A Complete List of ISO 27001 Requirements

A Complete List of ISO 27001 Requirements

Data is an important resource for any modern-day organisation. Therefore, to protect its data, an organisation has to take appropriate measures to strengthen its security against cyber-attacks. One of the most adopted information security standards across the world is the ISO 27001 standard, and organisations across the world seek compliance with it to improve their security practices.   

As per Statista, 21% of all organisations and 57% of large organisations in the United Kingdom are aware of ISO 27001. However, in order to comply with ISO 27001, an organisation has to fulfil certain requirements according to the ISO 27001 compliance framework. This blog will elaborate on the ISO 27001 Requirements that an organisation needs to fulfil to gain compliance.  

Table of Contents 

1) What are the ISO 27001 Requirements? 

     a) Clause 4: Context of the organisation 

     b) Clause 5: Leadership and commitment 

     c) Clause 6: Planning for risk management 

     d) Clause 7: Allocation of resources 

     e) Clause 8: Regular assessments and evaluations of operational controls 

     f) Clause 9: Performance evaluation 

      g) Clause 10: Improvement and correction plan for non-conformities 

2) How are ISO 27001 Annex A controls related to ISO 27001 Requirements? 

3) Conclusion 

What are the ISO 27001 Requirements? 

The ISO 27001 Requirements guide talks about the different Information Security Management System (ISMS) policies and procedures that one must implement in order to demonstrate compliance with the clauses (4-10) listed in the ISO 27001 compliance framework. 

In order to become ISO 27001 certified, it is necessary to align your ISMS with the requirements of ISO 27001. These requirements aim to help organisations or businesses continuously create, maintain and improve their ISMS posture.

ISO 27001 Requirements

There is a total of seven ISO 27001 Requirements or clauses listed through clauses 4-10 in the compliance framework that your organisation would need to become compliant with, based on the scope of your ISMS. Here is the complete list as follows: 

Clause 4: Context of the organisation 

This document will set out the type of operations that your ISMS will be applied to, as well as the boundaries that will be placed upon it. The scope sets the context that you draft for ISO 27001 compliance. The scope will include information on all of the identified risks and the measures you have implemented to mitigate unauthorised access to sensitive information.  

Establishing the applicability of the management system will need you to describe the type of products and services that are provided by your organisation, and where they are provided. Outlining the boundaries will need you to outline the parts of your organisation that the ISMS will apply to. This will include the processes, sites, departments, divisions etc. This scope is also used by the auditor during the ISO 27001 to understand the risks that have been identified and the security measures that have been implemented within the organisation.  

Clause 5: Leadership and commitment 

The top management of the organisation should demonstrate their ownership and a strong commitment to compliance by taking part in training programs and enabling the team with all the necessary resources that are needed to get the job done efficiently.  

As a part of Clause 5, you will be asked to establish your Information Security Policy and objectives. Your Information Security Policy essentially acts as a statement that your organisation’s goal is to manage information in a secure manner which complies with any legal regulations and ethical obligations, besides showing evidence of a desire for continual improvement. Your Information Security Policy should also demonstrate your commitment to any action that will help improve the security of the information that your organisation holds. 

Clause 6: Planning for risk management 

The ISO 27001 global standard does not mandate the list of things that every organisation should implement in order to be compliant. Instead, they require organisations to have their security measures and policies tailor-made according to their business’ unique needs and specifications. Every single business works uniquely, and hence the risks of maintaining the safety, confidentiality and integrity of sensitive data differ significantly.  

The Clause 6 of the ISO 27001 compliance framework requires an organisation to elaborate on its information risk treatment process, the statement of applicability as well as its risk treatment plan – all three of which have been briefly discussed as follows: 

1) Risk Treatment Process: Your Risk Treatment Process has to set out how you will identify risks to information security as well as your approach to mitigating these risks and addressing them appropriately 

2) Statement of Applicability: The Statement of Applicability outlines the Annex A controls that you have selected or omitted, and explains your thinking behind your choices.   

3) Risk Treatment Plan: Once you are done establishing the security controls that you have chosen, you will then have to document the way that your organisation will respond to the mentioned threats.

ISO 27001 Foundation
 

Clause 7: Allocation of resources 

The ISO 27001 global standard requires organisations to allocate their resources in order to meet their requirements. However, many organisations tend to misunderstand this particular clause and struggle to allocate their full-time resources to the implementation and management of ISO 27001. This clause states that specific team members of an organisation can take up the ownership of implementing the security and policy requirements as listed in the ISMS. This clause also states that the employees tasked with the responsibility of implementing the security and policy requirements should be given authorised access to training resources. 

Clause 8: Regular assessments and evaluations of operational controls 

ISO 27001 requires every organisation to continuously monitor their ISMS and regularly evaluate if the general performance of the controls and policies that have been implemented are effective. With a periodic performance evaluation routine set in place, organisations are expected to make improvements to their systems in order to meet the requirements consistently. Additionally, these performance evaluations should be properly documented and presented as evidence during the course of an audit to demonstrate compliance.  

The eighth clause in the ISO 27001 compliance framework prescribes a Risk Assessment Report to be submitted. This document is a report on a risk assessment that is performed in line with the Risk Treatment Process as outlined in Clause 6. This report will describe the findings of your assessment, which includes any risks identified, and any treatment that was undertaken in order to mitigate or avoid the risks.   

Clause 9: Performance evaluation 

Performance evaluations also tend to serve as an excellent guide and framework when one is conducting internal audits. An external auditor makes use of these performance evaluations to assess whether an organisation has properly implemented the necessary controls and policies and maps them with the ISMS scope that you previously established. Clause 9 elaborates on the monitoring and measurement results, the results of the internal audits and the results of the management review – all of which we will briefly discuss as follows: 

1) Monitoring and measurement results: One will need to have a record of the continual evaluations as encouraged by the ISO 27001 standard. This will serve as evidence of whether the organisation’s controls are working as intended. 

2) Internal audit results: Internal audits help demonstrate compliance with the processes implemented for your ISMS. This record holds details of a regular internal audit, as well as the results of any issues or opportunities for improvements. 

3) Results of the management review: The senior management should review the ISMS on a regular basis to ensure that the controls are functioning, and a record of the same should be preserved.   

Clause 10: Improvement and correction plan for non-conformities 

Whenever a non-conformity pops up in your ISMS, your organisation must make sure to document that particular instance with reasons that explain what caused the occurrence of the non-conformity as well as the corrected measures that have been implemented.  

The document recorded should include information about the following: 

1) The individual responsible for the non-conformity 

2) The nature of the non-conformity 

3) Details on concessions (if applicable) 

4) Corrective measures implemented 

Register for our ISO 27001 Internal Auditor course to enhance your auditing skills and safeguard your organization's information! 

How are ISO 27001 Annex A controls related to ISO 27001 Requirements? 

The ISO 27001 Requirements list the policies and controls that an organisation must implement. However, it does not provide a validating mechanism to check whether the deployed controls are functioning optimally. This is where the Annex A controls come in. During the course of an audit, an auditor uses the ISO 27001 Annex A controls as the benchmark to measure the effectiveness of the policies and controls of the ISO 27001 framework.  

The ISO Annex A outlines the controls that are often associated with various risks. Depending on the controls that your organisation selects, you will also be needed to document: 

1) Definition of security roles and responsibilities (Clauses A.7.1.2 and A.13.2.4) 

2) Inventory of assets (Clause A.8.1.1) 

3) Acceptable use of assets (Clause A.8.1.3) 

4) Access control policy (Clause A.9.1.1) 

5) Operating procedures for IT management (Clause A.12.1.1) 

6) Secure system engineering principles (Clause A.14.2.5) 

7) Supplier security policy (Clause A.15.1.1) 

8) Incident management procedure (Clause A.16.1.5) 

9) Business continuity procedures (Clause A.17.1.2) 

10) Statutory, regulatory, and contractual requirements (Clause A.18.1.1) 

11) Logs of user activities, exceptions, and security events (Clauses A.12.4.1 and A.12.4.3)  

Register for our ISO 27001 Lead Auditor course to become a certified ISO 27001 Lead Auditor and protect your organization's data! 

Conclusion 

All in all, an organisation needs to ensure that they fulfil all the abovementioned requirements to gain compliance with the ISO 27001 standard. These ISO 27001 Requirements need to be fulfilled for an organisation to comply with the ISO 27001 standard, and are the prerequisites for an organisation to strengthen its security controls and protect its information. 

Take the first step towards securing your organization's information with our ISO 27001 Foundation course – register now! 

Back to top