ISO 27001 Requirements

What are the ISO 27001 Requirements?

ISO 27001 provides an internationally recognised framework to implement a robust ISMS (information security management system).

Like other popular ISO management system standards, ISO 27001 follows the Annex SL structure, which ensures consistency across management systems. Annex SL is a high-level structure that provides common clause titles, core text, terms and definitions. Whilst the technical content varies from standard to standard, the framework and structure are the same, which makes it easier to run an ISMS alongside other ISO management systems.

Annex SL consists of 10 clauses. Clauses 1 to 3 (scope, normative references, and terms and definitions) are introductory; the seven requirement clauses, 4 to 10, carry the auditable requirements that an organisation must meet to be certified. The aim is a management system that protects information consistently rather than relying on ad hoc effort.

The Seven Requirement Clauses Are:

  • Context of the Organisation (Clause 4)
  • Leadership (Clause 5)
  • Planning (Clause 6)
  • Support (Clause 7)
  • Operation (Clause 8)
  • Performance Evaluation (Clause 9)
  • Improvement (Clause 10)

Context of the Organisation (Clause 4)

You are required to determine the external and internal issues relevant to your organisation's purpose, identify the interested parties relevant to the ISMS and their requirements, and use that context to define the scope and boundaries of the ISMS. The scope must be documented, because it is what a certification audit is assessed against.


Leadership (Clause 5)

Directors and senior managers must demonstrate leadership and commitment to the ISMS. This includes establishing an information security policy, defining roles and responsibilities, and ensuring the availability of necessary resources.


Planning (Clause 6)

Organisations must define and apply an information security risk assessment process: set risk acceptance criteria, identify the risks to the confidentiality, integrity and availability of information within the ISMS scope, assign a risk owner to each, and analyse and evaluate the risks against those criteria. They must then define a risk treatment process, select the controls needed to treat the risks (comparing the selection against Annex A to produce a Statement of Applicability), obtain the risk owners' approval of the risk treatment plan and their acceptance of any residual risk, and set measurable information security objectives.
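As an added example (not from this page, from ISO 27001 or from ISO QSL), the following Python sketches the mechanics Clause 6 asks for: a qualitative risk assessment with stated acceptance criteria, a named owner for each risk, a treatment option derived from those criteria, a prioritised treatment plan, and a check for accepted risks that still lack the owner's recorded sign-off. The 5x5 scales, the acceptance threshold of 6, the rule that severe-impact risks are avoided or shared rather than modified, and the sample register are all assumptions chosen for illustration; ISO 27001 does not prescribe any of them, only that the method gives consistent, comparable results.

```python
from dataclasses import dataclass
from typing import Optional

# Qualitative rating scales. Assumed for illustration; ISO 27001 leaves the
# scales to the organisation and only requires that they give consistent results.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk acceptance criterion (assumed): a score at or below this may be accepted
# by the risk owner; anything above it must be treated.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    ref: str
    asset: str
    threat: str
    owner: str                         # who is responsible for the risk
    likelihood: str
    impact: str
    accepted_by: Optional[str] = None  # recorded sign-off once the owner accepts the risk


def score(risk: Risk) -> int:
    """Risk level = likelihood x impact on the scales above.

    Raises ValueError for a rating outside the defined scales, so a typo in the
    register cannot silently produce a low score.
    """
    try:
        return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    except KeyError as exc:
        raise ValueError(f"{risk.ref}: unknown rating {exc}") from None


def treatment_option(risk: Risk) -> str:
    """Choose a treatment option from the acceptance criterion (assumed rules)."""
    if score(risk) <= ACCEPTANCE_THRESHOLD:
        return "accept"
    if IMPACT[risk.impact] == IMPACT["severe"]:
        return "avoid or share"  # assumed rule: don't just bolt controls onto a severe-impact risk
    return "modify"              # apply controls, typically selected from Annex A


def treatment_plan(register: list[Risk]) -> list[tuple[str, int, str, str]]:
    """Risks above the acceptance criterion, highest score first: (ref, score, option, owner)."""
    rows = [(r.ref, score(r), treatment_option(r), r.owner)
            for r in register if score(r) > ACCEPTANCE_THRESHOLD]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def unconfirmed_acceptances(register: list[Risk]) -> list[str]:
    """Risks within the acceptance criterion that still lack the owner's sign-off."""
    return [r.ref for r in register
            if treatment_option(r) == "accept" and r.accepted_by is None]


# Constructed sample register; the threats mirror the examples given on this page.
SAMPLE_REGISTER = [
    Risk("R1", "HR personnel files", "improper document storage", "HR manager", "possible", "moderate"),
    Risk("R2", "Laptop fleet", "unintentional loss", "IT manager", "likely", "major"),
    Risk("R3", "Backup media", "unintentional destruction", "IT manager", "unlikely", "major"),
    Risk("R4", "CRM database", "unauthorised employee access", "Sales director", "possible", "minor",
         accepted_by="Sales director"),
    Risk("R5", "CRM database", "unauthorised third-party access", "Sales director", "unlikely", "severe"),
    Risk("R6", "Office printer", "unauthorised third-party access", "Facilities", "rare", "minor"),
]

if __name__ == "__main__":
    for ref, level, option, owner in treatment_plan(SAMPLE_REGISTER):
        print(f"{ref}: score {level:2d} -> {option} (owner: {owner})")
    print("accepted without sign-off:", unconfirmed_acceptances(SAMPLE_REGISTER))
```

Running it lists R2, R5, R1 and R3 as needing treatment, in that order, and flags R6 as a risk that sits inside the acceptance criterion but has no recorded acceptance, which is exactly the gap an auditor looks for when checking that residual risks were approved by their owners.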

Support (Clause 7)

Organisations must provide the necessary resources, competencies, awareness, and communication channels to support the implementation and maintenance of the ISMS.

Operation (Clause 8)

Clause 8 is where the plans made under Clause 6 are carried out. Organisations must plan, implement and control the processes needed to meet their information security requirements, keep documented evidence that those processes were carried out as planned, and control planned changes and externally provided processes. The risk assessment must be repeated at planned intervals or when significant changes occur, and the risk treatment plan must be implemented with its results recorded. The specific controls (asset management, human resource security, communications and operations security and so on) are selected from Annex A via the Statement of Applicability rather than spelled out in Clause 8 itself.

Performance Evaluation (Clause 9)

Organisations must determine what needs to be monitored and measured, and how, and must analyse and evaluate the results to judge the performance and effectiveness of the ISMS. This includes conducting internal audits at planned intervals and holding management reviews, with documented results, so that top management can confirm the system remains suitable, adequate and effective.

Improvement (Clause 10)

When a nonconformity occurs, organisations must react to it, evaluate whether similar nonconformities exist or could occur elsewhere, and take corrective action to eliminate the cause so that it does not recur, keeping records of the nonconformity and of the action taken. Beyond that, they must continually improve the suitability, adequacy and effectiveness of the ISMS. Annex SL has no separate "preventive action" requirement: prevention is handled through the risk-based planning in Clause 6.

Learn More about ISO 27001

ISO QSL are experts with years of experience in helping companies achieve ISO 27001 certification. Our knowledgeable team of consultants have their finger on the pulse of the requirements and can assist with the implementation and ongoing management of your ISMS.

Learn More

  • How many clauses are there for ISO 27001?

    ISO 27001 has 10 clauses plus Annex A. Clauses 1 to 3 are introductory (scope, normative references, and terms and definitions), and note that organisations are certified, not accredited (accreditation applies to the certification body). The seven clauses that contain the auditable requirements are:

    • Context of the Organisation (Clause 4)
    • Leadership (Clause 5)
    • Planning (Clause 6)
    • Support (Clause 7)
    • Operation (Clause 8)
    • Performance Evaluation (Clause 9)
    • Improvement (Clause 10)
  • What does the Risk Assessment for ISO 27001 Include?

    The risk assessment and risk treatment methodology document sets out how you identify threats to your information, how you analyse and evaluate the resulting risks, and how the business treats them and responds when they materialise. Individual risks do not need to be listed in the methodology itself; they belong in the risk register and the risk treatment plan. The methodology describes the process for identifying, assessing and treating risks.


    Potential risks you may outline:

    • Improper document storage
    • Unintentional loss
    • Unintentional destruction
    • Unauthorised employee access
    • Unauthorised third-party access


    The methodology should define:

    • How risks are identified
    • Who is responsible for each risk (the risk owner)
    • How the impact of a risk is assessed
    • How the likelihood of a risk is rated
    • The risk acceptance criteria, and the sign-off process once a risk is accepted or its treatment is approved
  • Sounds great, how do I get a quote?

    To obtain a quote either call one of our team on 0330 058 5551 or request a call back below.

  • ISO 27001:2022 has arrived!

    Understand the changes and how to gain compliance in our upcoming ISO 27001 Upgrade Seminar.  Book your place here.

    Introduction to ISO 27001

    Find out more about the ISO 27001 Information Security Management System with our 30 minute training module. All you need is an internet connection and a tablet, laptop or PC.

    It sounds great but…

    Don’t let the myths around the ISO 27001 Information Security Management System hold you back. From thick manuals to ten year contracts, we reveal the truth behind the myths.

    Join the club

    You don’t have to be a big business to feel the big benefits that ISO gives you.

    Find out how ISO 27001 helps our clients protect their data.