Welcome to Amtivo in the United States, formerly Orion Registrar and ASR


ISO 27001 Requirements – a Comprehensive Guide


To achieve ISO 27001 certification, you must understand the standard’s requirements, plan thoroughly and implement them effectively. This guide explores the mandatory ISO 27001 requirements, detailing the clauses of the standard and documentation to achieve compliance.

What Are the ISO 27001 Requirements?

Safeguarding sensitive information remains paramount for organizations regardless of size.

ISO 27001 is a globally recognized standard that provides a structured framework for managing information security risks.

Each organization faces unique information security challenges, so ISO 27001 doesn’t impose a generic security approach.

Instead, implementing ISO 27001 encourages you to implement the appropriate processes and policies that contribute to information security.

The ISO 27001 requirements outline the measures, policies and processes organizations need to implement a robust Information Security Management System (ISMS) that meets the global standard. The requirements include the scope of the standard, leadership commitment, planning, risk assessment and risk management.

To achieve ISO 27001 certification you must demonstrate compliance with the clauses outlined in the ISO 27001 compliance framework.


List of ISO 27001 Requirements

Clause 1: Scope

Clause 1 states the scope of the standard itself. The related requirement on your organization, formally set out in sub-clause 4.3, is to determine the scope of the ISMS: its boundaries and applicability, detailing the locations, assets and technologies it covers. Because the scope statement shapes everything that follows, it is one of the first documents you should produce.

Documentation Required: A Scope Statement

This document sets out the processes, activities and assets to which your ISMS will be applied and the boundaries that will be placed on it.

Outlining your management system’s applicability will involve describing the types of products and services provided by your organization and where they are provided (such as regionally, nationally or internationally).

Establishing the boundaries will require you to outline which parts of your organization will be subject to the ISMS. This may include processes, sites, departments and divisions.

In most cases, your ISMS will be applied to your entire organization. However, there may be circumstances where it is either inappropriate or impossible for a process, site or team to fall within the scope of your management system.

Clause 2: Normative References

This clause lists the standards that must be read alongside ISO 27001 to apply it correctly. For ISO 27001 the only normative reference is ISO/IEC 27000, which supplies the overview and vocabulary used throughout the standard.

No documentation is required, but your organization should be familiar with the referenced materials.

Clause 3: Terms and Definitions

This clause requires knowledge of the specific terms and definitions used in the standard. Understanding these is essential for correctly applying the ISMS requirements outlined in ISO 27001.

No documentation is required, but a glossary of terms may be helpful.

Clause 4: Context of the Organization

Organizations must determine the internal and external issues that affect their ability to achieve the ISMS’s intended outcomes. This requires identifying stakeholders, determining the ISMS’s scope and aligning it with the organization’s objectives.

Documentation Required:

  • A Context Analysis identifying the internal and external issues relevant to your ISMS.
  • An Interested Parties List detailing all stakeholders and their requirements.

Clause 5: Leadership

Clause 5 focuses on the mandatory requirement for top-level management to demonstrate their commitment to fully supporting the ISMS.

This includes establishing a clear information security policy, assigning relevant roles and responsibilities, and ensuring the necessary resources are available to whoever needs them.

Required Documentation:

  • An Information Security Policy outlining your organization’s approach to managing information security to comply with legal regulations and ethical obligations. Your policy should also demonstrate your commitment to continual improvement.
  • A definition of the Roles and Responsibilities related to information security. Full job descriptions aren’t necessary, and these roles do not need to be held by employees whose sole responsibility is information security.

For example, a sales manager may have access to the customer database and is therefore responsible for ensuring that this access is protected and secure.


Clause 6: Planning

A core requirement of ISO 27001 is to identify, assess and manage information security risks.

Organizations must identify risks and opportunities related to the ISMS and plan actions to address them. This includes setting information security objectives and plans to achieve them.

Organizations should be able to develop and implement the most appropriate information security and confidentiality procedures for their operations by undertaking thorough and regular risk assessments.

Required Documentation:

  • A Risk Assessment and Treatment Plan that details the process for assessing and treating risks.
  • Information Security Objectives to record the set objectives and plans to achieve them.
  • The Statement of Applicability (SoA), which explains which of the information security controls in Annex A of ISO 27001 you are adopting and why. The 2022 edition of the standard lists 93 Annex A controls; the 2013 edition listed 114.

In more detail, the risk assessment and risk treatment methodology sets out how you identify risks to information security and how you decide to treat them. You are not required to list the individual risks in this document, only your process for identifying and evaluating them; the risks actually found, and their treatment, are recorded separately in the risk assessment and treatment reports described under Clause 8.

Risks might include:

  • Accidental loss
  • Accidental destruction
  • Incorrect storage
  • Inadvertent sharing
  • Unauthorized access by an employee
  • Unauthorized access by an external party

The methodology should address:

  • How you will identify risks
  • Who will own the risk
  • How you will determine the likelihood of the risk
  • How you will determine the severity of the risk
  • How you will determine the acceptance of a risk

Once you’ve established which controls you have chosen, the risk treatment plan document outlines how the information security management controls will be implemented, who is responsible for this, any required resources and the timeframe for implementation.

You also need a documented incident management procedure, in place before any incident occurs, so that security incidents are handled consistently.

The procedure should establish how your organization will determine who takes ownership of managing an incident and how that individual will:

  • Gather evidence following the incident.
  • Establish the circumstances surrounding and leading to the incident, including ascertaining the root cause, what happened and who was involved, for example.
  • Record any activities undertaken in response to the incident for later analysis.
  • Make management and leadership teams aware of the incident.
  • Raise the incident with regulators or independent bodies, if necessary.
  • Address any identified weaknesses that caused or contributed to the incident.

There would also need to be a business continuity plan in place.

This procedure can help your business to continue to operate after an information security incident. It outlines the responsibilities, actions, timescales and work required. Other clauses of ISO 27001 cover these aspects in more detail.

With so many controls to address, the Statement of Applicability has the potential to become unwieldy, but for each Annex A control you are only required to:

  1. Identify which of the controls apply to your organization.
  2. Outline why these controls apply.
  3. State how the controls have been implemented.
  4. Explain why any controls have not been chosen (known as exclusions.)
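The risk methodology above (identify, assign an owner, rate likelihood and severity, decide on acceptance) and the four Statement of Applicability requirements are easier to keep consistent when the SoA is derived from the risk register rather than written by hand. The following Python is an added example, not code from the original page or from Amtivo: it scores a constructed risk register on an assumed 4x4 scale with an assumed acceptance threshold, produces the treatment plan, and generates an SoA row for every control, failing loudly when a treated risk has no control or a control is neither selected nor justified as excluded. The control identifiers are a small illustrative subset of ISO/IEC 27001:2022 Annex A; the risks, owners, scales and threshold are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed scoring scale and acceptance criterion. ISO 27001 leaves the
# methodology to the organization, so these values are illustrative only.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
SEVERITY = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
ACCEPTANCE_THRESHOLD = 6  # scores at or below this are accepted untreated

# Illustrative subset of ISO/IEC 27001:2022 Annex A controls (id -> title).
ANNEX_A = {
    "A.5.15": "Access control",
    "A.5.19": "Information security in supplier relationships",
    "A.8.13": "Information backup",
    "A.8.15": "Logging",
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    owner: str
    likelihood: str
    severity: str
    controls: Tuple[str, ...]  # Annex A controls chosen to treat this risk

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    def decision(self) -> str:
        return "accept" if self.score() <= ACCEPTANCE_THRESHOLD else "treat"


def validate(register: List[Risk]) -> None:
    """Catch the two gaps an auditor looks for first."""
    for r in register:
        unknown = [c for c in r.controls if c not in ANNEX_A]
        if unknown:
            raise ValueError(f"{r.risk_id} references unknown controls: {unknown}")
        if r.decision() == "treat" and not r.controls:
            raise ValueError(f"{r.risk_id} scores {r.score()} but has no treatment")


def treatment_plan(register: List[Risk]) -> List[Dict[str, object]]:
    """Risks above the acceptance threshold, with owner and chosen controls."""
    validate(register)
    return [
        {"risk": r.risk_id, "owner": r.owner, "score": r.score(),
         "controls": list(r.controls)}
        for r in register if r.decision() == "treat"
    ]


def statement_of_applicability(register: List[Risk],
                               exclusions: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """One row per Annex A control: applicable or not, and the justification."""
    validate(register)
    soa: Dict[str, Dict[str, object]] = {}
    for cid, title in ANNEX_A.items():
        # A control is applicable when it treats at least one risk above threshold.
        treats = [r.risk_id for r in register
                  if cid in r.controls and r.decision() == "treat"]
        if treats:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "treats " + ", ".join(treats)}
        elif cid in exclusions:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": exclusions[cid]}
        else:
            raise ValueError(f"{cid} is neither selected nor justified as excluded")
    return soa


# Constructed risk register for the example (not real data).
REGISTER = [
    Risk("R-1", "Unauthorized access to the customer database by an external party",
         "Sales Manager", "likely", "severe", ("A.5.15", "A.8.15")),
    Risk("R-2", "Accidental destruction of financial records",
         "Finance Lead", "possible", "major", ("A.8.13",)),
    Risk("R-3", "Inadvertent sharing of the internal newsletter",
         "Comms Lead", "unlikely", "minor", ()),
]
# Assumed exclusion justification for the one control no risk selects.
EXCLUSIONS = {"A.5.19": "No supplier has access to in-scope information"}

if __name__ == "__main__":
    for row in treatment_plan(REGISTER):
        print(row)
    for cid, row in statement_of_applicability(REGISTER, EXCLUSIONS).items():
        print(cid, row)
```

Generating the SoA this way gives each applicable control a traceable justification (the risks it treats) and forces an explicit reason for every exclusion, which is exactly the evidence an auditor will ask for when walking from the risk register to the controls.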

Clause 7: Support

This clause focuses on the resources, competence, awareness, communication and documented information necessary to support the ISMS.

To meet these criteria, you will need documentation of resource allocation. The ISMS itself may require some direct resource allocation to be ISO 27001-compliant—for example, you may need to invest in new or more advanced security software—but that isn’t the only support organizations should consider.

To manage an ISMS effectively, various team members will need to take ownership and responsibility for certain areas and processes, documenting their responsibilities and suitability for their roles—this is outlined in sub-clause 7.2.

Records of training, skills, experience and qualifications will demonstrate that every employee has the appropriate level of competence, showing that your organization takes data security seriously and seeks continual improvement.

Required Documentation:

  • Competence Records to document the skills, training and experience of individuals involved in the ISMS.
  • A Communication Plan for internal and external communications relevant to the ISMS.
  • Documented Information outlining the policies, procedures and records required and necessary by the standard for the effective planning, operation and control of processes.

Clause 8: Operation

Clause 8 focuses on the operational planning and control of the ISMS.

This includes evaluating its operational controls and security risks, applying security measures and ensuring compliance with the organization’s policies and objectives.

The security risk assessments outlined in Clause 6 are a part of this process, highlighted in sub-clauses 8.2 and 8.3.

Sub-clause 8.2 concerns risk assessments. It requires organizations to establish and implement a systematic process to identify, analyze and evaluate information security risks, including assessing the likelihood of each risk occurring and the consequences if it does. A risk assessment and risk treatment report will describe the findings of your assessment, including any risks identified and any treatment undertaken to mitigate or avoid them.

Sub-clause 8.3 covers risk treatment, requiring organizations to determine the appropriate measures needed to address the identified risks. This involves selecting risk treatment options, implementing security controls to mitigate risks and thoroughly documenting the risk treatment plan. These documents may be needed later as evidence during audits.

Documentation Required:

  • Operational Procedures document detailing the procedures for managing the ISMS.
  • Risk Treatment Plan as mentioned in Clause 6.

Clause 9: Performance Evaluation

To achieve ISO 27001 certification, organizations must monitor, measure and evaluate the performance of their ISMS. This includes conducting and implementing a program of regular internal audits and management reviews to assess the system’s effectiveness.

An internal audit is a key aspect of an ISMS, assessing its effectiveness and your organization’s overall performance regarding information security. You must record and document the details of internal audits, including any issues or opportunities for improvements such audits uncover.

One of ISO 27001’s greatest strengths is its emphasis on continual improvement. That’s why a key part of an ISMS is monitoring and measuring results. This data is vital for securing the future success of your ISMS and ISO 27001 certification—it can inform future strategies.

You will need to have a documented record of these evaluations alongside evidence that your organization has considered:

  • What to measure.
  • How and when to measure it.
  • How the results will be used for effective process control and improvement.

Senior management should regularly review the ISMS to assess its efficiency, and in accordance with the standard, the results of management reviews should be recorded.

Required Documentation:

  • Monitoring and Measurement Records of monitoring and measurement activities.
  • Internal Audit Program and Reports documenting the internal audit process and findings.
  • Management Review Minutes, records of management reviews, including decisions and actions.

Clause 10: Improvement

Clause 10 concerns continual improvement—a key tenet of ISO 27001 (and other ISO standards.)

A fundamental part of operating and maintaining any management system is identifying, fixing and documenting nonconformities and the results of corrective actions. Even the best ISMS can have weak spots, so organizations must make timely adjustments and corrections. They also need to create plans that mitigate the risk of reoccurrences in the future and implement them.

This process repeats itself with every routine performance evaluation.

When documenting continual improvement efforts, you should include the following information:

  • The details of the nonconformity.
  • The actions taken (in detail.)
  • What concessions are obtained.
  • The responsible individuals.

You also need to include clear evidence in the documentation showing how any corrective action has achieved the desired results (ISO 27001 conformity.)

Required Documentation:

  • Nonconformity and Corrective Action Records, documenting nonconformities and the actions taken to address them.
  • A Continual Improvement Plan outlining how the organization intends to improve the ISMS over time.


Other Key Documents

Other valuable documentation that may be necessary for effectively implementing and maintaining an ISMS includes:

  • Inventory of assets—Document any asset involved in storing or processing information, including desktop computers, laptops, servers, phones, tablets, physical documents, financial records, email systems, and cloud computing services.
  • Acceptable use of assets—The assets you identified in your inventory handle sensitive information, so they must be used appropriately. Establishing acceptable use makes it clear to all employees how they are permitted to use a device to maintain information security.
  • Access control policy—This will help your organization manage access so that only the appropriate people are granted access to sensitive information. This document should outline how access to sensitive information is granted, reviewed and revoked.
  • Operating procedures for IT management—Document procedures for areas where sensitive information is at risk through incorrect operation of IT equipment. These may include software development, financial accounting, customer management and supplier management.
  • Secure system engineering principles—Secure engineering describes how you will apply security when you develop any new IT projects or how you will apply it to existing infrastructure. This security isn’t limited to firewalls or secure passwords—it also incorporates disaster planning and business continuity. When establishing these principles, you need to account for more than malicious human behavior; you need to account for accidents, system failures and even natural disasters.
  • Supplier security policy—There is little point in establishing security around sensitive information if flaws in a supplier’s security expose that information to theft or destruction. As such, it’s important to establish a policy regarding suppliers’ information security. Try to create a collaborative policy that facilitates close working relationships with suppliers who have access to or who could potentially compromise your data security.
  • Logging user activities, exceptions, and security events—This is vital for maintaining security. It doesn’t just help you ascertain how incidents occurred; it can also help with your risk assessments and identify weaknesses in your information security.
You’re Ready for ISO 27001 Certification

Undertaking the ISO 27001 certification process is a worthwhile commitment that will help you improve your organization’s information security.

The first step of certifying your organization for ISO 27001 (once your organization has implemented its ISMS as far as it can) is a visit from one of our expert auditors for the Stage 1 assessment. They will identify any gaps in your current ISMS that must be addressed before continuing the certification process. Your organization will then be able to take the time to implement the relevant changes.

Once this is done and the auditor considers your ISMS compliant, your organization will undergo an in-depth Stage 2 assessment before it can successfully achieve ISO 27001 certification.

Amtivo is an ANAB-accredited certification body with proven expertise to help guide your business towards successful certifications. The ANSI National Accreditation Board (ANAB) is the largest accreditation body in North America and provides accreditation services and training to public- and private-sector organizations serving the global marketplace.

Find out more with our guide to ISO 27001.
