CALL US 1-888-553-2256

The ISO 27001 & ISO 22301 Blog

Andrea Giesler

What do the ISO 27001 requirements and structure look like?

The ISO 27001 standard offers requirements and a structure that will provide guidance in implementing an Information Security Management System (ISMS). As a management system, ISO 27001 is based on continuous improvement – in this article, you will learn more about how this is reflected in the ISO 27001 requirements and structure.

Two main parts of the standard

The standard is separated into two parts. The first, main part consists of 11 clauses (0 to 10). The second part, called Annex A, provides a guideline for 114 control objectives and controls. Clauses 0 to 3 (Introduction, Scope, Normative references, Terms and definitions) set the introduction of the ISO 27001 standard. The following clauses 4 to 10, which provide ISO 27001 requirements that are mandatory if the company wants to be compliant with the standard, are examined in more detail further in this article.

Annex A of the standard supports the clauses and their requirements with a list of controls that are not mandatory, but that are selected as part of the risk management process. For more, read the article The basic logic of ISO 27001: How does information security work?

ISO 27001 requirements and structure

Clause 4: Context of the organization

One prerequisite of implementing an Information Security Management System successfully is understanding the context of the organization. External and internal issues, as well as interested parties, need to be identified and considered. Requirements may include regulatory issues, but they may also go far beyond.

With this in mind, the organization needs to define the scope of the ISMS. How extensively will ISO 27001 be applied to the company?

Read more about the context of the organization in the articles How to define context of the organization according to ISO 27001, How to identify interested parties according to ISO 27001 and ISO 22301, and How to define the ISMS scope.

Clause 5: Leadership

The requirements of ISO 27001 for an adequate leadership are manifold. The commitment of the top management is mandatory for a management system. Objectives need to be established according to the strategic objectives of an organization. Providing resources needed for the ISMS, as well as supporting persons to contribute to the ISMS, are other examples of the obligations to meet.

Furthermore, the top management needs to establish a policy according to the information security. This policy should be documented, as well as communicated within the organization and to interested parties.

Roles and responsibilities need to be assigned, too, in order to meet the requirements of the ISO 27001 standard and to report on the performance of the ISMS.

Learn more about top management in ISO 27001 in these articles: Top management perspective of information security implementation, Roles and responsibilities of top management in ISO 27001 and ISO 22301, and What should you write in your Information Security Policy according to ISO 27001?

Clause 6: Planning

Planning in an ISMS environment should always take into account risks and opportunities. An information security risk assessment provides a sound foundation to rely on. Accordingly, information security objectives should be based on the risk assessment. These objectives need to be aligned to the company’s overall objectives. Moreover, the objectives need to be promoted within the company. They provide the security goals to work towards for everyone within and aligned with the company. From the risk assessment and the security objectives, a risk treatment plan is derived, based on controls as listed in Annex A.

For better understanding of risks and opportunities, read the article ISO 27001 risk assessment & treatment – 6 basic steps. Learn more about control objectives in the article ISO 27001 control objectives – Why are they important? For more details about a company’s direction, read the article Aligning information security with the strategic direction of a company according to ISO 27001.

Clause 7: Support

Resources, competence of employees, awareness, and communication are key issues of supporting the cause. Another requirement is documenting information according to ISO 27001. Information needs to be documented, created, and updated, as well as being controlled. A suitable set of documentation needs to be maintained in order to support the success of the ISMS.

For more about training, awareness, and communication read the articles How to perform training & awareness for ISO 27001 and ISO 22301 and How to create a Communication Plan according to ISO 27001. Learn more about document management in the article Document management in ISO 27001 & BS 25999-2.

Clause 8: Operation

Processes are mandatory to implement information security. These processes need to be planned, implemented, and controlled. Risk assessment and treatment – which needs to be on top management’s mind, as we learned earlier – has to be put into action.

Learn more about risk assessment and treatment in the articles ISO 27001 risk assessment: How to match assets, threats and vulnerabilities and How to assess consequences and likelihood in ISO 27001 risk analysis, and in this free Diagram of the ISO 27001:2013 Risk Assessment and Treatment Process.

Clause 9: Performance evaluation

The requirements of the ISO 27001 standard expect monitoring, measurement, analysis, and evaluation of the Information Security Management System. Not only should the department itself check on its work – in addition, internal audits need to be conducted. At set intervals, the top management needs to review the organization’s ISMS.

Learn more about performance, monitoring, and measurement in the articles Key performance indicators for an ISO 27001 ISMS and How to perform monitoring and measurement in ISO 27001.

Clause 10: Improvement

Improvement follows up on the evaluation. Nonconformities needs to be addressed by taking action and eliminating the causes when applicable. Moreover, a continual improvement process should be implemented, even though the PDCA (Plan-Do-Check-Act) cycle is no longer mandatory (read more about this in the article Has the PDCA Cycle been removed from the new ISO standards? Still, the PDCA cycle is often recommended, as it offers a solid structure and fulfills the requirements of ISO 27001.

For more about improvement in ISO 27001, read the article Achieving continual improvement through the use of maturity models.

Annex A (normative) Reference control objectives and controls

Annex A is a helpful list of reference control objectives and controls. Starting with A.5 Information security policies through A.18 Compliance, the list offers controls by which the ISO 27001 requirements can be met, and the structure of an ISMS can be derived. Controls, identified through a risk assessment as described above, need to be considered and implemented.

For more about Annex A, read the articles Overview of ISO 27001:2013 Annex A and How to structure the documents for ISO 27001 Annex A controls.

Requirements of an ISMS

The implementation and the standard itself might seem challenging or complicated at first sight, because some requirements might not sound logical to you. But, with more in-depth learning about it, things fall into place and one starts to appreciate the comprehensiveness that implementation of ISO 27001 brings into security. Soon after becoming compliant you will surely realize that the standard offers you a structured guideline, and you will be satisfied with your decision about the implementation.

To learn more about ISO 27001 requirements, download this free Clause-by-clause explanation of ISO 27001.

About the author:

Andrea Giesler is an Internal Auditor, based in Cologne, Germany, specializing in the areas of ISO 27001, ISO 9001, and EU GDPR. She is a Certified Information Systems Auditor (CISA) and is certified in Risk and Information Systems Control (CRISC) by ISACA.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

Leave a Reply

Your email address will not be published. Required fields are marked *



  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.