Management system · Clauses 4–10 · ISMS
ISO 27001
ISO/IEC 27001:2013 is the requirements standard for an Information Security Management System (ISMS). It has ten short clauses plus a long Annex A. Clauses 4–10 are the mandatory, auditable part; they tell you how to build, run, measure and improve the system. This page walks the clauses in plain English.
→What the standard is
ISO 27001 gives you the requirements for establishing, implementing, maintaining and continually improving an ISMS. A few framing points worth keeping straight:
- Adopting these requirements is a strategic decision — it has to come from top management or the board, not from IT alone.
- An ISMS exists to preserve the confidentiality, integrity and availability of information — the CIA triad.
- Risk management processes sit at the centre of the whole thing.
- The ISMS must be integrated with the rest of the organisation's processes and overall management structure — not bolted on the side.
- Read ISO 27000:2018 alongside it — it supplies the overview, principles and vocabulary you need to read 27001 properly.
→Clause 4 — Context of the organisation
Before any controls, you decide why and for whom.
- What do we actually want to achieve with the certification / the ISMS?
- Which interested parties have requirements — customers, partners, regulators?
- This is where the scope of the ISMS is set (clause 4.3) and where the need for an ISMS is established.
→Clause 5 — Leadership
5.1 Leadership and commitment
- Management has to be involved from the start and demonstrably take responsibility.
- Allocate the resources needed to run the ISMS.
- Define the ISMS roles and who supports the system.
- Support the ISMS across its whole lifecycle.
5.2 Policy & documentation foundations
- The information security policy.
- A preliminary risk assessment, followed by the full risk assessment.
- An action / risk-treatment plan.
- A Statement of Applicability (SoA).
- Get management to approve the risk-assessment results, the SoA and the policy.
5.3 Roles, responsibility and authority
Who does what — assigned, communicated and understood.
→Clause 6 — Planning
6.1 Actions to address risks and opportunities
- 6.1.1 — Define preventive actions, aligned with the interested-party requirements captured in clause 4.
- 6.1.2 — Establish a risk-assessment process that fits the ISMS. It must be repeatable and iterative, and cover risk identification, analysis and evaluation.
- 6.1.3 — Risk treatment. Controls are considered and selected from Annex A (but you are not limited to Annex A). The output feeds the SoA and the risk-treatment plan.
6.2 Information security objectives & plans
- Objectives must be communicated across the organisation and stay consistent with the policy.
- Decide what implementing them takes, and who does the work.
- Documentation must be kept up to date.
→Clause 7 — Support
| Sub-clause | What it requires |
|---|---|
| 7.1 Resources | The organisation defines and provides the resources the ISMS needs to meet its objectives and keep improving. |
| 7.2 Competence | Competence shown through training, experience or education. Where it's lacking, set targets for the required training. |
| 7.3 Awareness | Awareness training so everyone is on board — staff must know the security policies and their purpose. |
| 7.4 Communication | Internal and external communication relevant to the ISMS. |
| 7.5 Documented information | Systems, processes and policies are described and documented. Each document has a named owner, is reviewed and approved before release, and is protected so its content isn't lost or altered. |
→Clause 8 — Operation
- 8.1 Operational planning & control — Plan, implement and control the relevant processes. Beyond security, account for change and for unforeseen change (outages) — and how you recover from them.
- 8.2 Risk assessment — Carry out assessments in line with 6.1.2.
- 8.3 Risk treatment — Keep documentation of how risks are handled in place and maintained.
→Clause 9 — Performance evaluation
- 9.1 Monitoring, measurement, analysis & evaluation — Define measures for ISMS effectiveness, e.g. whether the organisation and its people are in compliance with the documentation.
- 9.2 Internal audit — Run internal audits at planned intervals. Auditors must be independent of the area audited; unmet requirements are reported to the relevant management.
- 9.3 Management review — Management reviews the audit results to confirm the ISMS and ISO requirements are being met. Deviations are addressed. The review is documented so the ISMS keeps its strategic backing.
→Clause 10 — Improvement
- 10.1 Nonconformity & corrective action — Deviations found in review are handled, documented and described so they're avoided going forward. The effectiveness of the corrective actions is evaluated and recorded alongside the deviation.
- 10.2 Continual improvement — The ISMS is maintained and improved over time so it grows more resilient. Neglect it and it slowly becomes redundant and loses its function.
→What certification actually requires
Clauses 4–10 must be documented. The SoA must highlight which Annex A controls are adopted and which are not — and why. The mandatory documented information for certification:
Scope & policy
- ISMS scope (4.3)
- Information security policy (5.2)
- Information security objectives (6.2)
Risk
- Risk assessment process (6.1.2)
- Risk treatment process (6.1.3)
- Risk-assessment results (8.2)
- Risk-treatment decisions / SoA (8.3)
Operate & evidence
- Competence evidence (7.2)
- Operational planning & control (8.1)
- Monitoring & measurement (9.1)
Review
- Internal audit programme & results (9.2)
- Management review evidence (9.3)
- Nonconformities & corrective actions (10.1)
→Why do the clauses start at 4 and Annex A at A.5?
Clauses 1–3 are scope, normative references, and terms/definitions (reused from ISO 27000) — administrative, not auditable. The real management-system requirements begin at clause 4. This high-level structure comes from Annex L (formerly Annex SL), the common template that keeps all ISO management-system standards consistent and aligned.
Annex A controls start at A.5 because they map directly onto ISO 27002, where sections 1–4 are introductory and the controls begin at section 5. See the companion pages on ISO 27002 / Annex A and ISO 27005 (risk).