ISO 27001 sets out the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). These requirements are defined in Clauses 4 through 10 of the standard and are supported by Annex A, which includes 93 controls.
For context, clauses 0-3 provide helpful background (scope, terminology, and the Plan-Do-Check-Act model) but do not introduce additional requirements.

Mandatory Clause-by-Clause Breakdown

Clause 4: Context of the Organization
- 4.1: Understand your internal and external context, business model, legal landscape, partners, and threat landscape.
- 4.2: Identify relevant stakeholders and understand their expectations (customers, regulators, partners, etc.).
- 4.3: Define the ISMS scope based on locations, systems, data types, and business units.
- 4.4: Establish and maintain the ISMS with appropriate governance and oversight.
Clause 5: Leadership
- 5.1: Executive leadership must actively support and participate in the ISMS.
- 5.2: Develop and approve a formal information security policy that aligns with strategy and risk.
- 5.3: Define and communicate roles and responsibilities to ensure accountability and avoid conflicts of interest.
Clause 6: Planning
- 6.1: Identify and address information security risks and opportunities.
- 6.2: Set SMART (Specific, Measurable, Achievable, Relevant, Time-bound) security objectives that align with organizational goals.
Clause 7: Support
- 7.1: Ensure sufficient resources (staff, budget, tools) are available to support the ISMS.
- 7.2: Maintain competency through training, hiring, or outsourcing.
- 7.3: Promote awareness so staff understand their responsibilities and the impact of nonconformity.
- 7.4: Establish a communication plan that defines what, when, how, and to whom security matters are communicated.
- 7.5: Keep documented information to demonstrate consistent and repeatable processes.
Clause 8: Operation
- 8.1: Plan and control ISMS operations, with documented procedures and alignment to risk treatment plans.
- 8.2: Perform information security risk assessments regularly and after major changes.
- 8.3: Implement risk treatment plans based on assessment outcomes and monitor control effectiveness.
Clause 9: Performance Evaluation
- 9.1: Monitor, measure, analyze, and evaluate ISMS performance (KPIs, dashboards, incident trends).
- 9.2: Conduct internal audits to validate conformance and effectiveness (detailed below).
- 9.3: Perform management reviews at planned intervals to evaluate the ISMS holistically.
Clause 10: Improvement
- 10.1: Identify and correct nonconformities and document root causes and corrective actions.
- 10.2: Establish a continual improvement process to evolve the ISMS over time.
ISO 27001 Requirements Checklist Must-Dos
ISO 27001 tucks a few mandates into side notes and sub-clauses that are often missed:
1. Statement of Applicability (SoA) – 6.1.3 d: Map all 93 Annex A controls, justify exclusions, and link each inclusion to a risk.
2. Risk Treatment Plan – 6.1.3 e: Schedule, budget, and assign ownership for every control you need but don’t yet have.
3. Documented Information – 7.5: Keep version-controlled evidence for everything above (policies, logs, minutes, test results).
4. Competence Records – 7.2 & 8.1: Prove people can do the jobs you’ve assigned them: training logs, certifications, CVs.
5. Change Management – 8.1: Document and risk-assess significant changes (mergers, cloud migrations, new apps).
6. Information Security Objectives Tracking – 6.2 & 9.1: Show measurable progress; avoid the “set-and-forget” trap.
7. Corrective-Action Register – 10.1: Log, investigate, and close every nonconformity, including those found in internal audits.
ISO 27001 Audit Requirements (Clause 9.2): Validating Your ISMS From the Inside Out
Internal audits are one of the most rigorous and often misunderstood requirements of ISO 27001. They serve as a critical feedback loop for your ISMS, offering an internal assurance mechanism to validate that your policies, controls, and processes are actually working as intended.
What Clause 9.2 Requires
Clause 9.2 of ISO 27001 outlines the mandatory elements of an internal audit program. These audits must be performed at planned intervals and are designed to answer three essential questions:
- Does your ISMS conform to your own internal requirements (e.g., policies, risk appetite, stakeholder expectations)?
- Does it conform to the requirements of ISO 27001?
- Is the ISMS effectively implemented and maintained over time?
To meet these ISO 27001 criteria, you’ll need more than a simple walkthrough. Internal audits must review:
- The full ISMS framework
- All applicable Annex A controls listed in your Statement of Applicability (SoA)
- Supporting policies, procedures, and performance evidence
Clause 9.2 vs. Clause 9.1: What’s the Difference?
Although both fall under “Performance Evaluation,” Clause 9.1 and Clause 9.2 serve distinct but connected roles in ISO 27001 compliance:
| Clause 9.1 | Clause 9.2 |
| --- | --- |
| Focuses on monitoring, measuring, and analyzing ISMS performance metrics and trends | Focuses on a formal internal audit program to assess conformance and effectiveness |
| Typically includes dashboards, KPIs, incident logs, and trend reports | Includes documented audit findings, risk control testing, and SoA verification |
| Performed by teams with operational oversight | Must be performed by independent, competent personnel |
| Inputs into the management review | Results are reported as part of the management review |
Together, they provide a dual lens: Clause 9.1 shows performance health, while Clause 9.2 validates system conformance.
Frequently Asked Questions on ISO 27001 Certification Requirements
How long does ISO 27001 implementation usually take?
Most small-to-mid-size organizations reach Stage 2 certification in 6–12 months. Timelines stretch when scoping is vague, risk assessments stall, or leadership engagement is weak.
How often must we perform internal audits (Clause 9.2)?
The standard says “at planned intervals.” In practice, auditors expect at least one full ISMS cycle every 12 months, with higher-risk areas reviewed more frequently.
What’s the difference between ISO 27001 and ISO 27002?
ISO 27001 is the certifiable standard: it contains the mandatory clauses and the high-level control objectives. ISO 27002 is a guidance document that explains how to meet those control objectives with detailed implementation tips.
What documents are auditors most interested in?
- Risk assessment & treatment methodology (Clause 6.1)
- Statement of Applicability (SoA)
- ISMS policy and scope statement
- Evidence logs
What are the most common non-conformities during certification audits?
- Risk assessments that don’t use defined criteria
- SoAs that don’t match the actual control environment
- Internal audits performed by non-independent personnel
- Management reviews that are cursory or undocumented
- Missing evidence that objectives are tracked and measured