ReadSafety.com

ISO 27001 Questions, Answered

What are the requirements of ISO 27001?

Quick answer

ISO 27001 has two layers. Clauses 4 to 10 define the mandatory management system: context, leadership, risk assessment and treatment, resources, operation, performance evaluation, and improvement. Annex A lists 93 reference controls; you select which apply through your risk assessment and justify inclusions and exclusions in the Statement of Applicability.

Layer one: the management system (clauses 4 to 10)

  • Clause 4, Context. Internal and external issues, interested parties and their requirements, and a precisely defined ISMS scope.
  • Clause 5, Leadership. Top management accountability, an information security policy, and assigned roles including who reports ISMS performance to leadership.
  • Clause 6, Planning. The engine of the standard: a defined risk assessment process, risk treatment, the Statement of Applicability, security objectives, and planned changes.
  • Clause 7, Support. Resources, competence, awareness (auditors interview staff about it), communication, and documented information.
  • Clause 8, Operation. Running the plans: performing risk assessments at planned intervals and when significant change occurs, implementing treatments, and controlling outsourced processes.
  • Clause 9, Performance evaluation. Monitoring and measurement, internal audit, and management review with defined inputs and outputs.
  • Clause 10, Improvement. Nonconformity, corrective action, and continual improvement.

Layer two: Annex A and the SoA

Annex A (aligned with ISO 27002:2022) provides 93 controls in four themes: organizational (37), people (8), physical (14), and technological (34). None is automatically mandatory; each is adopted, adapted, or excluded based on your risk assessment, and the Statement of Applicability records the decision and justification for every one. The SoA is the document auditors live in: it is the map between your risks and your controls, and unjustified exclusions or copy-pasted justifications are among the most common Stage 1 findings.

Key factISO 27001 mandates the management system, not specific technologies. No clause requires a particular firewall, SIEM, or encryption product. What it requires is that your choices trace back to an honest risk assessment, are implemented as stated in your SoA, and produce evidence of operation.

The thread auditors pull

A competent auditor picks one risk from your register and walks it end to end: how it was identified and scored, which treatment was chosen, which SoA controls implement it, where the control operates in practice, what evidence its operation leaves, and how monitoring or internal audit would catch its failure. Then they pick an incident and walk it backward through the same chain. Systems built as genuine risk machinery pass this trace easily; systems built as policy libraries do not.

Ready to take the next step?

USQC - United Safety Quality Council is an ASC-accredited certification body providing third-party ISO 27001 certification audits, internal and supplier audit services, and auditor training. Since 2015, USQC has automated audit planning, reporting, and decision support, cutting audit man-days that other certification bodies bill for and placing USQC pricing in the lower quartile, with highly experienced lead auditors on every audit.

Talk to USQC