
ISO 27001 Clause Guide: Documentation Hierarchy, Controls & Implementation Guide [Complete Edition]

14 min read

Tags: ISO 27001, Clauses, ISMS, Controls, Documentation, PDCA, Statement of Applicability, SoA, Audit


The ISO 27001 standard document is only about 30 pages.

But it's hard to understand.

The clauses read like legal text—you recognize every word, but together they don't make sense.

This article explains each clause in plain language, helping you truly understand what ISO 27001 requires.

For a complete introduction to ISO 27001, see ISO 27001 Complete Guide.


ISO 27001 Structure Overview

Clause Text (Clauses 4-10)

The main body of ISO 27001 has two parts:

  1. Clause text (Clauses 4-10): Tells you how to build the management system
  2. Annex A: Lists 93 controls

Clause text structure:

Clause    | Name                        | Key Content
--------- | --------------------------- | -----------------------------------------------
Clause 4  | Context of the organization | Understanding internal and external environment
Clause 5  | Leadership                  | Top management commitment and responsibility
Clause 6  | Planning                    | Risk assessment, objective setting
Clause 7  | Support                     | Resources, competence, document management
Clause 8  | Operation                   | Actual implementation of controls
Clause 9  | Performance evaluation      | Monitoring, internal audit, management review
Clause 10 | Improvement                 | Nonconformity handling, continual improvement

Annex A (Controls)

Annex A lists 93 controls, divided into four themes:

Theme                   | Count | Examples
----------------------- | ----- | ---------------------------------------------------------
Organizational controls | 37    | Information security policy, roles and responsibilities
People controls         | 8     | Personnel screening, awareness training
Physical controls       | 14    | Physical security, equipment protection
Technological controls  | 34    | Access control, encryption, backup

PDCA Cycle Mapping

ISO 27001 is built on the PDCA (Plan-Do-Check-Act) cycle.

PDCA  | Corresponding Clauses | Meaning
----- | --------------------- | -----------------------------------------------------------
Plan  | Clauses 4, 5, 6       | Understand environment, get commitment, plan how to do it
Do    | Clauses 7, 8          | Prepare resources, actually implement
Check | Clause 9              | Monitor effectiveness, audit verification
Act   | Clause 10             | Handle problems, continually improve

Key point: This is a cycle, not a one-time thing. It must be continuously executed every year.


Clause-by-Clause Interpretation

Clause 4: Context of the Organization

Original point: Understanding the organization and its context

In plain language:

Before building your ISMS, you need to figure out a few things:

4.1 Understanding the organization and its context

Ask yourself:

  • What is the company's business?
  • What internal challenges do you face? (Insufficient staff, limited budget)
  • What external challenges? (Regulatory requirements, market competition)

4.2 Understanding the needs and expectations of interested parties

Interested Party | Possible Needs
---------------- | ---------------------------------------
Customers        | Data security, service availability
Employees        | Clear policies, proper training
Regulators       | Regulatory compliance
Shareholders     | Risk management, reputation protection

4.3 Determining the scope of the ISMS

Not every part of the company needs to be included. Decide:

  • Which departments?
  • Which services?
  • Which locations?
  • Which systems?

4.4 ISMS and its processes

Establish, implement, maintain, and continually improve the ISMS.

Clause 5: Leadership

Original point: Leadership and commitment

In plain language:

Without management support, the ISMS won't succeed.

5.1 Leadership and commitment

What top management must do:

  • Publicly express support for ISMS
  • Ensure sufficient resources (people, money, time)
  • Integrate security into daily operations
  • Support relevant personnel in performing their duties

5.2 Policy

Establish an "Information Security Policy":

  • State the company's commitment to security
  • Include objectives or framework for setting objectives
  • Commit to meeting requirements and continual improvement
  • Make sure all employees know this policy

5.3 Roles, responsibilities, and authorities

Clearly assign:

  • Who is responsible for overall ISMS operation
  • Who reports to top management
  • Security responsibilities for each department/person

Clause 6: Planning

Original point: Actions to address risks and opportunities

In plain language:

This is the core of ISMS—risk assessment.

6.1 Actions to address risks and opportunities

6.1.1 General

Identify:

  • What factors might prevent ISMS from achieving objectives (risks)
  • What factors can help achieve objectives (opportunities)

6.1.2 Information security risk assessment

This is the most important step:

Step                        | Content
--------------------------- | ---------------------------------------------------
1. Identify assets          | List information assets to protect
2. Identify threats         | Events that could harm assets
3. Identify vulnerabilities | Weaknesses that could be exploited by threats
4. Assess impact            | How serious if it happens
5. Assess likelihood        | How likely to happen
6. Calculate risk value     | Impact × Likelihood
7. Prioritize               | Decide which risks to address first

6.1.3 Information security risk treatment

For each risk, you can choose:

Treatment | Description                        | Example
--------- | ---------------------------------- | ----------------------------------
Mitigate  | Implement controls to reduce risk  | Install firewall
Transfer  | Transfer risk to others            | Buy cyber insurance
Avoid     | Don't do this activity             | Don't offer certain services
Accept    | Accept the risk exists             | Risk is very low, don't address
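The 6.1.2 steps and the 6.1.3 treatment options above, carried through as a small risk register. This is an added example written for this guide, not text from the standard: the 1..5 rating scales, the acceptance criterion of 4, the sample assets and the residual ratings are all constructed assumptions, and the Annex A numbers in the justifications (8.8, 8.13, 8.24) are the ones discussed later in this article.

```python
"""Illustrative risk register for Clause 6.1.2 / 6.1.3 (added example).
Assumptions: impact and likelihood are rated 1..5, risk value is
impact x likelihood (range 1..25), and the organisation's risk acceptance
criterion is a value of 4 or below. None of these numbers come from ISO 27001;
every organisation defines its own scale and criterion."""
from dataclasses import dataclass

TREATMENTS = {"Mitigate", "Transfer", "Avoid", "Accept"}
ACCEPT_AT_OR_BELOW = 4  # assumed risk acceptance criterion


@dataclass(frozen=True)
class Risk:
    asset: str          # step 1
    threat: str         # step 2
    vulnerability: str  # step 3
    impact: int         # step 4: 1 negligible .. 5 severe
    likelihood: int     # step 5: 1 rare .. 5 almost certain

    def __post_init__(self):
        for name in ("impact", "likelihood"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be rated 1..5")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood  # step 6: Impact x Likelihood


def prioritize(risks):
    """Step 7: highest risk value first; ties are broken by impact so a
    severe-but-rare risk ranks above a frequent-but-minor one."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


@dataclass(frozen=True)
class Treatment:
    risk: Risk
    option: str
    justification: str
    residual_impact: int
    residual_likelihood: int

    @property
    def residual_score(self) -> int:
        return self.residual_impact * self.residual_likelihood

    @property
    def above_criterion(self) -> bool:
        """True when residual risk still needs explicit management acceptance."""
        return self.residual_score > ACCEPT_AT_OR_BELOW


def decide(risk, option=None, justification="", residual=None):
    """6.1.3: record one treatment decision. Accept is only permitted within
    the acceptance criterion; Mitigate/Transfer/Avoid must state why and what
    the expected residual rating (impact, likelihood) is after treatment."""
    if option is None:
        option = "Accept" if risk.score <= ACCEPT_AT_OR_BELOW else "Mitigate"
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option {option!r}")
    if option == "Accept":
        if risk.score > ACCEPT_AT_OR_BELOW:
            raise ValueError(f"risk value {risk.score} exceeds the acceptance criterion")
        return Treatment(risk, option, justification or "within acceptance criterion",
                         risk.impact, risk.likelihood)
    if not justification or residual is None:
        raise ValueError(f"{option} requires a justification and a residual rating")
    return Treatment(risk, option, justification, *residual)


# Constructed sample data; not a real organisation's register.
SAMPLE_RISKS = [
    Risk("Customer database", "Ransomware", "Servers missing security patches", 5, 4),
    Risk("Laptop fleet", "Device theft", "No full-disk encryption", 4, 3),
    Risk("Public website", "Denial of service", "Single hosting provider", 3, 3),
    Risk("Lobby display", "Shoulder surfing", "Screen visible from the street", 1, 2),
]

# Constructed treatment decisions keyed by asset; risks with no entry fall
# through to decide()'s default (Accept when within the criterion).
SAMPLE_DECISIONS = {
    "Customer database": ("Mitigate", "Monthly patching (8.8) plus offline backups (8.13)", (5, 1)),
    "Laptop fleet": ("Mitigate", "Enable full-disk encryption (8.24)", (1, 3)),
    "Public website": ("Transfer", "Host behind a provider whose contract covers availability", (2, 2)),
}


def build_register():
    """Return the treatment plan in priority order (the 6.1.3 output)."""
    plan = []
    for risk in prioritize(SAMPLE_RISKS):
        option, why, residual = SAMPLE_DECISIONS.get(risk.asset, (None, "", None))
        plan.append(decide(risk, option, why, residual))
    return plan


if __name__ == "__main__":
    for t in build_register():
        flag = " (residual above criterion: needs management acceptance)" if t.above_criterion else ""
        print(f"{t.risk.score:>2} {t.risk.asset:<18} {t.option:<8} residual={t.residual_score}{flag}")
```

Note that the first entry still shows a residual value above the criterion even after treatment: a severe impact does not disappear just because patching makes the event rare, which is exactly the situation where the register should record a documented management acceptance rather than silently lowering the number.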

6.2 Information security objectives and planning to achieve them

Set specific security objectives, such as:

  • Reduce security incidents by X%
  • 100% employee training completion rate
  • 99.9% system availability

6.3 Planning of changes (New in 2022 version)

When ISMS needs changes, make them in a planned manner.

Clause 7: Support

Original point: Resources needed for ISMS operation

In plain language:

With a plan, you need resources to execute.

7.1 Resources

The company must provide sufficient:

  • Manpower
  • Budget
  • Time
  • Tools

7.2 Competence

People responsible for security work must have adequate competence:

  • Obtained through education, training, experience
  • Maintain evidence of competence (certificates, training records)

7.3 Awareness

All employees must know:

  • The company's information security policy
  • Their role in the ISMS
  • Consequences of non-compliance

7.4 Communication

Decide:

  • What to communicate (content)
  • When to communicate (timing)
  • With whom to communicate (audience)
  • Who communicates (responsible person)
  • How to communicate (method)

7.5 Documented information

The ISMS needs supporting documents:

  • Documents required by the standard
  • Documents the organization deems necessary
  • Documents must be controlled (version, review, release)

Clause 8: Operation

Original point: Operational planning and control

In plain language:

Everything before was planning; this is actually doing it.

8.1 Operational planning and control

Implement what was planned in Clause 6:

  • Execute risk treatment plan
  • Implement selected controls
  • Control planned changes
  • Manage outsourced processes

8.2 Information security risk assessment

Re-execute risk assessment periodically:

  • At least once a year
  • When significant changes occur
  • After security incidents

8.3 Information security risk treatment

Execute risk treatment plan, keep records of treatment results.

Clause 9: Performance Evaluation

Original point: Monitoring and measurement

In plain language:

After implementing, check whether it is working.

9.1 Monitoring, measurement, analysis, and evaluation

Monitor:

  • Whether security objectives are achieved
  • Whether controls are effective
  • Whether ISMS processes operate normally

9.2 Internal audit

Periodically audit yourself:

Item      | Requirement
--------- | --------------------------------------------------
Frequency | At least once a year
Scope     | Cover all ISMS processes
Auditors  | Must be independent (can't audit your own work)
Results   | Must be recorded, improvement must be tracked

9.3 Management review

Top management must periodically review ISMS:

Inputs (data to review):

  • Follow-up items from previous review
  • Internal and external changes
  • Audit results
  • Security performance
  • Improvement opportunities

Outputs (decisions to make):

  • Whether ISMS needs changes
  • Whether resources are sufficient
  • Next steps

Clause 10: Improvement

Original point: Nonconformity and continual improvement

In plain language:

When problems are found, fix them. Even without problems, make things better.

10.1 Nonconformity and corrective action

When nonconformity is found:

  1. Immediate response: Control the problem, reduce impact
  2. Analyze cause: Find the root cause
  3. Take corrective action: Prevent recurrence
  4. Verify effectiveness: Confirm correction worked
  5. Update documents: Update risk assessment, ISMS if needed

10.2 Continual improvement

ISMS must continuously improve, not just maintain status quo.


Four-Tier Documentation System

ISO 27001 produces many documents, usually organized in four tiers.

Tier 1: Policies

Nature: Highest-level documents, explaining "why" and "direction"

Examples:

  • Information Security Policy
  • Access Control Policy
  • Password Policy
  • Remote Work Policy

Characteristics:

  • Approved by top management
  • Content is brief and principle-based
  • Rarely changed

Tier 2: Procedures

Nature: Explaining "what to do" and "who does it"

Examples:

  • Risk Assessment Procedure
  • Incident Management Procedure
  • Access Control Procedure
  • Change Management Procedure

Characteristics:

  • Applicable across departments
  • Describes process steps
  • Defines roles and responsibilities

Tier 3: Work Instructions

Nature: Detailed steps on "how to do it"

Examples:

  • Backup SOP
  • Account Request SOP
  • Firewall Configuration Guide
  • Incident Reporting Guide

Characteristics:

  • For specific tasks
  • Detailed specific steps
  • Includes screenshots, examples

Tier 4: Records

Nature: Evidence that you did it

Examples:

  • Risk Register
  • Audit Records
  • Training Sign-in Sheets
  • Change Request Forms
  • Incident Handling Records

Characteristics:

  • Records for every activity
  • Auditors will review
  • Must be properly stored

Required Documents List

Documents explicitly required by ISO 27001:

Clause | Required Document
------ | ---------------------------------------------
4.3    | ISMS scope document
5.2    | Information security policy
6.1.2  | Risk assessment procedure
6.1.3  | Risk treatment plan
6.1.3  | Statement of Applicability (SoA)
6.2    | Information security objectives
7.2    | Evidence of competence
7.5    | Documented information
8.1    | Operational planning and control
8.2    | Risk assessment results
8.3    | Risk treatment results
9.1    | Monitoring and measurement results
9.2    | Internal audit records
9.3    | Management review records
10.1   | Nonconformity and corrective action records

Annex A Control Highlights

The 2022 version divides 93 controls into four themes.

Organizational Controls (37 items)

Covering organizational-level management controls:

Number | Control                             | Key Point
------ | ----------------------------------- | ---------------------------------------
5.1    | Information security policies       | Must have, publish, regularly review
5.2    | Roles and responsibilities          | Clearly assign
5.3    | Segregation of duties               | Avoid one person controlling too much
5.7    | Threat intelligence                 | Proactively collect threat info (New)
5.9    | Inventory of information and assets | List all assets
5.15   | Access control                      | Who can access what
5.23   | Cloud services security             | Cloud usage management (New)

People Controls (8 items)

Covering personnel-related controls:

Number | Control                          | Key Point
------ | -------------------------------- | ----------------------------------------------
6.1    | Screening                        | Background checks
6.2    | Terms of employment              | Include security responsibilities in contracts
6.3    | Security awareness training      | Everyone must understand
6.4    | Disciplinary process             | Violations have consequences
6.5    | Termination/change of employment | Revoke access
6.6    | Confidentiality agreements       | NDAs

Physical Controls (14 items)

Covering physical environment controls:

Number | Control                      | Key Point
------ | ---------------------------- | ----------------------------
7.1    | Physical security perimeters | Access control
7.2    | Physical entry               | Who can enter
7.4    | Physical security monitoring | Cameras, sensors (New)
7.8    | Equipment siting             | Place in secure locations
7.10   | Storage media                | USB, hard drive management
7.14   | Secure disposal              | Clear data when disposing

Technological Controls (34 items)

Covering technical controls:

Number | Control                            | Key Point
------ | ---------------------------------- | --------------------------------
8.1    | User endpoint devices              | Laptop, mobile security
8.5    | Secure authentication              | Login verification
8.7    | Protection against malware         | Antivirus
8.8    | Technical vulnerability management | Patch vulnerabilities
8.9    | Configuration management           | System settings management (New)
8.12   | Data leakage prevention            | DLP (New)
8.13   | Backup                             | Data backup
8.15   | Logging                            | System log recording
8.24   | Use of cryptography                | Encryption

For more details on the changes in the 2022 version, see ISO 27001:2022 Update Guide.


Statement of Applicability (SoA) Writing

What is SoA

SoA (Statement of Applicability) is one of ISO 27001's most important documents.

Purpose:

  • List all 93 Annex A controls
  • State whether each is applicable
  • Explain reasons for non-applicability
  • Describe implementation status for applicable ones

How to Determine Applicability

For each control, ask:

  1. Is it risk-related? Can this control address risks we identified?

  2. Is it legally required? Do regulations or contracts require this control?

  3. Is it business-needed? Does business operation need this control?

If any answer above is "yes," this control is applicable.

Valid Reasons for Excluding Controls

Controls that don't apply need valid reasons.

Acceptable reasons:

Reason                   | Example
------------------------ | ---------------------------------------------------------------------------------
Technology doesn't exist | Company has no wireless network, so wireless security controls don't apply
Business doesn't involve | Company has no software development, so secure development controls don't apply
Outsourced               | Data center managed by provider, physical security is their responsibility
Risk acceptable          | Risk assessment shows risk is extremely low

Unacceptable reasons:

  • "No budget"
  • "Too troublesome"
  • "Don't know how to do it"

SoA Example Format

Number | Control                       | Applicable | Reason/Implementation Status
------ | ----------------------------- | ---------- | ---------------------------------------------
5.1    | Information security policies | Yes        | Established and published, reviewed annually
5.7    | Threat intelligence           | Yes        | Subscribed to CERT alerts
7.6    | Working in secure areas       | No         | Company has no secure areas
8.28   | Secure coding                 | No         | Company has no software development
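A pre-audit sanity check for an SoA kept in the format above. This is an added example, not part of the article or the standard: it derives the full set of 93 control numbers from the four theme counts given earlier (5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14, 8.1 to 8.34), flags controls that are missing or listed twice, requires every row to carry a reason or implementation status, and rejects exclusions justified with the "unacceptable reasons" listed above. The sample rows are the four from the example table plus two constructed bad rows; the matched phrases and the row keys are assumptions.

```python
"""Statement of Applicability checks (added example, constructed data).
Each SoA row is a dict: number, control, applicable (bool), reason."""

# Control numbering per theme in ISO 27001:2022 Annex A: 37 + 8 + 14 + 34 = 93.
THEME_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}
ALL_CONTROLS = [f"{theme}.{n}" for theme, count in THEME_COUNTS.items()
                for n in range(1, count + 1)]

# Phrases that signal one of the article's "unacceptable reasons" (assumed wording).
UNACCEPTABLE_REASONS = ("no budget", "too troublesome", "don't know how")


def check_soa(rows):
    """Return a list of findings; an empty list means the SoA passed every check."""
    findings = []
    seen = set()
    for row in rows:
        num = row["number"]
        if num not in ALL_CONTROLS:
            findings.append(f"{num}: not an Annex A control number")
        if num in seen:
            findings.append(f"{num}: listed twice")
        seen.add(num)
        reason = row.get("reason", "").strip()
        if not reason:
            findings.append(f"{num}: missing reason/implementation status")
        elif not row["applicable"] and any(p in reason.lower() for p in UNACCEPTABLE_REASONS):
            findings.append(f"{num}: exclusion justified by an unacceptable reason: {reason!r}")
    missing = [c for c in ALL_CONTROLS if c not in seen]
    if missing:
        findings.append(f"{len(missing)} controls not listed, e.g. {', '.join(missing[:3])}")
    return findings


# Constructed sample: the four rows from the example table plus two bad rows.
SAMPLE_SOA = [
    {"number": "5.1", "control": "Information security policies", "applicable": True,
     "reason": "Established and published, reviewed annually"},
    {"number": "5.7", "control": "Threat intelligence", "applicable": True,
     "reason": "Subscribed to CERT alerts"},
    {"number": "7.6", "control": "Working in secure areas", "applicable": False,
     "reason": "Company has no secure areas"},
    {"number": "8.28", "control": "Secure coding", "applicable": False,
     "reason": "Company has no software development"},
    {"number": "8.12", "control": "Data leakage prevention", "applicable": False,
     "reason": "No budget this year"},            # constructed: unacceptable exclusion
    {"number": "8.40", "control": "Not a real control", "applicable": True,
     "reason": "Implemented"},                     # constructed: bad control number
]


def complete_soa(status="Implemented"):
    """Helper for the happy path: one applicable row per Annex A control."""
    return [{"number": c, "control": c, "applicable": True, "reason": status}
            for c in ALL_CONTROLS]


if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA):
        print(finding)
```

Run against a real SoA export, the "controls not listed" finding is the one that catches most first-time submissions: an SoA must cover all 93 controls, including the ones marked not applicable, not only the ones the organisation implemented.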

FAQ: Common Clause Questions

Q1: Must I buy the ISO 27001 standard document?

Not mandatory, but highly recommended.

  • Official standard costs about $200
  • Many unofficial versions online, but may be incomplete or outdated
  • If certifying, recommend buying the official version

Q2: Can I use existing documents?

Yes. ISO 27001 doesn't require specific formats.

If existing documents already cover required content, use them directly; no need to create new ones.

Q3: Will auditors check clause by clause?

Yes. Auditors will audit each clause and applicable controls.

But they won't go deep on everything—they'll decide depth based on risk and sampling.

Q4: What if I can't complete all controls?

Handle in phases:

  1. First identify high-risk items that must be done immediately
  2. Put others in improvement plan, complete gradually
  3. Auditors will check if you have a plan, not require everything complete

Q5: Do small companies need this many documents?

Not necessarily.

ISO 27001 doesn't specify document quantity or format. Small companies can simplify, as long as content covers requirements.

Example: Multiple policies can be combined into one "Information Security Policy."


Next Steps

ISO 27001 clauses look complex, but once you understand the logic, you'll find it's a very systematic framework.

If you're preparing for implementation or certification, recommended:

  1. First understand the intent of clauses
  2. Compare with current company status for gap analysis
  3. Develop action plan
  4. Gradually build documents and implement controls

Too many clauses, don't know where to start? Contact us to help interpret clauses and plan your implementation strategy.

