ISO/IEC 27001 •

ISO 27001 Requirements

See how ISMS.online can help your business

See it in action
By David Alloway | Updated 12 March 2024

The core requirements of ISO 27001 are addressed in Clauses 4.1 through to 10.2. Here we'll look through an overview of each clause.

Jump to topic

Get certified 5 x faster with ISMS.online

1. Scope

The ISO 27001 standard covers various aspects of information security management, including the establishment, implementation, maintenance, and continual improvement of an ISMS within the context of an organisation. The standard is applicable to organisations of all types, sizes, and nature.

The requirements set out in the ISO 27001 standard are designed to ensure that organisations have appropriate measures in place to protect their information assets. These requirements cover a wide range of areas.


2. Normative References

ISO 27001 itself is based on a risk management approach and provides a framework for organisations to establish, implement, maintain, and continually improve an information security management system (ISMS). The normative references in ISO 27001 include several other ISO/IEC standards that provide guidance on various aspects of information security management. These include:

  • ISO/IEC 27000: This standard is a normative reference in ISO 27001 and serves as an overview and vocabulary for information security management systems. It defines key terms and concepts used throughout the ISO 27000 family of documents and outlines the scope and objectives of each member of the family.
  • ISO/IEC 27002: Also known as the Code of Practice for Information Security Management, this standard provides guidance on the selection and implementation of security controls. It offers a comprehensive set of best practices for organisations to protect their information assets and manage security risks effectively.
  • ISO/IEC 27005: This standard focuses on risk management and provides guidance on the risk assessment process and risk treatment. It helps organisations identify and assess information security risks, and develop appropriate risk treatment plans to mitigate those risks.
  • ISO/IEC 27006: This standard provides guidance on the certification process for information security management systems. It outlines the requirements for certification bodies and auditors to assess and certify organisations’ compliance with ISO 27001.
  • ISO/IEC 27007: These guidelines are specifically designed for auditing information security management systems. They provide guidance on the audit process, including planning, conducting, and reporting on audits, to ensure that an organisations’ ISMS is effectively implemented and maintained.
  • ISO/IEC 27008: These guidelines focus on the management of information security. They provide guidance on establishing, implementing, maintaining, and continually improving the management system for information security within an organisation.

3. Terms and Definitions

The terms and definitions section serves the purpose of providing a common understanding and language for all parties involved in the implementation of the standard.

Free download

Get your guide to
ISO 27001 success

Everything you need to know about achieving ISO 27001 first time

Get your free guide

4. Context of the Organisation

4.1 – Understanding the Organisation and its Context

ISO 27001 Requirement 4.1 is aimed at ensuring that organisations have a comprehensive understanding of their internal and external environment in order to effectively manage their information security risks.

This involves identifying and assessing the factors that can impact the organisation’s ability to achieve its information security objectives.

By understanding their internal and external context, organisations can identify and assess the risks associated with their information security management system.

This enables them to develop a tailored and effective system that mitigates the identified risks and ensures compliance with applicable laws and regulations.

Read more about 4.1

4.2 – Understanding the Needs and Expectations of Interested Parties

ISO 27001 Requirement 4.2 is for organisations to identify and comprehend the needs and expectations of their stakeholders. This includes customers, suppliers, employees, shareholders, and other interested parties.

The purpose is to ensure that the organisation’s information security management system (ISMS) meets the requirements of these parties.

To fulfil this requirement, organisations must first identify their stakeholders and understand their specific needs and expectations.

This involves considering legal and regulatory requirements, contractual obligations, and other external and internal issues that are relevant to the organisation’s purpose and affect its ability to achieve the intended outcome of its ISMS.

Read more about 4.2

4.3 – Determining the Scope of the Information Security Management System

ISO 27001 Requirement 4.3 defines the boundaries and extent of the organisation’s Information Security Management System (ISMS).

This involves identifying and documenting the information assets, processes, procedures, people, systems, and networks that are included within the scope of the ISMS.

The scope should encompass all of the organisation’s information assets, both physical and digital, as well as the processes and procedures used to manage them.

Read more about 4.3

4.4 – Information Security Management System

ISO 27001 Requirement 4.4 outlines the necessary elements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

The ISMS is designed to ensure the security of information and data, as well as protect the rights and freedoms of individuals.

ISO 27001 provides a comprehensive set of requirements for establishing and maintaining an effective ISMS that protects the confidentiality, integrity, and availability of information.

Read more about 4.4

5. Leadership

5.1 – Leadership & Commitment

ISO 27001 Requirement 5.1 explains that the organisation’s top management must demonstrate leadership and commitment to the information security management system (ISMS). This involves several key responsibilities.

Management must monitor and evaluate the ISMS to ensure its effectiveness. This involves conducting internal audits and taking necessary corrective actions to address any identified weaknesses or non-conformities.

Read more about 5.1

5.2 – Information Security Policy

ISO 27001 Requirement 5.2 requires organisations to have an information security policy that is approved by top management.

This policy serves as a guideline for managing the organisation’s information security and should consider various factors such as business strategy, regulations, legislation, and current and projected information security risks and threats.

It should cover areas such as information transfer, secure configuration and handling of user endpoint devices, networking security, information security incident management, backup, cryptography and key management, information classification and handling, management of technical vulnerabilities, and secure development.

Read more about 5.2

5.3 – Organisational Roles, Responsibilities & Authorities

ISO 27001 Requirement 5.3 outlines the requirement for organisations to define and allocate roles, responsibilities, and authorities related to information security.

This is crucial for ensuring that all individuals and groups within the organisation are aware of their specific roles and responsibilities in regards to information security.

The document emphasises the need for segregation of duties, meaning that different individuals or groups should be responsible for different aspects of information security.

This helps to prevent any single person from having excessive control over the organisation’s information security. Furthermore, the document requires organisations to ensure that personnel are adequately trained and possess the necessary skills to fulfil their roles and responsibilities.

Read more about 5.3

6. Planning

6.1 – Actions to Address Risks and Opportunities

ISO 27001 Requirement 6.1 is focused on ensuring that organisations identify, assess, treat, and monitor information security risks and opportunities.

This involves a systematic approach to managing risks and taking appropriate actions to mitigate them.

This requirement emphasises the importance of a proactive and comprehensive approach to managing information security risks in order to protect personal data and ensure the integrity and availability of information systems.

Read more about 6.1

6.2 – Information Security Objectives & Planning to Achieve them

ISO 27001 Requirement 6.2 requires organisations to establish information security objectives and develop a plan to achieve them.

These objectives should be specific, measurable, achievable, relevant, and time-bound (SMART), and should align with the organisation’s overall business objectives. The plan should outline the steps, resources, and timeline needed to reach the desired goals.

Regular review of information security objectives and plans is necessary to ensure their relevance and effectiveness. Any changes in the organisation should be considered and incorporated into the plans as needed.

Read more about 6.2

Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

7. Support

7.1 – Resources

ISO 27001 Requirement 7.1 ensures that an organisation has the necessary resources to maintain the security of its information systems.

This includes identifying and documenting the personnel, hardware, software, and other resources needed for information security.

The organisation must ensure that these resources are available and accessible when needed.

As described before with Requirement 5.3, ISO 27001 does not actually mandate that the ISMS has to be staffed by full time resources, just that the roles, responsibilities and authorities are clearly defined and owned – assuming that the right level of resource will be applied as required.

Read more about 7.1

7.2 – Competence

ISO/IEC 27001 Requirement 7.2 outlines how the organisation will ensure that it has:

  • Determined the competence of the people doing the work on the ISMS that could affect its performance.
  • People that are deemed competent on the basis of the relevant education, training or experience.
  • Where required, taken action to acquire the necessary competence and evaluated the effectiveness of the actions.
  • Retained evidence of the above for audit purposes.
  • By ensuring that personnel are competent, organisations can effectively manage their information security performance and protect personal data.

    Read more about 7.2

7.3 – Awareness

ISO 27001 Requirement 7.3 states that organisations must ensure that all personnel are aware of the importance of information security and their roles and responsibilities in maintaining it.

This includes providing training and education on information security topics, ensuring personnel understand the organisation’s security policies and procedures, and the consequences of not following them.

ISO 27001 is seeking confirmation that the persons doing the work are aware of:

  • The information security policy.
  • Their contribution to the effectiveness of the ISMS including benefits from its improved performance.
  • What happens when the information security management system does not conform to its requirements.
  • By ensuring that personnel are competent, organisations can effectively manage their information security performance and protect personal data.

    Read more about 7.3

7.4 – Communication

ISO 27001 Requirement 7.4 focuses on the need for organisations to establish effective communication practices to ensure information security objectives are met. This includes communication with relevant stakeholders, the Commissioner in the event of a personal data breach, and between all involved parties.

ISO 27001 requirement 7.4 is looking for the following:

  • What to communicate about the ISMS.
  • When that will be communicated.
  • Who will be part to that communication.
  • Who does the communication.
  • How that all happens i.e. what systems and processes will be used to demonstrate it happens and is effective
Read more about 7.4

7.5 – Documented Information

ISO 27001 Requirement 7.5 for ISO 27001 asks you to describe your information security management system and then to demonstrate how its intended outcomes are achieved for the organisation.

It is incredibly important that everything related to the ISMS is documented and well maintained, easy to find, if the organisation wants to achieve an independent ISO 27001 certification form a body like UKAS.

ISO certified auditors take great confidence from good housekeeping and maintenance of a well structured information security management system.

Read more about 7.5

8. Operation

8.1 – Operational Planning & Control

ISO 27001 Requirement 8.1 is focused on ensuring the security of an organisation’s information by planning and controlling its operations.

This involves identifying and assessing risks associated with the organisation’s operations and implementing appropriate security controls to mitigate those risks.

The organisation must also develop and implement policies and procedures to protect its information from unauthorised access, use, disclosure, modification, or destruction.

This requirement is very easy to demonstrate evidence against if the organisation has already ‘showed its workings’. In developing the information security management system to comply with requirements 6.1, 6.2 and in particular 7.5 where the whole ISMS is well structured and documented, this also achieves 8.1 at the same time.

Read more about 8.1

8.2 – Information Security Risk Assessment

ISO 27001 Requirement 8.2 requires organisations to perform an Information Security Risk Assessment (ISRA) at planned intervals or when significant changes occur.

The purpose of this requirement is to ensure that organisations are aware of potential risks to their information security management system and can take necessary steps to mitigate them.

The process involves identifying, assessing, and managing risks to the organisation’s information assets. This includes analysing the organisation’s information assets, identifying threats and vulnerabilities associated with those assets, and evaluating the potential impact of a security breach.

Read more about 8.2

8.3 – Information Security Risk Treatment

ISO 27001 Requirement 8.3 outlines the requirement for organisations to identify, assess, and treat information security risks.

This involves identifying and assessing risks associated with the processing of personal data and implementing appropriate security measures to mitigate those risks. These measures can include access control, encryption, and data backup.

Organisations should ensure that any externally provided processes, products, or services relevant to the information security management system are controlled. Documented information of the results of the information security risk treatment should also be retained.

Read more about 8.3

9. Performance Evaluation

9.1 – Monitoring, Measurement, Analysis and Evaluation

ISO 27001 Requirement 9.1 requires organisations to evaluate how the ISMS is performing and look at the effectiveness of the information security management system.

If the organisation is seeking certification for ISO 27001 the independent auditor working in a certification body associated to UKAS (or a similar accredited body internationally for ISO certification) will be looking closely at the following areas:

  • What it has decided to monitor and measure, not just the objectives but the processes and controls as well.
  • How it will ensure valid results in the measuring, monitoring, analysis and evaluation.
  • When that measurement, monitoring, evaluation and analysis takes place and who does it.
  • How the results get used.

Like everything else with ISO/IEC standards including ISO 27001, documented information is all important – so describing it and then demonstrating that it is happening, is the key to success!

Read more about 9.1

9.2 – Internal Audit

Requirement 9.2 of ISO 27001 says that an organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:

  • Conforms to the organisation’s own requirements for its information security management system; and meets the requirements of the ISO 27001 international standard.
  • Whether the ISMS is effectively implemented and maintained.

This requirement ensures that organisations regularly assess and improve their information security management system to protect their information assets and meet their security objectives.

Read more about 9.2

9.3 – Management Review

ISO 27001 Requirement 9.3 requires organisations to conduct regular management reviews to ensure the ongoing suitability, adequacy, and effectiveness of their information security management system.

These reviews should be conducted at planned intervals, at least annually, and should involve senior management or a designated representative.

The purpose of the management review is to assess the organisation’s information security policies, procedures, and controls, as well as its risk assessment and risk management processes.

It also involves evaluating the organisation’s compliance with applicable laws and regulations.

During the review, the organisation should assess the effectiveness of its information security management system and identify any necessary changes to ensure compliance with the ISO 27001 standard. The review should also consider the organisation’s performance in meeting its information security objectives.

Read more about 9.3

10. Improvement

10.1 – Nonconformity and Corrective Action

ISO 27001 Requirement 10.1 states that organisations must establish a process to identify, document, and address any deviations from the ISO 27001 standard, which are referred to as nonconformities.

Nonconformities can include failures to meet the requirements of the standard, deficiencies in the information security management system, or any other issues that could lead to a security breach.

When a nonconformity is identified, the organisation must take corrective action to address it. The corrective action should be appropriate to the severity of the nonconformity and designed to prevent similar issues from occurring in the future.

The effectiveness of the corrective action must be reviewed on a regular basis to ensure that the nonconformity does not recur.

Read more about 10.1

10.2 – Continual Improvement

ISO 27001 Requirement 10.2 states that organisations must continually improve their information security management system (ISMS).

This means that organisations need to regularly review and update their ISMS to ensure its effectiveness and alignment with the organisation’s objectives, legal and regulatory requirements, and the ISO 27001 standard.

The continual improvement process should be monitored and reviewed to ensure its effectiveness, and any necessary changes should be made to enhance the suitability, adequacy, and effectiveness of the ISMS.

Read more about 10.2

We'll guide you every step of the way

Our built-in tool takes you from set-up to certification with a 100% success rate.

Book a demo

ISO 27001 requirements


ISO 27001 Annex A Controls


About ISO 27001


ISMS.online launches a new Public API. Click here to find out more