Layer one: the management system (clauses 4 to 10)
- Clause 4, Context. Internal and external issues, interested parties and their requirements, and a precisely defined ISMS scope.
- Clause 5, Leadership. Top management accountability, an information security policy, and assigned roles including who reports ISMS performance to leadership.
- Clause 6, Planning. The engine of the standard: a defined risk assessment process, risk treatment, the Statement of Applicability, security objectives, and planned changes.
- Clause 7, Support. Resources, competence, awareness (auditors interview staff about it), communication, and documented information.
- Clause 8, Operation. Running the plans: performing risk assessments at planned intervals and when significant change occurs, implementing treatments, and controlling outsourced processes.
- Clause 9, Performance evaluation. Monitoring and measurement, internal audit, and management review with defined inputs and outputs.
- Clause 10, Improvement. Nonconformity, corrective action, and continual improvement.
Layer two: Annex A and the SoA
Annex A (aligned with ISO 27002:2022) provides 93 controls in four themes: organizational (37), people (8), physical (14), and technological (34). None is automatically mandatory; each is adopted, adapted, or excluded based on your risk assessment, and the Statement of Applicability records the decision and justification for every one. The SoA is the document auditors live in: it is the map between your risks and your controls, and unjustified exclusions or copy-pasted justifications are among the most common Stage 1 findings.
The thread auditors pull
A competent auditor picks one risk from your register and walks it end to end: how it was identified and scored, which treatment was chosen, which SoA controls implement it, where the control operates in practice, what evidence its operation leaves, and how monitoring or internal audit would catch its failure. Then they pick an incident and walk it backward through the same chain. Systems built as genuine risk machinery pass this trace easily; systems built as policy libraries do not.