ISO 27001 Clauses & Controls

The most recent revision of the ISO 27001 standard, published in 2018, consists of 11 clauses numbered “0” through “10”, plus an “Annex A” that lists specific security controls. Each of the main clauses contains a number of sub-clauses except for the introduction. Clauses 4 through 10 are considered “mandatory”, and an organization cannot claim ISO 27001 compliance without meeting the requirements spelled out in these sections. These 11 main clauses are listed below:

Introduction: Introduces the standard and its purpose.
Scope: Provides a very high-level view of the information security management system and risk treatment requirements specified within the rest of the standard. Also, clarifies that the standard is intended to be generic and applicable across different industries and business sizes.
Normative references: Explains the relationship between ISO 27000 and 27001 standards.
Terms and definitions: Covers the terminology that is used within the standard.
Context of the organization: The first mandatory clause. Covers stakeholders, internal and external issues, and regulatory and compliance requirements. An organization must also define the scope, boundaries, and applicability of the ISMS as part of this clause.
Leadership: True ISO 27001 compliance requires full support from top management. The leadership clause explains the responsibilities of senior executives in implementing and maintaining a functional ISMS. The audit process will involve interviews with top executives, which means the commitment from management must be truly genuine.
Planning: The planning clause covers risk assessment, risk treatment, and the creation of objectives to measure the performance of an ISMS in relation to the company’s greater business objectives. An organization will need to define and document its criteria for assessing and analyzing risks, and also specify how the identified risks will be addressed.
Support: This clause addresses the resources needed to successfully implement and support the ISMS. Think well-trained employees, effective communication of policies, and standardized procedures for creating and updating documentation.
Operation: In the operation clause, an organization will put much of the work developed during the Planning clause into action. Where clause 6 consisted of defining criteria for risk assessments, clause 8 is where the assessments are actually performed and documented. This is also the clause under which the mandated Risk Treatment Plan is implemented.
Performance evaluation: Measuring the performance of your ISMS is crucial for getting the most out of your ISO 27001 implementation. Clause 9 includes requirements for how to monitor and evaluate the policies, procedures, and controls that make up the management system. This clause also calls for regular internal audits and management reviews.
Improvement: The final mandatory clause covers both non-conformity to the other sections of the standard and continual improvement of the information security program.