The requirements for an organization’s Information Security Management System (ISMS) in ISO 27001 are outlined in Clauses 4 to 10. These clauses are:

  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

The following is a brief description of each of these clauses.

Clause 4: Context of the organization

An organization’s ISMS needs to document its purpose. It states requirements like:

  • 4.1) The organization needs to identify internal and external issues relevant to it and its ability to have a successful ISMS.
  • 4.2 a) The organization needs to identify stakeholders.
  • 4.2 b) The organization needs to identify each stakeholder’s needs.
  • 4.3) The scope of the ISMS needs to be defined based on the above and made available as documented information.

Clause 5: Leadership

For an ISMS to be effective it needs support and commitment from top management. It states requirements like:

  • 5.1 c) Top management will demonstrate leadership by ensuring that there are sufficient resources available for the ISMS to be successful.
  • 5.2 a) There is an Information Security Policy that is appropriate for the organization.
  • 5.2 f) The Information Security Policy will be made known to people within the organization.
  • 5.3 a) Top management will assign responsibility and authority to people to ensure that the ISMS meets its requirements.

Clause 6: Planning

For an ISMS to be well-designed, it needs to be planned, factoring in risks, opportunities, and security objectives. It states requirements like:

  • 6.1.1 a) When planning the ISMS, the organization needs to address the issues and requirements identified in Clause 4 to ensure that the ISMS can achieve its intended outcomes.
  • 6.1.2 b) The organization needs an information security risk assessment process that ensures assessments are consistent, valid and comparable.
  • 6.1.3 d) The organization needs an information security risk treatment process with a Statement of Applicability. It should list the controls, provide justifications for their inclusion or exclusion, and indicate the current status of each control.
  • 6.2 a) The organization needs to establish information security objectives that are consistent with the Information Security Policy.
  • 6.3) When there is a need to change the ISMS, it will be done in a planned manner.

Clause 7: Support

For an ISMS to be successful it requires appropriate human resources who are well-informed, capable of effective communication, and have access to the necessary documented information on the ISMS. It states requirements like:

  • 7.1) The organization must determine and provide the resources needed for the ISMS.
  • 7.2 b) People working within the ISMS are competent, with the appropriate training and experience.
  • 7.3 c) People working within the ISMS are aware of the implications of not conforming with the requirements of the ISMS.
  • 7.5.1 a) The ISMS includes documented information required by ISO 27001.
  • 7.5.2 c) When documented information is created or updated it is reviewed and approved to ensure suitability and adequacy.
  • 7.5.3 b) Documented information is adequately protected from things like loss of confidentiality, improper use, or loss of integrity.

Clause 8: Operation

For an ISMS to be functional, it needs to implement and control the necessary processes to meet its requirements. It states requirements like:

  • 8.1) The organization must plan, implement, and control the processes required by the ISMS. This includes ensuring that documented information is available to confirm that processes are carried out as planned and reviewing the impact of any unintended changes.
  • 8.2) The organization must perform and retain the results of information security risk assessments regularly or when significant changes are planned or occur.
  • 8.3) The organization must implement the information security risk treatment plan and retain the results.

Clause 9: Performance evaluation

For an organization to be confident that its ISMS is effective, it needs to evaluate its performance. It states requirements like:

  • 9.1 a) The organization needs to determine what needs to be monitored and measured.
  • 9.2.1 b) The organization needs to conduct internal audits at planned intervals to check that the ISMS is effectively implemented and maintained.
  • 9.2.2 b) The organization needs an audit programme with auditors who conduct audits that are objective and impartial.
  • 9.3.1) Top management must review the ISMS at planned intervals.
  • 9.3.3) The results of top management’s reviews of the ISMS must include decisions on continual improvement or any other need for change.

Clause 10: Improvement

For an ISMS to have continued success, the organization needs to continually improve it, which includes identifying nonconformities and taking corrective actions to prevent their recurrence. It states requirements like:

  • 10.1) The organization will continually improve the ISMS.
  • 10.2 a) When a nonconformity occurs, the organization will take action to control and correct it, and deal with the consequences.
  • 10.2 b) The organization will review nonconformities, identify their causes, determine if similar issues could or do exist, and evaluate actions to eliminate the chances of recurrence.
  • 10.2 f) Documented information must be available on nonconformities and any relevant actions taken.