ISO 27001 Clauses 4-10: A Complete Guide

ISO 27001 Clauses

ISO/IEC 27001  is an international standard for creating an information security management system (ISMS). It provides a systematic approach for organisations to manage and protect their sensitive information.

This standard is broken down into Clauses and Security Controls (Annex A) which every organisation that intends to be ISO 27001 compliant is required to follow. The clauses are best described as the pillars of your ISMS, a sort of paint-by-numbers system, where each organisation will choose colours that best suit their business interests and risk appetite.

In October 2022, a revision of ISO/IEC 27001 was published titled – ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection. The updates in the ISMS Clauses 4 – 10 included minor wording and structural changes.

There were changes to Clause 6: Removing ambiguity and outdated language (i.e., control objectives), and some structural changes, for example, Clause 9.2: Internal audit was split into 9.2.1: General and 9.2.2: Internal audit programme. The requirements remain the same as for ISO/IEC 27001:2013.

Another change to note was that Clause 9.3: Management Review was split into three subsections:

  • 9.3.1: General.
  • 9.3.2: Management Review Inputs.
  • 9.3.3: Management Review Results.

The 2022 version also introduced a new Clause which is 6.3: Planning for Changes. Otherwise, the processes and requirements remain the same.

Although the clauses stretch from 1-10, we will focus on clauses 4-10, which contain the specific requirements themselves. It can all get complicated if you are getting into the world of ISO 27001, but we will break it down into its sizeable chunks for easy understanding. Let’s get started!

ISO 27001 Clause 4 – 10

Clause 4 – Context of the Organisation

Think of your organisation as an individual. Just like any individual, no one is an island: your organisation doesn’t exist in isolation. It’s influenced by various internal and external factors.

Maybe it’s the waves of market trends, the storm of the socio-political environment, or the internal shifting sands of the workforce.

All these can and will influence how your information security system will function. That’s what the context means.

PESTLE and Your Organisation’s Context: Adding Colour to Clause 4

When diving further into understanding an organisation’s context in Clause 4.1, a handy framework many turn to is the PESTLE analysis. By weaving a PESTLE analysis into your exploration of Clause 4 you’re painting a fuller picture of your organisation’s context. It’s like plotting your ship’s course with a detailed map instead of just a compass.

This clause asks organisations to be introspective and contemplative. To look around, both inside and out. Ask yourself: What’s going on in our industry? What’s the buzz among our employees?

The intent is simple but crucial: to identify any factor, big or small, that affects your ability to protect your information assets.

It’s a bit like checking the weather before heading out – know what’s coming so you can dress accordingly. There’s no point bringing your brolly when it’s hurricane season.

Clause 5: Leadership

Every project carried out by an organisation requires a leader to literally “take the lead”. You will want a consultant within the Information Security industry with a demonstrated commitment to ensuring the goal of being ISO 27001 compliant is attained.

In partnership with the leader who in some cases is the Chief Information Security Officer, top management should be brought on board in this process. This will ensure that the ISO 27001 standard is not just a tick-in-the-box exercise but a consolidated effort on every leadership level and across all departments.

Leaders will be responsible for the following.

  • Ensuring that responsibilities for implementation and maintenance are assigned.
  • Ensuring objectives of the information security policies are met and integrated into every business process.
  • Establishing an Information Security Policy that is fit for purpose.
  • Communicating the importance of implementation.
  • Ensuring that responsibilities for implementation and maintenance are assigned.
  • Ensuring resources for maintenance are available.

Clause 6: Planning

As the popular saying goes…if you fail to plan, you plan to fail.

In the advent of a security breach, what do you do? Do you hurriedly go online to search for a quick template to get started on your Information Security journey? Probably not.

This clause highlights the importance of identifying risks associated with your business, documenting how they will be addressed, and then analysing, evaluating, and prioritising those risks. This is what we call conducting a Risk Assessment and is the basis for the development of a Risk Treatment Plan.

  1. Risk Assessment: Here you will have to think of the following.
  • Determine your risk criteria, including risk acceptance criteria.
  • Establish criteria for performing information security risk assessments.
  • Ensure repeated risk assessments produce consistent, valid, and comparable results.
  • Identify the information security risks.
  • Analyse the information security risks.
  • Evaluate the information security risks by comparing the results of risk analysis with the risk criteria established.
  • Prioritise the analysed risks for risk treatment.
  1. Risk Treatment: Having completed the above, you will proceed to work on the following.
  •  Select appropriate information security risk treatment options, considering the results of the risk assessment above.
  •  Are there any controls not in Annex A that you need to put in place? Verify that no necessary controls have been left out.
  •  If no? Have you produced a Statement of Applicability to justify? Remember, you must justify every control in Annex A in your SoA, whether you include it, or in the rare case, one is excluded.
  •  Formulate an information security risk treatment plan.
  •  Obtain the risk owner’s approval of the risk treatment plan and acceptance of the residual information security risks obtained.
  •  Finally, all documented information on the risk treatment process should be retained.

Clause 6 concludes by emphasising that if your organisation wants to make changes to the ISMS, it is essential they are carried out in a planned and organised manner.

Clause 7: Support

Attaining ISO 27001 Compliance is no easy fit, except of course – you are following a template. The idea behind this standard is to ensure information security is embedded into your daily processes and fit for purpose.

To achieve this, you need to determine if you have competent persons and resources for the implementation, maintenance, and improvement of the ISMS. Otherwise, you may want to implement an education and training plan to fill this gap.

Having competent staff is crucial for compliance. It is equally important to have evidence of their competence. Additionally, it is necessary to document any actions taken in response and ensure that relevant staff understand the ISMS, policies, and their responsibilities.

Clause 8: Operation

This clause stipulates the processes needed to implement Clause 6. (Planning). According to the standard, you will need to:

  • Establish criteria for the process.
  • Implement control of the process in accordance with the criteria.

This involves documenting the process to ensure confidence in the execution of the planned processes. The organisation must control planned changes and review the consequences of unintended changes – acting to mitigate any adverse effects.

Also, the Standard states that Risk Assessment shall be performed at ‘planned intervals’ or after ‘significant changes’ and keep documented information regarding the activity. The phrase ‘planned intervals’ often confuses people as it sounds arbitrary and vague.

The reason the Standard has it this way is because the ‘planned intervals’ should meet your organisation’s risk appetite. The word ‘planned’ is important – it shows there is foresight and that the process has been thought through.

Clause 9: Performance Evaluation

Here, we investigate what to monitor so that we can measure the results of the ISMS. It’s in this part of your ISMS that you will describe what you will monitor, the methods for doing so, who will be responsible for what and when the monitoring and evaluation/analysis will occur.

Two other critical components under this clause include an Internal Audit Program and a Management Review. The clause states that your organisation is required to conduct planned internal audits to make sure your ISMS complies with the requirements of the standard and is effectively implemented. In conducting an Internal Audit, you will want to consider the following.

  • The audit criteria and scope
  • Selection of independent auditors for objectivity
  • Reporting of results to management

Once this has been presented to the relevant management, you are looking for two main things: areas for non-conformities and feedback on opportunities for continual improvement. 

The idea is to prevent the problem from reoccurring elsewhere. The thing to remember is that your first audit may not be perfect.

Clause 10: Improvement

With all the hard work from documenting your ISMS to conducting either an internal or external audit, having a non-conformity can be frustrating especially when close to meeting the requirements of ISO 27001.

To make progress, you need to look at non-conformities another way. They can find weaknesses in your ISMS that, if fixed, can protect your organisation from events like data breaches.

To initiate this process, your first port of call is undertaking a ‘Root Cause Analysis’. Keep asking ‘why’ until you get to a foundational cause that you can address with a program of corrective action to prevent the issue from reoccurring.

Sometimes, this may require making changes to your ISMS and once implemented, you’ll want to review the effectiveness of the corrective action.

In Conclusion

ISO 27001 requires a meticulous, documented and risk-based approach to ensure compliance and certification. If you are getting started with the standard, you can find a summary of the ISO 27001 documentation required in this checklist or you can access more resources for further reading below.

Risk Crew