What does ISO 27001 actually look like?
ISO/IEC 27001 is split into 11 sections, plus Annex A. Sections 0 to 3 are introductory (and are not mandatory for implementation), while sections 4 to 10 are mandatory – meaning that all their requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.
According to Annex SL of the International Organization for Standardization ISO/IEC Directives, the section titles in ISO 27001 are the same as in ISO 22301:2012, in the new ISO 9001:2015, and other management standards, enabling easier integration of these standards.
Section 0: Introduction – explains the purpose of ISO 27001 and its compatibility with other management standards.
Section 1: Scope – explains that this standard is applicable to any type of organization.
Section 2: Normative references – refers to ISO/IEC 27000 as a standard where terms and definitions are given.
Section 3: Terms and definitions – again, refers to ISO/IEC 27000.
Section 4: Context of the organization – this section is part of the Plan phase in the PDCA cycle and defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
Section 5: Leadership – this section is part of the Plan phase in the PDCA cycle and defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information security policy.
Section 6: Planning – this section is part of the Plan phase in the PDCA cycle and defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
Section 7: Support – this section is part of the Plan phase in the PDCA cycle and defines requirements for availability of resources, competences, awareness, communication, and control of documents and records.
Section 8: Operation – this section is part of the Do phase in the PDCA cycle and defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.
Section 9: Performance evaluation – this section is part of the Check phase in the PDCA cycle and defines requirements for monitoring, measurement, analysis, evaluation, internal audit and management review.
Section 10: Improvement – this section is part of the Act phase in the PDCA cycle and defines requirements for nonconformities, corrections, corrective actions and continual improvement.
Annex A – this annex provides a catalogue of 114 controls (safeguards) placed in 14 sections (sections A.5 to A.18).
See also: Has the PDCA Cycle been removed from the new ISO standards?