ISO 27001 Requirements Explained

The ISO 27001 requirements can be overwhelming.

Whether you're new to the standard or a seasoned practitioner, there is a lot to remember.

And that is ok.

This article gives you a definitive reference guide to each of the ISO 27001 requirements, covering for each clause:

  • What it is
  • What it means
  • Practical, real-world examples of how to implement it
  • How to comply with it
  • Common mistakes and things to avoid
  • How to drive continual improvement

You will learn exactly what you need to know and what you need to do to drive success in the world of ISO 27001.

Understanding the Structure of ISO 27001

ISO 27001 sets out its requirements in seven mandatory clauses (Clauses 4 to 10) that you must comply with to claim conformance or achieve certification. The introductory material and Clauses 1 to 3 (scope, normative references, terms and definitions) contain no requirements, and the Annex A controls are not requirements in themselves: they are selected, or justifiably excluded, through the risk treatment process in Clause 6 and recorded in your Statement of Applicability.

These include:

  • Clause 4, Context of the organisation
  • Clause 5, Leadership
  • Clause 6, Planning
  • Clause 7, Support
  • Clause 8, Operation
  • Clause 9, Performance evaluation
  • Clause 10, Improvement

Within these mandatory clauses is a collection of 34 sub-clauses that detail the requirements for specific characteristics of an ISMS.

Combined, these clauses establish the foundations of an ISMS that applies a risk-based approach, underpinned by the principle of continuous improvement.

Clause 4: Context of the organisation

ISO 27001 Clause 4 sets the stage for your entire Information Security Management System (ISMS).

It is made up of four sub-clauses that form the foundation of your security journey:

  • Clause 4.1, Understanding the organisation and its context
  • Clause 4.2, Understanding the needs and expectations of interested parties
  • Clause 4.3, Determining the scope of the information security management system
  • Clause 4.4, Information security management system

This isn’t just paperwork — it’s about knowing what you’re protecting and why it matters.

It's about understanding the threats, stakeholders, and internal factors that shape your company’s security landscape.

Think of it as the foundation of your security journey.

Without a strong understanding of context, your efforts might be wasted on the wrong areas.

Moreover, if certification is the goal - the auditor can only make an accurate assessment of the effectiveness of your ISMS once they understand what it's trying to achieve.

Here’s how to get it right:

  • Identify Stakeholders: Who cares about your security? Employees, clients, regulators, suppliers? List them out.
  • Define Needs and Expectations: What do these stakeholders expect from you in terms of security, including the legal, regulatory and contractual obligations you must meet? Clear up any grey areas here.
  • Pinpoint Internal and External Issues: What’s happening inside your organisation? And what external forces, like laws, market changes or the threat landscape, impact security?
  • Set Scope with Precision: Specify which parts of your organisation (locations, systems, services, teams) the ISMS covers, and state what is excluded and why. This is the boundary the auditor tests against, so a vague scope makes every later finding harder to argue, and an over-broad one spreads you thin.
  • Document it All: Get this context written down. The scope in particular must be available as documented information. It’s not just for compliance; it’s your roadmap to focused, impactful security decisions.

Start here, and you’re laying the groundwork for a secure, resilient organization.

Clause 5: Leadership

If you want your security efforts to succeed, it all starts at the top.

ISO 27001 Clause 5 is all about leadership — where real commitment happens, where accountability begins.

So what does the standard say? 

Well, ISO 27001 breaks Clause 5: Leadership into three parts:

  • Clause 5.1, Leadership and commitment
  • Clause 5.2, Policy
  • Clause 5.3, Organisational roles, responsibilities and authorities

Combined, they form the basis upon which leadership can...well, lead.

But it's not about checking a box.

It's about showing up and leading by example.

When leadership gets involved, security isn’t just an IT thing.

It becomes part of your organisation's DNA, part of every decision.

Leaders bring focus, direction, and, most importantly, support.

Without this? It’s like building a house with no foundation. Everything can crumble under pressure.  

So, what does Clause 5 demand from leadership?

Vision, support, and action.

This isn’t hands-off; it’s all-in.

Here’s how to make it count:

  • Set a Clear Security Policy: Write down what security means for your organisation. Make it direct and easy for everyone to understand, communicate it internally, and make it available to interested parties where appropriate (Clause 5.2 requires all three).
  • Define Roles and Responsibilities: Who does what in your security plan, and who has the authority to report on ISMS performance to top management (Clause 5.3)? No overlaps, no gaps. Everyone has a place.
  • Empower People: Give teams the tools, budget, and time they need. Security isn’t free; it needs real investment.
  • Lead with Accountability: Leadership must be accountable. Show the team you’re in it for real, and they’ll follow.
  • Commit to Improvement: Security is a journey. Push for ongoing reviews and updates to keep up with new threats.

Get leadership on board, and you’re building security that sticks, backed by a team that believes in the mission.

Clause 6: Planning

Clause 6 is your roadmap to security success.

This is where the rubber meets the road in ISO 27001 — no more guessing, just clear, practical steps.

Clause 6 sets you up to identify risks, set objectives, and outline how you’ll tackle everything.

It’s all about planning for the real world, making sure your security approach is solid.

We already know that security is a moving target.

ISO 27001 Clause 6 is about being prepared and adaptive to the evolving threat landscape instead of scrambling in a crisis.

So how does ISO 27001 Clause 6 help us with this?

It focuses on three key outcomes:

  1. Ensure that your information security management system can achieve its intended outcome(s)
  2. Prevent or reduce "undesired effects" (we'll come back to this)
  3. Achieve continual improvement

It helps in the form of two sub-clauses (three in ISO/IEC 27001:2022, which adds Clause 6.3, Planning of changes):

  • Clause 6.1, Actions to address risks and opportunities
  • Clause 6.2, Information security objectives and planning to achieve them

Clause 6.1 focuses on how you identify, evaluate, treat, manage and monitor risk.

But what is risk?

ISO formally defines risk as the "effect of uncertainty on objectives". At its most basic level, that comes down to the likelihood and impact of an undesired effect on the operations of your business.

In the security world, this could include:

  • Disruption to business operations
  • Failure of a system
  • Data loss
  • Compromise of a system
  • And more...

What ISO 27001 wants from you in Clause 6.1 is a defined methodology for performing information security risk assessments (including your risk acceptance criteria, so that repeated assessments give consistent and comparable results), evidence of the results (in the form of documentation and a risk register with named risk owners), a risk treatment plan, and a Statement of Applicability that records which Annex A controls you have selected or excluded and why. The risk owners must approve the treatment plan and formally accept the residual risks.

The second part of Clause 6 is ISO 27001 Clause 6.2 Information security objectives and planning to achieve them.

In essence, this is about defining Specific, Measurable, Attainable, Realistic and Timely (SMART) objectives to drive continuous improvement of your information security in the context of:

  1. The organisation and its purpose (as defined in Clause 4: Context of the organisation);
  2. The organisation's current risk profile (based on the output of your risk assessment).

Clause 7: Support

ISO 27001 Clause 7 is all about support — it’s the glue that keeps your security efforts together.

The purpose of Clause 7 is straightforward.

Make sure your team has everything it needs to establish, implement, maintain and continuously improve your information security management system.

This isn’t just about tools — it’s about people, training, and clear communication.

ISO 27001 Clause 7 brings this to life in the form of five sub-clauses:

  • Clause 7.1, Resources
  • Clause 7.2, Competence
  • Clause 7.3, Awareness
  • Clause 7.4, Communication
  • Clause 7.5, Documented information

First off, ISO 27001 wants to make sure that you have the human expertise to support information security in your business.

Security requires effort.

Technology and tools help, but there are still human tasks that need to be performed to protect your business effectively.

This requires the right resources and ensuring that they are trained and have the necessary competence to support your business.

Next it addresses one of the most critical aspects of security - awareness, training and communication.

One widely cited industry figure, repeated by KnowBe4 among others, is that roughly 88% of data breaches involve human error somewhere in the chain.

Why?

Simply put - threat actors know that manipulating human behaviour through phishing, social engineering etc is far more effective than trying to crack through your firewall.

This doesn't mean that your people are the weakest link.

It means that your people are your first line of defence.

So if the overwhelming majority of breaches pass through a human decision at some point, you need to focus on your people and ensure that you have appropriate awareness, training and communication in place.

The success of your security program hinges on your ability to embed security into your culture, your DNA.

To support this, you also need to make sure that you have appropriate documented information such as:

  • Policies
  • Processes
  • Procedures
  • Records

Not only does this support your security culture by providing a north star, it provides a knowledge base for your people and the necessary evidence to auditors that your ISMS is operating effectively.

The good news is that the standard is very clear on what documentation is required for ISO 27001.

In summary, to master Clause 7, here are five things you need to focus on:

  • Provide Resources: Make sure your team has the tools and time they need. Security isn’t done with empty hands.
  • Train Continuously: Give everyone the knowledge to act confidently. Regular training keeps skills sharp.
  • Document Information: Write down the processes and policies. People can’t follow what they don’t know.
  • Foster Communication: Keep everyone in the loop. Good communication builds teamwork and trust.
  • Encourage Responsibility: Show that security is everyone’s job. Empower your team to own their roles.

With the right support, your security plan becomes more than just a strategy — it becomes a powerful, people-driven defence.

Clause 8: Operation

In Clause 6 we talked about risk assessments, risk treatment and defining information security objectives.

ISO 27001 Clause 8 is where all the planning and preparation meet action.

You’re not just talking about security — you’re doing it.

Clause 8 ensures that every risk you’ve prioritised gets handled and every response is ready to go.

This is brought to life in the form of three sub-clauses:

  • Clause 8.1, Operational planning and control
  • Clause 8.2, Information security risk assessment
  • Clause 8.3, Information security risk treatment

Clause 8.1 focuses on ensuring that you have planned and implemented the processes needed to meet your security objectives and to carry out the actions you determined in Clause 6.

These processes should be documented (as per Clause 7.5 above) to the extent needed to give confidence that they are being carried out as planned. Clause 8.1 also requires you to control planned changes, review the consequences of unintended changes, and make sure that externally provided processes, products or services relevant to the ISMS (outsourced hosting, managed services, key suppliers) are themselves controlled.

Next we need to operationalise our risk assessment process.

What this means is that you need to perform information security risk assessments at planned intervals or when significant changes to your environment are proposed or occur.

These changes could be:

  • Organisational changes
  • Changes to a process
  • Migration of key systems or platforms
  • Onboarding a new supplier

#ProTip The results of these risk assessments should be documented and stored in a secure location for future reference.

Once you've done your risk assessment, you are no doubt going to identify something that could cause an "undesired event" to your business (i.e. a risk).

This is where your information security risk treatment plan comes in.

What does this mean?

Essentially, what action are you going to take to reduce the likelihood and/or impact of the risk materialising.

Again, these risk treatment plans should be documented, monitored and managed to ensure that your risks are being addressed.

So, in summary, to deliver against the requirements of Clause 8 you need to:

  • Be action oriented: Don't talk security. Do security.
  • Define your processes: Make sure you have documented processes that deliver against your security objectives.
  • Implement controls: Use the security measures you planned. Make them a part of everyday operations.
  • Perform risk assessments: Assess your risks regularly. Not just at planned intervals, but when significant changes are on the horizon.
  • Execute risk treatments: Put your risk responses into action. Don’t let risks sit unaddressed.

Remember, Clause 8 turns your security plan into action.

Clause 9: Performance evaluation

Clause 9 is where you check your security pulse.

It’s all about evaluating how well your security measures are working.

This isn’t guesswork — it’s a structured way to see if your plan is effective.

With Clause 9, you get to look at the big picture, spot gaps, and make improvements.

It does this in three ways:

  • Clause 9.1, Monitoring, measurement, analysis and evaluation
  • Clause 9.2, Internal audit
  • Clause 9.3, Management review

ISO 27001 asks you to monitor, measure, analyse and evaluate your security performance and the effectiveness of the ISMS.

This will require you to decide:

  1. What needs to be monitored and measured (including information security processes and controls)
  2. How you will monitor and measure your security processes, using methods that give valid, comparable and reproducible results
  3. When the monitoring will take place (e.g. continuous or periodic)
  4. Who will perform the monitoring and measurement
  5. When and by whom the results will be analysed and evaluated, and how they will be communicated to relevant stakeholders

As you'd expect, ISO 27001 wants you to capture this as documented information as well.

This could include:

  • Information security monitoring policy
  • Supporting information security processes and procedures
  • Records of monitoring activity (e.g. logs, analyses, reports etc.)

Another key aspect of ISO 27001 Clause 9 is the use of an internal audit programme to evaluate the performance of your ISMS.

The primary goal of internal audit is for the business to get its own assurance that both its own requirements and the requirements of ISO 27001 are being met, and that the ISMS is effectively implemented and maintained.

Your internal audit programme needs to be structured, planned, documented and maintained, with defined audit criteria and scope, and auditors selected so that the audit is objective and impartial (nobody should audit their own work).

Finally, the output of Clause 9.1 and Clause 9.2 needs to be packaged in an appropriate format for management review (Clause 9.3), which top management must carry out at planned intervals and whose results must be retained as documented information.

Remember Clause 5: Leadership?

We talked about leadership, commitment and active involvement from top management.

This is where it all comes full circle.

Leadership need visibility and insight into the effectiveness of the ISMS in order that they can take responsibility.

If there are emerging risks, challenges, operational issues, performance issues - leadership need to know.

They then make a decision about whether they're prepared to accept the risk.

Or, whether they are prepared to give you the support and resources you need in order to drive continuous improvement.

So, in summary. ISO 27001 Clause 9 is about turning security into a cycle of constant improvement by:

  • Defining Metrics: Decide what success looks like for your security goals. Be specific.
  • Gathering Data: Collect information on how your controls are performing. Stay data-driven.
  • Conducting Regular Audits: Test your processes and controls to ensure they’re effective.
  • Analysing Results: Look for patterns or gaps in your data. Where do you need to adjust?
  • Taking Action: Use your insights to inform leadership. Don’t let data sit; make it work for you.

Clause 10: Improvement

Last, but by no means least, we have ISO 27001 Clause 10: Improvement, which is where continual improvement lives.

Effective information security management systems are adaptive.

They evolve and improve in response to changes in your business, technology and of course, the threat landscape.

ISO 27001 calls you to actively seek out improvement. Identify weaknesses, make changes, and look for ways to get ahead of the curve.

Without improvement, your security can become outdated.

Clause 10 keeps you sharp, helping you stay resilient against new challenges.

ISO 27001 continuous improvement comes to life in the form of two sub-clauses (the numbering below follows the 2022 edition; the 2013 edition had them in the opposite order):

  • Clause 10.1, Continual improvement
  • Clause 10.2, Nonconformity and corrective action

Clause 10.1 focuses on continually improving the suitability, adequacy and effectiveness of your information security management system.

This can be achieved in a number of ways:

  • Delivery against your information security objectives
  • Reduction in your overall risk profile
  • Improvement in incident response times
  • Faster vulnerability response times

Ultimately Clause 10.1 is looking for you to answer the simple question of "Is my ISMS better today, than it was yesterday?"

Clause 10.2 is slightly different but still anchored in the world of continuous improvement.

Clause 10.2 focuses on nonconformity, i.e. the "non-fulfilment of a requirement".

ISO 27001 is looking for you to ensure that you continue to meet the requirements of the standard (Clauses 4 to 10 discussed in this article) as well as the requirements you have set yourself in your own policies, procedures and risk treatment plan.

Examples of nonconformity could include:

  • Failure to define and maintain the scope of your ISMS (ISO 27001 Clause 4.3)
  • Failure to implement and communicate an Information Security Policy (ISO 27001 Clause 5.2)
  • Failure to perform appropriate security awareness and training (ISO 27001 Clause 7.2 and Clause 7.3)
  • Failure to perform Internal Audits (ISO 27001 Clause 9.2)

It's important to understand that not all findings are created equal.

Broadly speaking, auditors grade findings into three categories, of which only the first two are nonconformities:

  • Major Nonconformity: A complete non-fulfilment of a requirement, or a systemic failure that puts the ISMS's ability to achieve its intended outcomes in doubt.
  • Minor Nonconformity: A partial or isolated non-fulfilment of a requirement.
  • Opportunity for improvement: You fulfil the requirement, but it could be more effective or more efficient. This is not a nonconformity and does not require a corrective action.

If a nonconformity is identified - either through an internal audit, external audit or certification audit then an action must be taken to correct it.

This is called a Corrective Action.

Hence why ISO 27001 Clause 10.2 is called "Nonconformity and corrective action".

To satisfy the requirement of 10.2, there are some specific things that you need to do:

  1. Have a method of identifying nonconformities (e.g. the monitoring, internal audit and management review activities in Clause 9)
  2. Respond to nonconformities as appropriate (i.e. take action to control and correct it, as well as deal with the consequences.)
  3. Determine the cause of the nonconformity and identify ways to prevent recurrence.
  4. Implement any actions needed
  5. Review the effectiveness of the corrective action taken
  6. Produce and maintain appropriate documentation that details what happened, what action was taken and the results of that action

In summary. Clause 10 ensures that your security isn’t static; it’s always improving, always evolving.

Here are five ways to make it count:

  • Conduct Regular Reviews: Look at what’s working—and what’s not. Find ways to improve constantly.
  • Analyse Incidents: Every incident teaches a lesson. Learn from each one and strengthen your defenses.
  • Gather Feedback: Ask your team for insights. They’re on the front lines and can spot areas for improvement.
  • Implement Changes: Don’t just talk about improvement. Put it into action right away.
  • Monitor Progress: Keep an eye on new changes to see their impact. Continuous improvement means staying alert.

Conclusion

ISO 27001 can seem complex, but step by step, each requirement helps create a resilient security framework for your organisation.

Remember, the key is not to aim for perfection overnight, but to foster continuous improvement.

Keep building, learning, and refining.

Want more expert advice on ISO 27001 and other GRC topics? Subscribe to the GRCMana newsletter and stay ahead of the curve.

P.S. Whenever you're ready, here are 3 ways I can help you:

  1. Subscribe to GRCMANA and each week you will get more tips, strategies and resources that will help you accelerate your GRC career.
  2. Join the Cyber Resilience Network: Join 16,000+ other members in the largest LinkedIn Community dedicated to building cyber resilience in the cloud.
  3. Follow me on LinkedIn for more tools, strategies and insights on how to govern your cloud, secure your cloud and defend your cloud.

About the author
Harry is a technologist and security leader with 20+ years experience in helping organisations govern their cloud, secure their cloud and defend their cloud.