ISO 27001 Clauses 4-10—Technical Requirements Detailed

Summary of ISO/IEC 27001 Requirements

Mandatory-Only Documentation 

This clause in ISO/IEC 27001 asks organizations to consider both external and internal factors that could affect how they manage information security. It also asks you to understand the needs and expectations of stakeholders, and to identify any key relationships or dependencies. All of this is considered when defining the scope of your ISMS.

Your ISMS scope sets the boundaries for which data and information will be protected under the system, and which will not. This applies no matter where the information is stored or accessed, whether it is in your offices, in the cloud, or from a remote location.

ISO/IEC 27001 refers to the scope as the “boundary and applicability” of the ISMS. In simple terms, it is about being clear on what is included in your security efforts, and what sits outside of them.

The ISMS Scope. 

ISO/IEC 27001 is frequently referred to as a “top-down management driven” management system. One of the standard’s key clauses outlines what is expected from top management. It requires them to show clear leadership and commitment, set and share a high-level Information Security Policy, and make sure that everyone involved in the ISMS knows their roles, responsibilities and authority. In short, it is about strong governance and clear communication from the top.

An Information Security Policy. 

As the clause title indicates, organizations are required to plan the establishment and implementation of their ISMS.

This involves identifying and addressing risks and opportunities, assessing, and treating information security risks, setting clear information security objectives, and planning for change.

These objectives should be communicated effectively and, where practical, monitored and measured, taking into account security requirements as well as the outcomes of risk assessments and treatments.

Plans should be developed to achieve these objectives, detailing the “what,” “how,” “when,” and “who.”

Additionally, any changes to the ISMS must be managed in a planned and controlled manner.  

Information security risk assessment process. 

Information security risk treatment process. 

Information security objectives. 

Another well-named clause in ISO/IEC 27001 sets out what is needed to properly support an ISMS.

This includes making sure the organization provides enough time, people, funding, information, and infrastructure to run it effectively.

It also covers the competence of personnel, with a requirement to take action if someone lacks the necessary skills.

Everyone in the organization must have a basic level of information security awareness. On top of that, communication around the ISMS must be planned and purposeful, and the management of ISMS-related documents (known as “documented information”) needs to be handled in a clear, efficient, and effective way.

Evidence of competence (for all relevant ISMS roles). 

Building on previous clause requirements which establish and implement an ISMS, organizations now need to operate and maintain (including continual improvement) their ISMS.

Clause 8 focuses on putting the ISMS into action. It outlines what is needed to run the system day to day and make sure it meets the standard’s requirements and supports your organization’s ISMS objectives.

This includes planning, implementing, and controlling all relevant processes. To do this, you need to set clear criteria for how processes should work and make sure they are followed.

The clause also highlights the need to manage changes effectively, oversee any outsourced processes, and keep up with ongoing risk assessment and treatment.

The results of operationalised risk assessment and treatment. 

Additionally, optional documentation can be generated to underpin organizational confidence that ISMS processes are carried out as planned. 

This clause focuses on using data and insight to support continual improvement of the ISMS. It sets out requirements for monitoring, measuring, analysing and evaluating how the system is performing. The organization decides what to monitor, how to do it, when it should happen and who is responsible. 

It also covers the need for internal audits and regular management reviews at planned intervals. 

In short, this clause asks organizations to review how well their ISMS is working, and whether it continues to be suitable, effective and fit for purpose. 

The results of monitoring, measurement, analysis and evaluation. 

A fully documented internal audit program. 

The results of ISMS review by Top Management. 

Building on the results from performance evaluation in Clause 9, this final mandatory clause focuses on continual improvement of the ISMS. 

It requires organizations to regularly review how suitable, adequate and effective their ISMS is. It also covers how to handle nonconformities when something doesn’t meet the standard by taking the right corrective action. 

Nonconformities might be spotted during internal or external audits, reviews of security incidents, or day-to-day observations. Addressing these issues properly is a key part of keeping the ISMS effective over time.  

Nonconformities (the nature of), corrective actions and their results. 

Summary of Requirements 

Example, typical or suggested/inferred documentation 

This group includes 37 controls that are organizational in nature. They focus on managing risks linked to governance, management, and day-to-day operations rather than technical systems, people, or physical security.

Like all Annex A controls, these can be preventive, detective and/or corrective in how they work. 

Examples include controls related to information security governance (policies, procedures, roles and responsibilities, segregation of duties, contacts, etc.), threat intelligence, asset management, Identity and Access Management (IAM), supplier relations, information security incident management, legal, statutory, regulatory and contractual requirements (including IP, record and PII protection, independent review and compliance). 

Information security and topic-specific policies. 

Inventory of assets. 

Rules for acceptable use of assets (mandatory). 

Information classification and labelling procedures. 

Rules for physical and logical access. 

Supplier agreements (to include organizational information security requirements). 

Information security incident management procedures (mandatory). 

Information security continuity (plans, testing, etc.). 

Legal, statutory, regulatory and contractual requirements and approach to compliance (mandatory). 

Documented information process and information process facilities operating procedures (mandatory). 

This section includes 8 controls that are HR-related. They focus on managing risks connected to people in the organization and how they interact with information and the systems used to process it. 

Like all Annex A controls, these can be preventive, detective and/or corrective in how they work. 

Examples include controls related to pre-employment (screening, terms and conditions, confidentiality/NDAs), during employment (awareness, disciplinary process, remote working, incident reporting) and personnel termination (responsibilities after termination or change). 

Personnel terms and conditions of employment (including information security responsibilities). 

Formal disciplinary process. 

Confidentiality or non-disclosure agreements (mandatory). 

Remote working requirements. 

Contains a selection of 14 controls designed to primarily respond to or modify risks associated with the physical site and environment.  

Like all Annex A controls, these can be preventive, detective and/or corrective in how they work. 

Examples include controls for physical perimeter, entry and the internal security of offices, rooms and facilities (all including monitoring), procedures for working in secure areas, protection of all physical assets (onsite and offsite), equipment maintenance, secure disposal and clear desk and screen. 

Building and services schematics. 

Procedures for working in secure areas. 

Rules for clear desks and screens. 

Rules for the management of the lifecycle of storage media (can be related to organizational asset management controls, including classification and labelling). 

Equipment maintenance agreements and records (can be related to organizational supplier relation controls). 

Contains a selection of 34 controls designed to primarily respond to or modify risks associated with the use of technology.   

As with all Annex A controls, they have preventive, detective and/or corrective attributes. 

Examples include controls for IT operations (configuration management, capacity management, end point device management, information and utility access restrictions, authentication, malware protection, technical vulnerability management, backup, data masking and leakage prevention, redundancy, logging and monitoring), network operations (network security, services, segregation, filtering), cryptography, secure software development (lifecycle, policy, principles, coding, testing, outsourcing) and change management. 

Technical vulnerability management process and procedures. 

Configuration management (mandatory). 

Backup policy. 

Logging and monitoring procedures and activities. 

Network diagrams. 

Rules for secure development (lifecycle and secure coding). 

Change management procedure or process.