Information Security Management
ISO 27001 Requirements
What the Standard Actually Asks of You
A guide to every ISO 27001 requirement — clause by clause, with practical guidance for SMEs.
ISO 27001 sets out a clear set of requirements for building, running and improving an Information Security Management System (ISMS). But the standard itself isn’t always easy to read — and it’s not always obvious what’s genuinely mandatory versus what’s guidance.
This page covers every requirement you need to meet to achieve ISO 27001 certification, explained in plain English, with links to more detail where you need it.
The Two Types of ISO 27001 Requirements
Before diving in, it helps to understand that ISO 27001 requirements come in two distinct forms — and confusing them is one of the most common mistakes organisations make.
Clause Requirements
Clauses 4 to 10 define what your organisation must do to establish and maintain an ISMS. These are non-negotiable. Every organisation seeking certification must meet all of them.
Annex A Controls
Annex A contains 93 security controls. You don’t implement all of them — but you must evaluate every one and document your decisions in your Statement of Applicability.
The clauses tell you how to run your ISMS. The controls tell you how to secure your information assets. Both matter for certification.
The Mandatory Clause Requirements (Clauses 4–10)
Clauses 1 to 3 (scope, normative references, and terms and definitions) are introductory and contain no requirements. Everything from Clause 4 onwards is mandatory.
Clause 4 — Context of the Organisation
You must understand your organisation’s internal and external environment, identify who has a stake in your information security (customers, regulators, partners), and define the scope of your ISMS. Scope is one of the first things an auditor will examine — get it documented clearly.
Explore Clause 4 and Context of the Organisation
Clause 5 — Leadership
Senior management must demonstrate visible commitment to the ISMS. This means establishing a formal Information Security Policy, assigning roles and responsibilities, and ensuring the ISMS gets the resources it needs. ISO 27001 is explicitly a top-down initiative — it cannot be driven by IT alone.
How to demonstrate leadership under ISO 27001
Clause 6 — Planning
This is where you do your risk work. You must define a risk assessment methodology, identify and evaluate information security risks, and produce a risk treatment plan. You also need to set measurable information security objectives and, under the 2022 update, plan for how changes to the ISMS will be managed.
Discover how to approach Planning in ISO 27001
Clause 7 — Support
You must provide the resources needed to operate the ISMS, ensure relevant staff are competent, run security awareness activities, and maintain documented information. This clause is where your documentation requirements live.
Learn about Support under ISO 27001
Clause 8 — Operation
Planning is one thing — Clause 8 requires you to actually implement and operate it. Risk assessments must be carried out at planned intervals and whenever significant changes occur. Everything you said you’d do in Clause 6 must actually be happening in the organisation.
Discover ISO 27001 clause 8: Operation
Clause 9 — Performance Evaluation
You must monitor, measure and evaluate the performance of your ISMS. This means running internal audits at planned intervals and holding a management review at planned intervals (the standard does not fix a frequency, but annually is the norm auditors expect). Both must be formally documented with outputs.
How Performance Evaluation works under ISO 27001
Clause 10 — Improvement
When audits find gaps or things go wrong, you must take corrective action and document what happened, what you did, and whether it worked. Continual improvement isn’t optional — it’s a core requirement of the standard.
Explore ISO 27001’s continual improvement cycles
The Annex A Control Requirements
Annex A contains 93 controls across four categories. You must evaluate all 93 and document your decisions in your Statement of Applicability — including justifications for any control you exclude.
The four categories, with the number of controls in each:
37 Organisational Controls: policies, roles, supplier management, incident response planning
8 People Controls: screening, training, disciplinary processes, remote working
14 Physical Controls: secure areas, equipment protection, clear desk policies
34 Technological Controls: access control, encryption, malware protection, logging
The full list of ISO 27001 controls
The Statement of Applicability explained
Use the free Annex A applicability checker
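The Statement of Applicability is where auditors most often find gaps: a control with no row at all, or an exclusion with an empty justification. The script below is an added example and is not the page's own applicability checker or template. It assumes the SoA is exported as CSV with the columns control_id, title, applicable, justification and status (those names and every sample row are constructed); the control numbering it relies on is the standard's own Annex A 2022 scheme (5.x organisational, 6.x people, 7.x physical, 8.x technological). It reports missing controls, unjustified exclusions, identifiers that are not Annex A controls and duplicated rows, and can also emit a blank template with all 93 rows so nothing is skipped by omission. The same check answers the FAQ below on whether every control has to be implemented: every control needs a documented decision, not an implementation.

```python
"""ISO 27001:2022 Statement of Applicability (SoA) completeness check.

Added example, not from the original page. It assumes the SoA is exported as CSV
with the columns control_id, title, applicable (yes/no), justification and
status; those column names and all sample rows below are constructed.
"""
import csv
import io
from dataclasses import dataclass, field

# Annex A (2022) numbering: theme 5 = organisational (5.1-5.37), 6 = people
# (6.1-6.8), 7 = physical (7.1-7.14), 8 = technological (8.1-8.34); 93 in total.
ANNEX_A_THEMES = {
    5: ("Organisational", 37),
    6: ("People", 8),
    7: ("Physical", 14),
    8: ("Technological", 34),
}
YES_VALUES = {"yes", "y", "true", "applicable"}


def all_control_ids():
    """Every Annex A control identifier the SoA must account for."""
    return [f"{theme}.{n}"
            for theme, (_, count) in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


@dataclass
class SoAReport:
    missing: list = field(default_factory=list)               # no row for the control
    excluded_unjustified: list = field(default_factory=list)  # 'no' with empty justification
    unknown_ids: list = field(default_factory=list)           # not an Annex A 2022 identifier
    duplicates: list = field(default_factory=list)            # same control listed twice
    applicable_by_theme: dict = field(default_factory=dict)

    def is_complete(self):
        return not (self.missing or self.excluded_unjustified
                    or self.unknown_ids or self.duplicates)


def check_soa(csv_text):
    """Flag the gaps an auditor would look for in an SoA export."""
    expected = set(all_control_ids())
    report = SoAReport(
        applicable_by_theme={name: 0 for name, _ in ANNEX_A_THEMES.values()})
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        if cid not in expected:
            report.unknown_ids.append(cid)
            continue
        if cid in seen:
            report.duplicates.append(cid)
            continue
        seen.add(cid)
        theme_name = ANNEX_A_THEMES[int(cid.split(".")[0])][0]
        if row["applicable"].strip().lower() in YES_VALUES:
            report.applicable_by_theme[theme_name] += 1
        elif not row["justification"].strip():
            report.excluded_unjustified.append(cid)
    # Sort numerically so 5.10 follows 5.9 rather than 5.1.
    report.missing = sorted(expected - seen,
                            key=lambda c: tuple(map(int, c.split("."))))
    return report


def template_csv(default_applicable="yes"):
    """Blank SoA with one row per control, so no control can be silently skipped."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["control_id", "title", "applicable", "justification", "status"])
    for cid in all_control_ids():
        writer.writerow([cid, "", default_applicable, "", "not started"])
    return out.getvalue()


# Constructed sample export: one unjustified exclusion (6.7), one identifier
# outside Annex A (9.1) and a duplicated row (5.1); only four controls covered.
SAMPLE_SOA = """control_id,title,applicable,justification,status
5.1,Policies for information security,yes,,implemented
6.7,Remote working,no,,n/a
7.4,Physical security monitoring,no,No premises; fully remote workforce,n/a
8.24,Use of cryptography,yes,,partial
9.1,Not an Annex A control,yes,,implemented
5.1,Policies for information security,yes,,implemented
"""

if __name__ == "__main__":
    r = check_soa(SAMPLE_SOA)
    print("complete:", r.is_complete())
    print("missing controls:", len(r.missing))
    print("excluded without justification:", r.excluded_unjustified)
    print("unknown ids:", r.unknown_ids, "duplicates:", r.duplicates)
    print("applicable by theme:", r.applicable_by_theme)
```

Run it against a real export and the missing list tells you which controls have never been considered; the excluded_unjustified list is the set an auditor will ask you to explain. Generating the SoA from template_csv() and then editing decisions in place is the simplest way to guarantee all 93 controls are evaluated.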
The Documentation Requirements
ISO 27001 requires you to produce and maintain specific documented information. Some documents are explicitly named in the standard. Others are implied — you need them to demonstrate compliance, even if the standard doesn’t name them directly.
Core mandatory documents include your ISMS scope, Information Security Policy, risk assessment and treatment documentation, Statement of Applicability, information security objectives, and records of internal audits and management reviews.
The full list of mandatory documents
What ISO 27001 Doesn’t Require
A lot of anxiety around ISO 27001 comes from misunderstanding what the standard actually mandates. Here’s what it doesn’t require:
ISO 27001 does NOT require
❌ Any specific technology, tool or software
❌ A dedicated information security team or full-time CISO
❌ Any particular document format or template style
❌ A minimum number of policies beyond those explicitly named
❌ Perfection — it requires a working system and evidence of improvement
The standard is deliberately flexible. A two-person startup and a 200-person managed service provider can both be certified — they’ll just have different scopes, risk profiles and control implementations.
How Long Does It Take to Meet the Requirements?
For most SMEs, meeting the ISO 27001 requirements and reaching certification readiness takes between 60 and 120 days when approached with focus and the right guidance. The quickest any of my clients has been certified is 20 days (non-accredited). For a UKAS-accredited certification, the realistic minimum is around 68 days.
How to get ISO 27001 certified
ISO 27001 certification costs in the UK
Get certified in 90 days
Fixed-fee ISO 27001 consultancy for UK SMEs. Pass guarantee included.
Learn about coaching
Or get the free templates
Need help meeting the ISO 27001 requirements?
I offer fixed-fee ISO 27001 consultancy for UK SMEs — most clients reach certification within 90 days. Or start with the free template toolkit if you’d prefer to work through it yourself.
FAQs
Do I have to implement all 93 Annex A controls?
No. You must evaluate all 93 controls and document your decisions in a Statement of Applicability, but you can exclude controls that are genuinely not applicable — as long as you can justify the exclusion. In practice most SMEs implement the large majority, with only a small number excluded.
What are the mandatory requirements of ISO 27001?
The mandatory requirements are set out in Clauses 4 to 10 of the standard. These cover understanding your context, leadership commitment, risk management, operational implementation, performance evaluation and continual improvement. All organisations seeking certification must meet every clause requirement — there are no optional clauses.
What documents are required by ISO 27001?
The standard explicitly requires several documents including your ISMS scope, Information Security Policy, risk assessment methodology, risk treatment plan, Statement of Applicability, and records of internal audits and management reviews. A number of additional documents are implied by the requirements and expected by auditors.
How is ISO 27001:2022 different from the previous version?
The 2022 update reorganised and consolidated the Annex A controls from 114 to 93, introduced 11 new controls, and added Clause 6.3 (Planning of Changes). The clause structure and core requirements remain the same. Transition from the 2013 version was required by October 2025.
Can a small business meet the ISO 27001 requirements?
Yes — the standard is explicitly designed to be scalable. The requirements are the same regardless of organisation size, but how you meet them is proportionate to your context. A five-person SaaS company will have a much simpler ISMS than a 200-person IT services business, and that’s entirely by design.
What’s the difference between ISO 27001 requirements and controls?
Requirements (Clauses 4–10) define how your ISMS must be structured and operated. Controls (Annex A) define the security measures you select to treat your identified risks. The clauses are about governance; the controls are about security implementation.