Information Security Management

The Structure of the ISO 27001 Clauses

ISO 27001 is structured around seven key clauses (4-10) that define how an organisation designs, operates, and improves its Information Security Management System (ISMS).

Here, I’ll walk you through the high-level construction of each one and what they mean for your Information Security Management System (ISMS).


Written by Alan Parker – ISO 27001 Consultant

Implementing ISO 27001:2022 can feel daunting, especially for small and medium-sized enterprises (SMEs). I get it—resources are limited, time is valuable, and the ISO 27001 standard comes across as pretty dry reading that is open to interpretation.

But I’m here to help, and I have a solid decade of experience in this under my belt, so let’s review the standard and examine each clause at a high level. I can provide a more detailed exploration of each one if you need it, and before you know it, you’ll be ISO 27001 compliant.


What Are the Clauses of ISO 27001?

The 27001 standard is organised into clear requirements (called clauses) that form the framework of your Information Security Management System (ISMS). In ISO 27001, clauses 4 through 10 contain all the mandatory ISO 27001 requirements your ISMS must meet for certification.

Figure: The Main Clauses of ISO 27001

Annex A, on the other hand, is an appendix at the end of 27001, and is a list of security controls that you select based on your identified risks.

It’s important to understand the difference between “Controls” and “Clauses”:

  • Clauses refer to the sections or chapters outlining the requirements of ISO 27001.
  • Annex A contains 93 controls, grouped into four categories: Organisational, Physical, People, and Technological.

We need only concern ourselves with ISO 27001 clauses 4-10. Clauses 1-3 are like the preamble or blurb in a book. 

Let’s take a look, then, at the objectives of each one.


ISO 27001 Clause 4: Context of the Organisation

Overview of Clause 4: Context of the Organisation

Clause 4 is about understanding your organisation’s context and defining your ISMS’s scope. 

In simple terms, ISO 27001 Clause 4 asks you to paint the big picture: 

  • What does your organisation do? 
  • What are the internal and external factors affecting information security in your business? 
  • Who are the interested parties (stakeholders) that care about your info security, and what do they expect?

Finally, based on all that, what is the scope of your ISMS (which parts of the organisation are included in the ISMS)?

According to the standard, to meet Clause 4, you should “document what your organisation does, what customers need from you, and the scope of your ISMS.”

In my ISO 27001 toolkit, I have a workbook document that walks you through the scope and defines all these aspects.


Understanding the Organisation & its Context (4.1)

In effect, the standard is asking you here to look at all the factors that shape how your organisation will approach information security, and to document the internal and external factors that contribute to that. For example, GDPR might influence how you handle data in your organisation, or you might be in a very competitive market where good information security acts as a differentiator.

You’ll need to explore these factors and capture them as the ‘context’ within which your ISMS operates.


Understanding the Needs & Expectations of Interested Parties (4.2)

Who has a vested interest in your ISMS? Customers, employees, shareholders, regulators, etc.

Capture these and determine what their interests are and, therefore, what they might need from the ISMS.


Determining the Scope of the Information Security Management System (4.3)

This is where you bring together your influences (internal and external factors from 4.1) and the interested parties from 4.2, and document the scope of your ISMS.

In practice, this means figuring out things like your business environment and regulatory and customer requirements and then explicitly writing down what will be covered by your ISMS (and hot tip: I recommend being explicit about what’s not covered).

This clause sets the foundation for everything else: if you skip understanding your context or set a fuzzy scope, you’ll struggle later.




ISO 27001 Clause 5: Leadership

Overview of Clause 5: Leadership

Clause 5 focuses on leadership and commitment.

An ISO 27001 ISMS is a top-down initiative, so Clause 5 concerns ensuring that leadership is on board and accountable. 

ISO 27001 Clause 5 ensures that top management drives the ISMS, not just the IT department. 

In practice, this means establishing an information security policy (a high-level commitment to security and guidance for staff and contractors), assigning roles and responsibilities for information security, and often publishing an information security statement from the CEO or similar. 


Leadership & Commitment (5.1)

The standard requires senior management involvement in the ISMS. They must show leadership and commitment by providing direction, resources, and support. In other words, your executives must not only approve the ISMS but actively promote it.

In my experience, if you don’t have that level of support, you’re looking at trouble when implementing 27001. You’ll be enacting a significant change in attitude towards data and procedure/processes, so you’ll need to ensure someone is standing behind you when you tell people why they need to adapt.


Policy (5.2)

An Information Security Policy is required, which should be endorsed by the senior team, perhaps even signed by the CEO. This is the principal policy for security within the organisation and may point to others (e.g. Bring-Your-Own-Device, Access Control, Password Policy, etc.).


Organisational Roles & Responsibilities & Authorities (5.3)

The management team should set clear roles (e.g., appoint an ISMS manager or team) and make sure everyone understands that information security is a priority. From there, other roles and responsibilities should be defined. ISO 27001 is reasonably relaxed about exactly which roles and responsibilities are documented, but there are a couple that must be fulfilled.


ISO 27001 Clause 6: Planning

Overview Of Clause 6: Planning

Clause 6 is the “planning” phase of your ISMS – largely centred on risk management and security objectives.

Here’s where you systematically identify and address information security risks and opportunities. 


Actions to Address Risks & Opportunities (6.1)

You need to assess information security risks, decide how to treat them, and then plan actions to mitigate them. This process results in a risk assessment report, a risk treatment plan, and the all-important Statement of Applicability (SoA), which lists which security controls (Annex A controls) you’ve chosen to implement and why. 

It’s up to you to determine your organisation’s risk appetite and which risks you will and won’t address. The great thing about 27001 is that it can be tailored to each organisation.
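The chain described above (score each risk, decide a treatment against your appetite, and derive a Statement of Applicability that gives every Annex A control a decision and a justification) is easier to see in code. The block below is an added example, not code from the article or from the author’s toolkit: the 1-5 scoring scale, the appetite threshold, the five risks and the risk-to-control mapping are all constructed, and the handful of Annex A references are quoted from memory of the 2022 standard, so verify them against your own copy. Risk R5 is deliberately inconsistent (above appetite but merely accepted) to show the review check firing.

```python
"""Risk register, treatment decisions and a Statement of Applicability (SoA).

Added example for Clause 6.1; it is not code from the article or its toolkit.
The 1-5 scoring scale, the risk appetite threshold, the risks themselves and the
risk-to-control mapping are all constructed for illustration.
"""
from dataclasses import dataclass

RISK_APPETITE = 9  # assumed threshold: likelihood x impact above this must be treated

# Annex A (2022) references used by the constructed register. Identifiers and
# titles are quoted from memory of the standard; verify against your own copy.
ANNEX_A = {
    "A.6.3": "Information security awareness, education and training",
    "A.7.7": "Clear desk and clear screen",
    "A.8.1": "User endpoint devices",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}

TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    treatment: str            # one of TREATMENTS
    controls: tuple = ()      # Annex A references that treat this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed register; R5 is deliberately inconsistent to show the check firing.
REGISTER = [
    Risk("R1", "Lost or stolen laptop exposes customer data", 3, 4, "mitigate", ("A.8.1", "A.8.24")),
    Risk("R2", "Backups silently stop running", 2, 5, "mitigate", ("A.8.13",)),
    Risk("R3", "Staff fall for phishing e-mail", 4, 3, "mitigate", ("A.6.3",)),
    Risk("R4", "Visitor reads papers left on a desk", 2, 2, "accept"),
    Risk("R5", "Cloud provider outage halts order processing", 3, 4, "accept"),
]


def review_register(register, appetite=RISK_APPETITE):
    """Return the findings an internal reviewer would raise against the register."""
    findings = []
    for r in register:
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.rid}: unknown treatment '{r.treatment}'")
        if r.score > appetite and r.treatment == "accept":
            findings.append(f"{r.rid}: score {r.score} exceeds appetite {appetite} but is accepted")
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{r.rid}: marked mitigate but no controls selected")
    return findings


def statement_of_applicability(register, catalogue=ANNEX_A):
    """Every catalogue control gets a decision and a justification, applicable or not."""
    soa = {}
    for ref, title in catalogue.items():
        treating = sorted(r.rid for r in register if ref in r.controls and r.treatment == "mitigate")
        soa[ref] = {
            "title": title,
            "applicable": bool(treating),
            "justification": (
                f"Treats risk(s) {', '.join(treating)}" if treating
                else "No assessed risk requires this control; reconfirm at next review"
            ),
        }
    return soa


if __name__ == "__main__":
    for finding in review_register(REGISTER):
        print("FINDING:", finding)
    for ref, row in statement_of_applicability(REGISTER).items():
        flag = "YES" if row["applicable"] else "NO "
        print(f"{ref:<7} {flag} {row['title']:<55} {row['justification']}")
```

Two design points carry over to a real register: an accepted risk above appetite is not wrong in itself, but it needs a documented justification, which is why the check surfaces it rather than rejecting it; and the SoA loop visits the whole catalogue, because a control that treats no risk still has to appear with a “not applicable” justification rather than simply being left off.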


Information Security Objectives (6.2)

Clause 6.2 requires setting information security objectives: concrete goals for your ISMS (for example, “reduce average incident resolution time by 20% next year”) and plans for achieving them. 


Planning of Changes (6.3)

A new addition in ISO 27001:2022 is Clause 6.3 (Planning of Changes), which simply asks you to manage changes to the ISMS in a controlled manner (so when you make improvements or modifications, you consider any impacts). 


In summary, under Clause 6, you’ll be doing formal risk management and planning improvements. It’s a critical clause – essentially the “Plan” in the Plan-Do-Check-Act cycle.

ISO 27001 Clause 7: Support

Overview of Clause 7: Support

Clause 7 is all about providing support to make the ISMS work. Even the best plans (Clause 6) will fail if you don’t have the right resources, people, and information. ISO 27001 Clause 7 covers a range of supportive elements.


Resources (7.1)

Ensuring the organisation provides sufficient resources for the ISMS – this could be budget, technology, and personnel time. Essentially, management needs to not just talk the talk but also allocate the necessary money and staffing.


Competence (7.2)

People involved in the ISMS (from the security team to any staff with ISMS responsibilities) must be competent.

You’ll need to determine what skills are needed and fill any gaps with training or hiring. For example, if you appoint an internal auditor, ensure they’re trained in ISO 27001 auditing.


Awareness (7.3)

Everyone in the organisation (within scope) should be aware of the ISMS to the extent relevant—especially of the information security policy, their responsibilities, and the consequences of not following the rules.

In practice, this means running security awareness programs so that employees understand why information security matters and how they can help.


Communication (7.4)

You must plan for internal and external communications regarding the ISMS. This includes what to communicate, when, who will communicate, and with whom.

For example, internally, you might have a schedule for security briefings or a policy communication plan; externally, you might decide how to communicate security information to customers or regulators.

Clause 7.4 ensures that important information flows to the right stakeholders.

One crucial aspect is making sure the people responsible for information security have open channels to discuss and report on ISMS matters (no ISMS should operate in a silo).



Documented Information (7.5)

ISO’s way of saying “document control and record-keeping.” You must create and maintain the documentation required by the standard (policies, procedures, plans, etc.) and control them (approve documents, keep them up to date, manage changes).

Additionally, you need to keep records as evidence (for example, training records, monitoring logs, and audit reports).

Clause 7.5 has sub-parts on how to create and update documents and control them (e.g. making sure the latest versions are used and old ones are archived).


In short, Clause 7 ensures your ISMS is supported with people, knowledge, and paperwork.

A lot of this is common-sense management: make sure people know what to do, have the skills to do it, and have the resources to do it – and keep good records. 

ISO 27001 Clause 8: Operation 

Overview of Clause 8: Operation

Clause 8 is where things move into action, putting controls and mitigation actions into effect—this is the “Do” part of the ISMS. 

After planning in Clause 6 and organising support in Clause 7, Clause 8 requires you to implement and operate the ISMS processes. 

To be ISO 27001 certified, Clause 8 requires you to carry out risk assessment and risk treatment in practice, on an ongoing basis. The 2022 version breaks Clause 8 into a few sub-clauses:


Operational Planning and Control (8.1)

This general requirement says to execute your plans from Clause 6 and manage your ISMS operations.

You should have processes in place to address information security risks in day-to-day operations. In other words, ensure that everything you said you would do (risk treatments, security controls, policies, procedures) is actually being done in the organisation.


Information Security Risk Assessment (8.2)

You must perform security risk assessments at planned intervals or when significant changes happen. This means risk assessment isn’t a one-time activity from Clause 6 – it’s ongoing.

For example, you might do a full risk assessment annually and a fresh assessment if you undergo a big change (like adopting a new technology or a major organisational change).

Clause 8.2 ties back to 6.1.2 (how you perform risk assessment), but here, it’s the regular execution of that process.


Information Security Risk Treatment (8.3)

Similarly, you must implement the risk treatment plan – i.e., put in the controls or other treatments for the risks you’ve identified – and maintain that up to date. If new risks are found or some treatments are ineffective, you adjust accordingly.

Essentially, 8.3 ensures that the risk treatments (controls) are implemented and that you’re keeping your Statement of Applicability and risk treatment plans current.


Think of Clause 8 as the “operationalisation” (is that a word?) of your ISMS. 

If Clause 6 created a game plan, Clause 8 is about executing that game plan and managing the day-to-day security operations. 

For instance, if your plan said, “We will deploy encryption to protect laptops” (risk treatment for an identified risk), under Clause 8, you would roll out that encryption and perhaps keep records that it’s done. 

ISO 27001 Clause 9: Performance Evaluation 

Overview of Clause 9: Performance Evaluation

Clause 9 concerns checking and reviewing how well your ISMS is performing (the “Check” in PDCA). It has three key parts: monitoring and measurement, internal audit, and management review.


Monitoring, Measurement, Analysis and Evaluation (9.1)

Clause 9.1 requires you to determine what needs to be monitored and measured in your ISMS, when and by whom, and to analyse and evaluate those results. This means defining and tracking some metrics or Key Performance Indicators (KPIs) for your ISMS.

For example, you might monitor the number of security incidents per quarter, the percentage of staff that have completed training, average time to respond to incidents, results of phishing tests, etc. You should also evaluate those results – are things improving, getting worse, or meeting your security objectives?

Essentially, Clause 9.1 is about building a feedback mechanism so you know if your ISMS is effective.

Tip: Don’t go overboard – pick meaningful metrics for your business that are EASY to measure (especially when starting out). A handful of measures (like incident counts, audit findings, etc.) are enough to gauge performance if you’re an SME.
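To show what the 9.1 feedback loop looks like when it is actually computed rather than described, here is an added example (not code from the article): it takes a small constructed incident log and training record, works out the metrics the text suggests (incidents per year, average resolution time, training completion), and evaluates them against two constructed objectives of the kind Clause 6.2 asks for, including the article’s own “reduce average resolution time by 20%” target. The years, targets and all the records are assumptions.

```python
"""ISMS performance metrics (Clause 9.1) checked against objectives (Clause 6.2).

Added example, not code from the article. The incident records, training
records, the baseline/review years and the two targets are all constructed.
"""
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed incident log: (id, opened, resolved).
INCIDENTS = [
    ("INC-001", "2023-02-03 09:00", "2023-02-05 09:00"),
    ("INC-002", "2023-06-10 08:00", "2023-06-11 20:00"),
    ("INC-003", "2023-11-01 10:00", "2023-11-03 10:00"),
    ("INC-004", "2024-01-15 09:00", "2024-01-16 09:00"),
    ("INC-005", "2024-05-20 14:00", "2024-05-21 20:00"),
    ("INC-006", "2024-09-02 08:00", "2024-09-03 14:00"),
]

# Constructed training record: (person, completed awareness training this year).
TRAINING = [
    ("alice", True), ("bob", True), ("carol", False), ("dave", True), ("erin", True),
    ("frank", True), ("grace", False), ("heidi", True), ("ivan", True), ("judy", True),
]


def resolution_hours(opened: str, resolved: str) -> float:
    delta = datetime.strptime(resolved, FMT) - datetime.strptime(opened, FMT)
    if delta.total_seconds() < 0:
        raise ValueError("resolved before opened")  # bad data must not silently skew the KPI
    return delta.total_seconds() / 3600


def incidents_by_year(incidents):
    """Group resolution times by the year in which the incident was opened."""
    grouped = defaultdict(list)
    for _, opened, resolved in incidents:
        year = datetime.strptime(opened, FMT).year
        grouped[year].append(resolution_hours(opened, resolved))
    return dict(grouped)


def training_completion_pct(training) -> float:
    done = sum(1 for _, completed in training if completed)
    return round(100 * done / len(training), 1)


def evaluate(incidents, training, baseline_year, review_year,
             resolution_target_pct=20.0, training_target_pct=95.0):
    """Produce the numbers a management review (9.3) would look at."""
    grouped = incidents_by_year(incidents)
    averages = {y: round(sum(v) / len(v), 1) for y, v in grouped.items()}
    base, current = averages[baseline_year], averages[review_year]
    reduction = round(100 * (base - current) / base, 1)
    completion = training_completion_pct(training)
    return {
        "incident_count": {y: len(v) for y, v in grouped.items()},
        "avg_resolution_hours": averages,
        "resolution_reduction_pct": reduction,
        "resolution_objective_met": reduction >= resolution_target_pct,
        "training_completion_pct": completion,
        "training_objective_met": completion >= training_target_pct,
    }


if __name__ == "__main__":
    for key, value in evaluate(INCIDENTS, TRAINING, 2023, 2024).items():
        print(f"{key:<28} {value}")
```

With the constructed data the resolution objective is met (44 hours down to 28, a 36.4% reduction) while the training objective is not (80% against a 95% target), which is exactly the kind of mixed picture a management review needs to see side by side. Note the guard in resolution_hours: a record resolved before it was opened is a data-quality problem, and raising on it is better than letting a negative duration quietly pull the average down.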


Internal Audit (9.2)

You need to conduct internal audits of your ISMS at planned intervals.

An internal audit is a self-check where someone (ideally independent of the audited area) reviews your ISMS against the ISO 27001 requirements and your own policies/procedures. 27001 splits this into 9.2.1 and 9.2.2, but the essence remains: you must have an audit programme (a plan/schedule covering the scope and frequency of audits), carry out audits, report the findings, and keep records.

For a first-timer, you should perform a full internal audit of the ISMS at some point before your certification audit. The internal audit will typically find gaps, allowing you to fix them (through Clause 10’s corrective actions) before the external auditor comes.

Auditors will expect to see at least one completed internal audit and an ongoing plan for future ones.


Management Review (9.3)

Top management must review the ISMS periodically (usually annually) to ensure its continuing suitability, adequacy, and effectiveness.

The standard lists specific inputs that must be considered during a management review. These include things like the status of previous action items, changes in internal/external issues that might affect the ISMS (recall Clause 4 context – has anything changed?), results of monitoring and measuring (Clause 9.1 data), audit results (Clause 9.2), status of corrective actions (Clause 10 issues), fulfilment of objectives (Clause 6.2), and any suggestions for improvement. Management review outputs are decisions and actions related to improving the ISMS, needed changes, and resource needs.

In plain English, a management review is a meeting (or series of meetings) where leadership takes a high-level look at the ISMS “health check” and steers it as needed. You should document these reviews, typically in meeting minutes or a report.

For example, your management review might result in decisions like “increase the security training budget next year” or “add a new objective to cover cloud security” based on the inputs discussed.


Clause 9 ensures that you continually evaluate and improve the ISMS. It forces you to step back to see if it works and produces the desired results. 

ISO 27001 Clause 10: Improvement 

Overview of Clause 10: Improvement

Clause 10 is the final clause, closing the loop by focusing on the continual improvement of the ISMS. 

Even a well-functioning ISMS can always be improved, and inevitably, problems or nonconformities need correction. Clause 10 covers both of those aspects:


Continual Improvement (10.1)

You are required to continually improve the suitability, adequacy, and effectiveness of the ISMS. This is a general but important principle – it means ISO 27001 isn’t a one-and-done project but an ongoing journey.

Continual improvement can take many forms: maybe you streamline a process, further reduce risk in an area, improve user awareness year over year, etc.

For an SME, this could be as simple as holding a post-incident discussion and updating procedures to prevent future issues.

Clause 10.1 reminds you to always look for ways to improve the ISMS and adapt it as your organisation or the threat landscape changes.


Nonconformity and Corrective Action (10.2)

Despite your best efforts, things will go wrong – maybe a policy wasn’t followed, or an audit finds a gap, or an incident happens indicating a failure in a control.

Clause 10.2 establishes a formal process to handle these nonconformities. Whenever you find a nonconformity (i.e., something in the ISMS that does not meet requirements or wasn’t implemented properly), you need to react (take containment action, fix the issue temporarily if needed), analyse the cause, and then take corrective action to eliminate the cause and prevent recurrence.

For example, suppose an internal audit finds that backups weren’t performed as scheduled (nonconformity to your backup procedure). In that case, you might immediately perform a backup (containment), investigate why it was missed (perhaps a staff change or lack of oversight), and then implement a fix (maybe retrain the team or automate a backup reminder system).

You also must record the results of corrective actions. Clause 10.2 is a mini PDCA cycle for each issue: find the root cause, fix it, check that it worked, and keep a record. Many companies maintain a corrective action log or register to track these.
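The “mini PDCA cycle for each issue” above is essentially a workflow with a gate: a nonconformity cannot be closed until containment, root cause, corrective action and an effectiveness check have all been recorded. The block below is an added example of such a corrective action register, not code from the article or its toolkit; the field names, status values and the sample records (one of them the missed-backups case from the text) are constructed.

```python
"""Corrective action register for nonconformities (Clause 10.2).

Added example, not code from the article or its toolkit. The record fields,
status names and the sample nonconformities are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# The steps the text describes: react/contain, analyse the cause, correct,
# check that the correction worked, and keep a record of all of it.
REQUIRED_BEFORE_CLOSURE = ("containment", "root_cause", "corrective_action", "effectiveness_check")


@dataclass
class Nonconformity:
    ncid: str
    source: str                      # e.g. "internal audit", "incident", "management review"
    description: str
    containment: Optional[str] = None
    root_cause: Optional[str] = None
    corrective_action: Optional[str] = None
    effectiveness_check: Optional[str] = None
    status: str = "open"
    history: list = field(default_factory=list)  # the record an auditor will ask for

    def record(self, step: str, detail: str) -> None:
        if step not in REQUIRED_BEFORE_CLOSURE:
            raise ValueError(f"unknown step '{step}'")
        setattr(self, step, detail)
        self.history.append((step, detail))
        self.status = "in progress"

    def missing_steps(self):
        return [s for s in REQUIRED_BEFORE_CLOSURE if getattr(self, s) is None]

    def close(self) -> bool:
        """Only close once every step has been done and recorded; otherwise refuse."""
        if self.missing_steps():
            return False
        self.status = "closed"
        self.history.append(("closed", "all steps recorded"))
        return True


def register_summary(register):
    """What a management review would see: each item's status and outstanding steps."""
    return {nc.ncid: {"status": nc.status, "missing": nc.missing_steps()} for nc in register}


def backup_example():
    """The missed-backups nonconformity from the text, worked through all four steps."""
    nc = Nonconformity("NC-2024-01", "internal audit",
                       "Weekly backups of the file server were not run for three weeks")
    nc.record("containment", "Full backup taken immediately and a restore tested")
    nc.record("root_cause", "Backup duty sat with one person who left; the task was never reassigned")
    nc.record("corrective_action", "Backup job automated; failure alerts go to the IT ticket queue")
    nc.record("effectiveness_check", "Four consecutive weekly backups confirmed at the next audit")
    return nc


if __name__ == "__main__":
    done = backup_example()
    print(done.ncid, "closed:", done.close())
    partial = Nonconformity("NC-2024-02", "incident", "Shared password posted in team chat")
    partial.record("containment", "Password rotated and the message removed")
    print(partial.ncid, "closed:", partial.close(), "missing:", partial.missing_steps())
    print(register_summary([done, partial]))
```

The point of the close gate is the one the article makes about ad hoc patching versus root-cause fixes: an item whose containment is done but whose cause was never analysed stays visibly open in the register summary, so it cannot quietly drop out of the management review.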

Clause 10 ensures your ISMS is in a constant state of growth and improvement.

It’s where you capture lessons learned and improve the ISMS over time. 

An auditor will be interested in how you approach improvements – for instance, do you patch issues ad hoc or systematically address root causes? – and that you have records of issues and improvements. 


FAQs

Do I have to implement all of the clauses of ISO 27001?

Yes. The clauses are mandatory. Look carefully at the standard’s text, where it says things like “… the organisation will have…” or “… the organisation shall…”—that indicates it is mandatory.

Where you have flexibility is the depth of implementation, the scope to which you apply it, and the controls of Annex A (Statement of Applicability). You can implement these things as you choose, but you must justify your decisions.

What are the mandatory documents for ISO 27001?

There are several requirements, including (but not limited to) an Information Security Policy, Roles and Responsibilities, Risk Methodology and Assessments, Risk Treatment Plans, a Statement of Applicability, and others.

I explore them in more detail in my article here.

How long does it take to implement the ISO 27001 clauses?

The answer varies with the size of the organisation, the scope, and other factors, but on average I’d say 2-6 months for the average SME. There are organisations that offer substantially less, but you need to ask yourself whether you are actually implementing the standard as it is documented, or diluting it to the point where it provides no real benefit.

