Information Security Management
ISO 27001 Clauses Explained
A clause-by-clause and sub-clause-by-sub-clause guide to the structure of ISO 27001:2022
ISO 27001 is structured around ten main clauses, but only seven of them contain requirements. Clauses 4 to 10 define how an organisation establishes, operates and improves an Information Security Management System (ISMS).
This page walks through each clause and its sub-clauses, explaining how the standard is actually built.
Written by Alan Parker, ISO 27001 Consultant
Date of Last Revision: 25/4/26
A note on positioning. This page covers the structure of the clauses and what each one contains. If you want a guide to what’s mandatory and how to meet it (with practical examples and common pitfalls), see ISO 27001 Requirements. If you’re new to ISO 27001 entirely, start with ISO 27001 Explained.
How ISO 27001 Is Structured
ISO 27001 follows the High-Level Structure shared by all modern ISO management standards. If you’ve worked with ISO 9001 or ISO 22301, the shape will be familiar.
The standard contains:
- Clauses 1 to 3 – introductory material (Scope, Normative References, Terms and Definitions). No requirements, so most guides skip straight past them.
- Clauses 4 to 10 – the core requirements. Every certified organisation must meet all of them.
- Annex A – 93 security controls grouped into four themes. These are evaluated and applied based on your risk assessment.
Each of the clauses 4 to 10 maps onto the Plan-Do-Check-Act cycle:
- Plan – Clauses 4, 5 and 6
- Do – Clauses 7 and 8
- Check – Clause 9
- Act – Clause 10
By continuing to review and repeat the activities, your ISMS will grow in maturity and be a very different beast in a year or two than it is when you first start.
The diagram below shows every clause and sub-clause in ISO 27001:2022 in a single reference. The written sections that follow add the consultant commentary the diagram can’t carry.
Below, I’m going to summarise each clause and subclause, then link to articles on those areas for more detail.
Clause 4 – Context of the Organisation
Clause 4 sets the foundations for the ISMS. It asks you to understand your environment, identify your interested parties, define the ISMS scope, and confirm the ISMS exists as a real management system – not just a folder of documents.
The four sub-clauses build on each other:
Clause 4.1 captures the issues affecting your information security; Clause 4.2 captures who has a stake; Clause 4.3 turns these into a documented ISMS scope; Clause 4.4 confirms the ISMS itself is established. Of these, Clause 4.3 is the artefact auditors examine first – your scope statement tells them exactly what they’re auditing.
For a typical SME engagement, the scope might be as tight as “the production hosting environment, the engineering team’s laptops, and the customer support function” – rather than the whole company. Tighter scopes are easier to manage, easier to audit, and faster to certify.
Clause 4.3 is where most engagements either start well or start badly. I talk about this a lot (I know!), but a scope that’s too broad could become unmanageable, or at least a burden, and a scope that’s too narrow might get challenged in the first audit. It is a balancing act, but consider “What are we protecting, for whom, and why?”
What auditors look for in Clause 4:
- A documented scope statement with clear boundaries
- Evidence that interested parties were genuinely analysed, not just listed
- Internal/external issues recorded and recent (not last reviewed two years ago)
- The ISMS treated as a real management system, not just a policy folder
Explore Clause 4 in more detail →
Clause 5 – Leadership
Clause 5 is the top-down clause. ISO 27001 cannot be delegated solely to IT or to a single junior champion – the standard explicitly requires top management to demonstrate leadership and commitment, and audit findings here are common when leadership delegation is too aggressive.
The clause splits into three areas: leadership and commitment from top management (5.1), with eight specific activities (items a to h) the standard requires top management to demonstrate; the Information Security Policy itself (5.2), which must be appropriate, documented, communicated within the organisation and made available to interested parties as appropriate; and the assignment of organisational roles, responsibilities and authorities (5.3), including two specifically named responsibilities – ensuring the ISMS conforms to the standard, and reporting on ISMS performance to top management.
In a 30-person SaaS company, “top management” usually means the founder or CEO plus one or two direct reports. I certainly experience this a lot. It’s often tricky in smaller organisations (even worse in micro orgs) to cleanly separate out roles and responsibilities. The standard doesn’t require a formal CISO role – it requires demonstrable leadership engagement, which a small team can deliver if the right people show up.
I quickly learned that auditors care about evidence, not statements of your good intentions. A signed policy on a shelf is the start; minutes showing leadership engaged with ISMS performance is what gets you through.
What auditors look for in Clause 5:
- A signed, dated and communicated Information Security Policy
- Evidence of top management engagement (review minutes, decisions, sponsorship of action)
- Roles and responsibilities documented and known to the people holding them
- The CEO or equivalent able to describe what the policy covers when asked
Explore Clause 5 in more detail →
Clause 6 – Planning
Clause 6 is where the engineering of the ISMS happens. Risk assessment, risk treatment, the Statement of Applicability, information security objectives, and (new in 2022) planning of changes all live here.
Clause 6.1 (Actions to Address Risks and Opportunities) is the largest sub-clause in the standard. It contains the risk assessment requirements (6.1.2) – which must establish risk acceptance criteria, ensure that repeated assessments produce consistent, valid and comparable results, and identify risks to the confidentiality, integrity and availability of in-scope information with named risk owners – and the risk treatment requirements (6.1.3), which produce the Statement of Applicability. The SoA must list the necessary controls, a justification for each inclusion, whether each control is implemented, and a justification for every Annex A control you have excluded – in practice, all 93 controls appear in it. The risk treatment plan must be approved by the risk owners, who must also accept the residual risks.
In my opinion, a good risk register at certification time has 30-60 entries (at least in an SME), not 300. The point is that the risks listed are real, current and tied to actual business activity, not that the register is exhaustive.
Clause 6.2 (Information Security Objectives) asks for objectives that are consistent with the policy, measurable where practicable, monitored, communicated, kept up to date and documented. For each objective the standard then requires five specific planning elements: what will be done, what resources are needed, who is responsible, when it will be completed, and how the results will be evaluated.
Clause 6.3 (Planning of Changes) is the new sub-clause introduced in 2022. Brief, but a sensible addition – it closes a gap where ad-hoc changes could undermine the system.
In any project I run, I’m acutely aware that Clause 6 is where ISMSs are either built properly or built on paper. The risk assessment is the engine; everything in Annex A flows from it. It will take the most time (assuming you already have reasonable security controls in place) – and it should.
What auditors look for in Clause 6:
- A risk assessment methodology that’s documented and consistently applied
- A risk register with named risk owners, scores and treatment decisions
- A Statement of Applicability covering all 93 Annex A controls with justifications
- Measurable, monitored security objectives – not vague aspirations
Explore Clause 6 in more detail →
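The SoA check above is one an internal auditor can automate before Stage 1. The script below is an added example and not code from this page or its author: it encodes the ISO 27001:2022 Annex A numbering (37 organisational controls in theme 5, 8 people controls in theme 6, 14 physical in theme 7, 34 technological in theme 8, 93 in total) and checks an SoA export against it. The CSV layout (columns control_id, applicable, justification, status) and the sample rows are assumptions constructed for the example.

```python
"""Completeness check for an ISO 27001:2022 Statement of Applicability.

Added example (not the page's own tooling). Assumes a hypothetical CSV
export with columns: control_id, applicable, justification, status.
"""
import csv
import io

# ISO 27001:2022 Annex A: 93 controls in four themes, numbered 5.x to 8.x.
# 5 = organisational (37), 6 = people (8), 7 = physical (14), 8 = technological (34).
ANNEX_A_THEMES = {"5": 37, "6": 8, "7": 14, "8": 34}


def expected_control_ids():
    """Every control ID the 2022 Annex A contains, '5.1' through '8.34'."""
    return {f"{theme}.{n}"
            for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)}


def _sort_key(cid):
    theme, num = cid.split(".")
    return int(theme), int(num)


def validate_soa(csv_text):
    """Return the findings an auditor would raise against an SoA export.

    - missing:     Annex A controls the SoA does not address at all
    - unknown:     IDs that are not 2022 Annex A controls (e.g. 2013-style 'A.9.1.1')
    - duplicates:  controls listed more than once
    - unjustified: rows with no justification (inclusion AND exclusion need one)
    - no_status:   applicable controls with no implementation status recorded
    """
    expected = expected_control_ids()
    seen, unknown, unjustified, no_status = [], [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        seen.append(cid)
        if cid not in expected:
            unknown.append(cid)
        if not row["justification"].strip():
            unjustified.append(cid)
        if row["applicable"].strip().lower() == "yes" and not row["status"].strip():
            no_status.append(cid)
    duplicates = sorted({c for c in seen if seen.count(c) > 1})
    return {
        "missing": sorted(expected - set(seen), key=_sort_key),
        "unknown": unknown,
        "duplicates": duplicates,
        "unjustified": unjustified,
        "no_status": no_status,
    }


# Constructed sample: a deliberately incomplete SoA showing each finding type.
SAMPLE_SOA = """control_id,applicable,justification,status
5.1,yes,Required by risk R-12 (policy governance),implemented
5.2,yes,,implemented
6.7,no,No remote working in scope,n/a
6.7,no,No remote working in scope,n/a
7.1,yes,Office perimeter protects on-site records,
A.9.1.1,yes,Access control policy,implemented
8.34,yes,Audit logging of production systems,partial
"""

if __name__ == "__main__":
    findings = validate_soa(SAMPLE_SOA)
    print(f"{len(findings['missing'])} of 93 Annex A controls not addressed")
    for kind in ("unknown", "duplicates", "unjustified", "no_status"):
        print(f"{kind}: {findings[kind]}")
```

Run against a real export, the interesting output is usually the “unknown” list: leftover 2013 identifiers are a reliable sign that an SoA was carried across the transition without being re-mapped.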
Clause 7 – Support
Clause 7 covers the support structures the ISMS needs to operate: resources, people, communication and documentation.
The first three sub-clauses are concise: 7.1 requires you to provide adequate resources, 7.3 requires staff awareness of the policy and their role, and 7.4 requires you to determine internal and external communications relevant to the ISMS.
Clause 7.2 (Competence) is meatier than it looks. The organisation must determine the necessary competence of people doing work that affects information security, ensure they’re competent on the basis of education, training or experience, take action where there’s a gap, and retain documented evidence. “Documented evidence” is what auditors check most often here – generic training records aren’t enough.
For a small team, this often means a simple matrix listing each role, the security responsibilities attached to it, and how that competence is evidenced – induction notes, certifications, or recorded training. Auditors are pragmatic about format; they’re firm about content.
Clause 7.5 (Documented Information) is where the standard’s documentation requirements live. It splits into three: 7.5.1 (general – what documents must exist, including those the standard mandates and those the organisation determines are necessary); 7.5.2 (creating and updating – identification, format, and approval requirements); and 7.5.3 (control – availability, access, retrieval, storage, change control, retention and disposition). This sub-clause is why version control, document approval and naming conventions matter to auditors as much as the content of the documents themselves.
Awareness (7.3) is where audits frequently produce a finding. A generic PowerPoint presentation you’ve emailed to staff isn’t enough; auditors want role-specific understanding. What do your developers need to know? What does HR need to know? And so on for each role.
What auditors look for in Clause 7:
- Evidence of competence per role (training records, certifications, induction)
- Awareness activity that’s role-specific, not just generic e-learning
- A communications approach that’s documented and visibly happening
- Document control: version numbers, approval records, retention rules
Explore Clause 7 in more detail →
Clause 8 – Operation
Clause 8 is where Clause 6 gets executed. Planning is one thing; operation is whether the organisation actually does what it said it would do.
The three sub-clauses are clear: 8.1 covers operational planning and control of ISMS processes, including outsourced ones; 8.2 requires risk assessments to be performed at planned intervals or when significant changes occur; 8.3 requires the risk treatment plan to be implemented with documented evidence of results.
For SMEs, ongoing operation usually means quarterly risk register reviews, monthly check-ins on key controls, and an annual full pass. Anything less and the audit will spot it; anything more and you’re over-engineering.
I think clause 8 is where Stage 2 audits are often won or lost. Stage 1 checks your documents; Stage 2 checks whether you actually do what they say. A risk assessment performed once, six months before the audit, is a finding waiting to happen.
What auditors look for in Clause 8:
- Risk assessments performed at planned intervals – not just once before audit
- Evidence the risk treatment plan is being implemented, not just written
- Records showing controls are operating, not just designed
- Outsourced processes identified and controlled, not invisible
Explore Clause 8 in more detail →
Clause 9 – Performance Evaluation
Clause 9 covers monitoring, internal audit and management review – the three mechanisms by which you check that your ISMS is working. All three must be formally documented with outputs.
Clause 9.1 (Monitoring, Measurement, Analysis and Evaluation) asks you to determine what to monitor, the methods used, when monitoring takes place, when results are analysed, and who is responsible. The methods chosen must produce comparable and reproducible results to be valid.
Clause 9.2 (Internal Audit) splits into 9.2.1 (general principles, requiring audits at planned intervals to determine whether the ISMS conforms to both the standard and the organisation’s own requirements, and is effectively implemented and maintained) and 9.2.2 (the audit programme itself – frequency, methods, responsibilities, planning requirements and reporting). The standard requires auditors to be selected, and audits conducted, so as to ensure the objectivity and impartiality of the audit process – in practice, that means internal audit cannot be done by the team that runs the controls.
Clause 9.3 (Management Review) is one of the most prescriptive sub-clauses in the entire standard. 9.3.1 requires top management to review the ISMS at planned intervals. 9.3.2 lists the inputs the review must consider: the status of actions from previous reviews; changes in external and internal issues; changes in the needs and expectations of interested parties; feedback on information security performance, including trends in nonconformities and corrective actions, monitoring and measurement results, audit results and the fulfilment of objectives; feedback from interested parties; the results of risk assessment and the status of the risk treatment plan; and opportunities for continual improvement. 9.3.3 requires the outputs to be documented, including decisions on continual improvement opportunities and any need for changes to the ISMS.
Most businesses run management reviews quarterly rather than annually, and quarterly is what I would recommend as a minimum – it’s easier to gather inputs in smaller batches than to compile a year’s worth in one sitting. The standard itself only says “at planned intervals” and sets no frequency; treat annual as a floor, not a target.
A note from experience. Management review minutes that record decisions nobody can remember taking get flagged immediately. The standard tells you what must be on the agenda – so use that as your template.
What auditors look for in Clause 9:
- Internal audits conducted by someone independent of the area being audited
- Audit results reported to management with clear actions
- Management review minutes covering all required inputs (the standard names them)
- Monitoring methods that produce comparable, reproducible results
Explore Clause 9 in more detail →
Clause 10 – Improvement
Clause 10 is the engine of continual improvement. It tells you what to do when things go wrong, and how to keep the ISMS evolving.
10.1 requires continual improvement of the ISMS’s suitability, adequacy and effectiveness – short, but binding. 10.2 covers nonconformity and corrective action: when something goes wrong, the organisation must react, evaluate the need to address root causes, implement action, review effectiveness, and update the ISMS where needed – all with documented evidence.
A workable corrective action register in a smaller business has 5-15 active or recently-closed items at any time. If you’ve got two, you’re probably under-recording; if you’ve got 50, your ISMS is likely creaking under its own weight.
When I audit (and I do perform internal audits), I can usually tell within a minute or two whether a corrective action log is alive or just paperwork. Living systems show evidence of root-cause thinking; dead ones show generic fixes that don’t address why things actually went wrong.
What auditors look for in Clause 10:
- A live corrective action register, not a museum piece
- Evidence of root-cause analysis, not just generic “we’ll be more careful next time”
- Effectiveness checks – did the corrective action actually work?
- Updates to the ISMS where corrective actions identified systemic issues
Explore Clause 10 in more detail →
Clauses At a Glance
A quick reference summary of all seven mandatory clauses:
| Clause | Name | What It Covers | PDCA |
|---|---|---|---|
| 4 | Context of the Organisation | Issues, interested parties, scope, ISMS itself | Plan |
| 5 | Leadership | Commitment, policy, roles | Plan |
| 6 | Planning | Risk assessment, risk treatment, SoA, objectives, change | Plan |
| 7 | Support | Resources, competence, awareness, communication, documents | Do |
| 8 | Operation | Operational control, risk assessment execution, risk treatment | Do |
| 9 | Performance Evaluation | Monitoring, internal audit, management review | Check |
| 10 | Improvement | Continual improvement, nonconformity, corrective action | Act |
What Changed in ISO 27001:2022 at the Clause Level
The 2022 update preserved the core clause structure – Clauses 4 to 10 still cover the same areas – but made three changes worth knowing if you’re moving from the 2013 version:
Clause 6.3 – Planning of Changes – is new. It asks you to manage changes to the ISMS in a controlled way. A small addition, but a sensible one – it closes the gap where ad-hoc changes could undermine the system without anyone noticing.
Clause 9.2 (Internal Audit) was restructured into 9.2.1 and 9.2.2. The content is broadly the same – it just splits the general principles from the audit programme requirements more clearly.
Clause 9.3 (Management Review) was restructured into 9.3.1, 9.3.2 and 9.3.3. Again, the substance is similar, but the inputs (9.3.2) and results (9.3.3) are now explicitly separated. This makes the structure easier to follow and audit against.
Beyond the clause structure, the 2022 update also reorganised Annex A from 114 controls in 14 categories down to 93 controls in 4 themes, and introduced 11 new controls. Those changes are covered in detail on the ISO 27001 Requirements page.
The transition deadline of 31 October 2025 has now passed. If you’re certified, you should already be on the 2022 version.
Where to Next
If you’ve understood the structure, the next step depends on what you’re trying to do:
If you’re trying to understand what you have to do to certify → ISO 27001 Requirements
If you want to understand the controls that go alongside the clauses → Annex A Controls
If you want the documentation templates that satisfy the clauses → Free ISO 27001 Toolkit
If you want help building an ISMS that meets all of this → ISO 27001 Consultancy
FAQ: ISO 27001 Clauses
Why does everyone skip clauses 1 to 3?
Because they are introductory material, not requirements of the standard – all the good stuff starts at Clause 4. So when an auditor or consultant talks about “the clauses” of ISO 27001, they mean Clauses 4 to 10.
Are Clauses 4–10 mandatory for certification?
Yes – every certified organisation must address each clause in its ISMS.
How do Clauses relate to the Annex A controls?
The clauses set management requirements; Annex A lists security controls to treat risks identified under Clause 6.
Can small businesses skip parts of the clauses?
No, but the amount of documentation and evidence can scale with size and complexity. Only the Annex A controls can be designated “not applicable”, and only with a documented justification in the Statement of Applicability.
What changed in ISO 27001:2022 at the clause level?
The clause structure stayed the same – Clauses 4 to 10 still cover the same areas – but three changes are worth knowing. Clause 6.3 (Planning of Changes) is new, requiring you to manage ISMS changes in a controlled way. Clause 9.2 (Internal Audit) was restructured into 9.2.1 and 9.2.2 to separate general principles from the audit programme. Clause 9.3 (Management Review) was restructured into 9.3.1, 9.3.2 and 9.3.3 to separate the review itself from its inputs and outputs. The 2022 update also reorganised Annex A and introduced 11 new controls – those changes are covered on the ISO 27001 Requirements page.
Which clause has the most documentation requirements?
Clause 7.5 (Documented Information) sets the rules for how you create, control and maintain documents, but Clause 6 generates the most actual artefacts you have to produce – the risk assessment methodology, the risk register, the risk treatment plan, the Statement of Applicability, and the security objectives. Clause 9 is a close second, requiring internal audit reports, management review minutes and monitoring records. In my experience, around 60-70% of an SME’s ISMS paperwork comes from Clauses 6 and 9 combined.
Can I be certified if I fail one clause?
Not for the clauses themselves. Every certified organisation has to address every clause from 4 to 10 – there’s no opt-out. What you can do is exclude specific Annex A controls from your Statement of Applicability if they’re genuinely not applicable to your organisation, with a documented justification. But the clauses are non-negotiable. If your audit identifies a major nonconformity against a clause, you’ll need to fix it before the auditor can recommend you for certification – which is why a thorough internal audit before your Stage 2 audit is so valuable.
Author Background
This article was written by Alan Parker, an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less, often without a dedicated security team or a large budget.
With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally.
Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done.
Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.