  One of the standard’s key clauses outlines what’s expected from top management. It requires them to show clear leadership and commitment, set and share a high-level Information Security Policy, and make sure that everyone involved in the ISMS knows their roles, responsibilities and authority. In short, it’s about strong governance and clear communication from the top. 

Mandatory documentation: an Information Security Policy.

Clause 6 Planning 

As the clause title indicates, organisations are required to plan the establishment and implementation of their ISMS.  

This involves identifying and addressing risks and opportunities, assessing and treating information security risks, setting clear information security objectives, and planning for change.  

These objectives should be communicated effectively and, where practical, monitored and measured, taking into account security requirements as well as the outcomes of risk assessments and treatments.  

Plans should be developed to achieve these objectives, detailing the “what”, “how”, “when”, and “who”.  

Additionally, any changes to the ISMS must be managed in a planned and controlled manner.  

Mandatory documentation:

  • Information security risk assessment process.
  • Information security risk treatment process.
  • Information security objectives.

Clause 7 Support 

Another well-named clause in ISO/IEC 27001 sets out what’s needed to properly support an ISMS. 

This includes making sure the organisation provides enough time, people, funding, information and infrastructure to run it effectively. 

It also covers the competence of personnel, with a requirement to take action if someone lacks the necessary skills.  

Everyone in the organisation must have a basic level of information security awareness. On top of that, communication around the ISMS must be planned and purposeful, and the management of ISMS-related documents (known as “documented information”) needs to be handled in a clear, efficient and effective way.

Mandatory documentation: evidence of competence (for all relevant ISMS roles).

Clause 8 Operation 

Building on previous clause requirements which establish and implement an ISMS, organisations now need to operate and maintain (including continual improvement) their ISMS.  

Clause 8 focuses on putting the ISMS into action. It outlines what’s needed to run the system day to day and make sure it meets the standard’s requirements and supports your organisation’s ISMS objectives. 

This includes planning, implementing and controlling all relevant processes. To do this, clear criteria for how processes should work must be set and followed. 

The clause also highlights the need to manage changes effectively, oversee any outsourced processes, and keep up with ongoing risk assessment and treatment. 

Mandatory documentation: the results of operationalised risk assessment and treatment.

Additionally, optional documentation can be generated to underpin organisational confidence that ISMS processes are carried out as planned.

Clause 9 Performance evaluation 

This clause focuses on using data and insight to support continual improvement of the ISMS. It sets out requirements for monitoring, measuring, analysing and evaluating how the system is performing. The organisation decides what to monitor, how to do it, when it should happen and who is responsible. 

It also covers the need for internal audits and regular management reviews at planned intervals. 

In short, this clause asks organisations to review how well their ISMS is working, and whether it continues to be suitable, effective and fit for purpose. 

Mandatory documentation:

  • The results of monitoring, measurement, analysis and evaluation.
  • A fully documented internal audit programme.
  • The results of ISMS review by top management.

Clause 10 Improvement 

Building on the results from performance evaluation in Clause 9, this final mandatory clause focuses on continual improvement of the ISMS. 

It requires organisations to regularly review how suitable, adequate and effective their ISMS is. It also covers how to handle nonconformities, when something doesn’t meet the standard, by taking the right corrective action.

Nonconformities might be spotted during internal or external audits, reviews of security incidents, or day-to-day observations. Addressing these issues properly is a key part of keeping the ISMS effective over time.  

Mandatory documentation: nonconformities (their nature), corrective actions and their results.


Annex A information security controls reference (for each control group: a summary of its controls, followed by example, typical or suggested/inferred documentation):

IMPORTANT NOTE: The controls provided in Annex A are NOT MANDATORY as the standard specifies that organisations can design their own controls as required or identify them from any source – of course, including from Annex A. Irrespective of the source of an organisation’s controls, they are only implemented when determined necessary to implement risk treatment options (in response to analysed unacceptable risk to the confidentiality, integrity and availability of organisational information and information processing facilities).

Clause 5 Organisational controls 

This group includes 37 controls that are organisational in nature. They focus on managing risks linked to governance, management and day-to-day operations rather than technical systems, people or physical security. 

Like all Annex A controls, these can be preventive, detective and/or corrective in how they work. 

Examples include controls related to information security governance (policies, procedures, roles and responsibilities, segregation of duties, contacts, etc.), threat intelligence, asset management, Identity and Access Management (IAM), supplier relations, information security incident management, legal, statutory, regulatory and contractual requirements (including IP, record and PII protection, independent review and compliance). 

Example or suggested documentation:

  • Information security and topic-specific policies.
  • Inventory of assets.
  • Rules for acceptable use of assets (mandatory).
  • Information classification and labelling procedures.
  • Rules for physical and logical access.
  • Supplier agreements (to include organisational information security requirements).
  • Information security incident management procedures (mandatory).
  • Information security continuity (plans, testing, etc.).
  • Legal, statutory, regulatory and contractual requirements and approach to compliance (mandatory).
  • Documented information process and information processing facilities operating procedures (mandatory).

Clause 6 People controls 

This section includes 8 controls that are HR-related. They focus on managing risks connected to people in the organisation and how they interact with information and the systems used to process it. 

Like all Annex A controls, these can be preventive, detective and/or corrective in how they work. 

Examples include controls related to pre-employment (screening, terms and conditions, confidentiality/NDAs), during employment (awareness, disciplinary process, remote working, incident reporting) and personnel termination (responsibilities after termination or change). 

Example or suggested documentation:

  • Personnel terms and conditions of employment (including information security responsibilities).
  • Formal disciplinary process.
  • Confidentiality or non-disclosure agreements (mandatory).
  • Remote working requirements.

Clause 7 Physical controls 

Contains a selection of 14 controls designed to primarily respond to or modify risks associated with the physical site and environment.  

Like all Annex A controls, these can be preventive, detective and/or corrective in how they work. 

Examples include controls for physical perimeter, entry and the internal security of offices, rooms and facilities (all including monitoring), procedures for working in secure areas, protection of all physical assets (onsite and offsite), equipment maintenance, secure disposal and clear desk and screen. 

Example or suggested documentation:

  • Building and services schematics.
  • Procedures for working in secure areas.
  • Rules for clear desks and screens.
  • Rules for the management of the lifecycle of storage media (can be related to organisational asset management controls, including classification and labelling).
  • Equipment maintenance agreements and records (can be related to organisational supplier relation controls).

Clause 8 Technological controls 

Contains a selection of 34 controls designed to primarily respond to or modify risks associated with the use of technology.   

As with all Annex A controls, they have preventive, detective and/or corrective attributes. 

Examples include controls for IT operations (configuration management, capacity management, end point device management, information and utility access restrictions, authentication, malware protection, technical vulnerability management, backup, data masking and leakage prevention, redundancy, logging and monitoring), network operations (network security, services, segregation, filtering), cryptography, secure software development (lifecycle, policy, principles, coding, testing, outsourcing) and change management. 

Example or suggested documentation:

  • Technical vulnerability management process and procedures.
  • Configuration management (mandatory).
  • Backup policy.
  • Logging and monitoring procedures and activities.
  • Network diagrams.
  • Rules for secure development (lifecycle and secure coding).
  • Change management procedure or process.


What to Expect From the ISO/IEC 27001 Certification Process

Undertaking ISO/IEC 27001 certification is a strategic investment, helping you improve your organisation’s information security management. 

Your journey begins with a Stage 1 Audit by a qualified auditor, who will assess the readiness of your ISMS and identify any potential nonconformities. Your organisation will then implement any necessary changes before continuing the certification process.

Once the identified issues are addressed, your organisation will progress to the Stage 2 Audit. On successful completion, you will be awarded ISO/IEC 27001 certification – demonstrating that your organisation takes information security seriously and manages it to a recognised international standard. 

Amtivo in Ireland is an INAB-accredited certification body for ISO certifications, with proven expertise to provide services to support your business “journey” towards successful ISO certifications. The Irish National Accreditation Board (INAB) is the national body with responsibility for the accreditation of certification bodies and inspection bodies. 

Written by Luke Feeney