![ISO 27001 Clause Guide: Documentation Hierarchy, Controls & Implementation Guide [Complete Edition]](/images/blog/iso27001-clauses-cover.webp)
ISO 27001 Clause Guide: Documentation Hierarchy, Controls & Implementation Guide [Complete Edition]
- ISO 27001 Structure Overview
- Clause Text (Clauses 4-10)
- Annex A (Controls)
- PDCA Cycle Mapping
- Clause-by-Clause Interpretation
- Clause 4: Context of the Organization
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance Evaluation
- Clause 10: Improvement
- Four-Tier Documentation System
- Tier 1: Policies
- Tier 2: Procedures
- Tier 3: Work Instructions
- Tier 4: Records
- Required Documents List
- Annex A Control Highlights
- Organizational Controls (37 items)
- People Controls (8 items)
- Physical Controls (14 items)
- Technological Controls (34 items)
- Statement of Applicability (SoA) Writing
- What is SoA
- How to Determine Applicability
- Valid Reasons for Excluding Controls
- SoA Example Format
- FAQ: Common Clause Questions
- Q1: Must I buy the ISO 27001 standard document?
- Q2: Can I use existing documents?
- Q3: Will auditors check clause by clause?
- Q4: What if I can't complete all controls?
- Q5: Do small companies need this many documents?
- Next Steps
- Further Reading
- References
- Need Professional Cloud Advice?
![ISO 27001 Clause Guide: Documentation Hierarchy, Controls & Implementation Guide [Complete Edition]](/images/blog/iso27001/iso27001-clauses-hero.webp)
ISO 27001 Clause Guide: Documentation Hierarchy, Controls & Implementation Guide [Complete Edition]
ISO 27001 Clause Guide: Documentation Hierarchy, Controls & Implementation Guide [Complete Edition]
The ISO 27001 standard document is only about 30 pages.
But it's hard to understand.
The clauses read like legal text—you recognize every word, but together they don't make sense.
This article explains each clause in plain language, helping you truly understand what ISO 27001 requires.
For a complete introduction to ISO 27001, see ISO 27001 Complete Guide.
ISO 27001 Structure Overview
Clause Text (Clauses 4-10)
The main body of ISO 27001 has two parts:
- Clause text (Clauses 4-10): Tells you how to build the management system
- Annex A: Lists 93 controls
Clause text structure:
| Clause | Name | Key Content |
|---|---|---|
| Clause 4 | Context of the organization | Understanding internal and external environment |
| Clause 5 | Leadership | Top management commitment and responsibility |
| Clause 6 | Planning | Risk assessment, objective setting |
| Clause 7 | Support | Resources, competence, document management |
| Clause 8 | Operation | Actual implementation of controls |
| Clause 9 | Performance evaluation | Monitoring, internal audit, management review |
| Clause 10 | Improvement | Nonconformity handling, continual improvement |
Annex A (Controls)
Annex A lists 93 controls, divided into four themes:
| Theme | Count | Examples |
|---|---|---|
| Organizational controls | 37 | Information security policy, roles and responsibilities |
| People controls | 8 | Personnel screening, awareness training |
| Physical controls | 14 | Physical security, equipment protection |
| Technological controls | 34 | Access control, encryption, backup |
PDCA Cycle Mapping
ISO 27001 is built on the PDCA (Plan-Do-Check-Act) cycle.
| PDCA | Corresponding Clauses | Meaning |
|---|---|---|
| Plan | Clauses 4, 5, 6 | Understand environment, get commitment, plan how to do it |
| Do | Clauses 7, 8 | Prepare resources, actually implement |
| Check | Clause 9 | Monitor effectiveness, audit verification |
| Act | Clause 10 | Handle problems, continually improve |
Key point: This is a cycle, not a one-time thing. It must be continuously executed every year.
Clause-by-Clause Interpretation
Clause 4: Context of the Organization
Original point: Understanding the organization and its context
In plain language:
Before building your ISMS, you need to figure out a few things:
4.1 Understanding the organization and its context
Ask yourself:
- What is the company's business?
- What internal challenges do you face? (Insufficient staff, limited budget)
- What external challenges? (Regulatory requirements, market competition)
4.2 Understanding the needs and expectations of interested parties
| Interested Party | Possible Needs |
|---|---|
| Customers | Data security, service availability |
| Employees | Clear policies, proper training |
| Regulators | Regulatory compliance |
| Shareholders | Risk management, reputation protection |
4.3 Determining the scope of the ISMS
Not the entire company needs to be included. Decide:
- Which departments?
- Which services?
- Which locations?
- Which systems?
4.4 ISMS and its processes
Establish, implement, maintain, and continually improve the ISMS.
Clause 5: Leadership
Original point: Leadership and commitment
In plain language:
Without management support, ISMS won't succeed.
5.1 Leadership and commitment
What top management must do:
- Publicly express support for ISMS
- Ensure sufficient resources (people, money, time)
- Integrate security into daily operations
- Support relevant personnel in performing their duties
5.2 Policy
Establish an "Information Security Policy":
- State the company's commitment to security
- Include objectives or framework for setting objectives
- Commit to meeting requirements and continual improvement
- Make sure all employees know this policy
5.3 Roles, responsibilities, and authorities
Clearly assign:
- Who is responsible for overall ISMS operation
- Who reports to top management
- Security responsibilities for each department/person
Clause 6: Planning
Original point: Actions to address risks and opportunities
In plain language:
This is the core of ISMS—risk assessment.
6.1 Actions to address risks and opportunities
6.1.1 General
Identify:
- What factors might prevent ISMS from achieving objectives (risks)
- What factors can help achieve objectives (opportunities)
6.1.2 Information security risk assessment
This is the most important step:
| Step | Content |
|---|---|
| 1. Identify assets | List information assets to protect |
| 2. Identify threats | Events that could harm assets |
| 3. Identify vulnerabilities | Weaknesses that could be exploited by threats |
| 4. Assess impact | How serious if it happens |
| 5. Assess likelihood | How likely to happen |
| 6. Calculate risk value | Impact × Likelihood |
| 7. Prioritize | Decide which risks to address first |
6.1.3 Information security risk treatment
For each risk, you can choose:
| Treatment | Description | Example |
|---|---|---|
| Mitigate | Implement controls to reduce risk | Install firewall |
| Transfer | Transfer risk to others | Buy cyber insurance |
| Avoid | Don't do this activity | Don't offer certain services |
| Accept | Accept the risk exists | Risk is very low, don't address |
6.2 Information security objectives and planning to achieve them
Set specific security objectives, such as:
- Reduce security incidents by X%
- 100% employee training completion rate
- 99.9% system availability
6.3 Planning of changes (New in 2022 version)
When ISMS needs changes, make them in a planned manner.
Clause 7: Support
Original point: Resources needed for ISMS operation
In plain language:
With a plan, you need resources to execute.
7.1 Resources
The company must provide sufficient:
- Manpower
- Budget
- Time
- Tools
7.2 Competence
People responsible for security work must have adequate competence:
- Obtained through education, training, experience
- Maintain evidence of competence (certificates, training records)
7.3 Awareness
All employees must know:
- The company's information security policy
- Their role in the ISMS
- Consequences of non-compliance
7.4 Communication
Decide:
- What to communicate (content)
- When to communicate (timing)
- With whom to communicate (audience)
- Who communicates (responsible person)
- How to communicate (method)
7.5 Documented information
ISMS needs documents for support:
- Documents required by the standard
- Documents the organization deems necessary
- Documents must be controlled (version, review, release)
Clause 8: Operation
Original point: Operational planning and control
In plain language:
Everything before was planning; this is actually doing it.
8.1 Operational planning and control
Implement what was planned in Clause 6:
- Execute risk treatment plan
- Implement selected controls
- Control planned changes
- Manage outsourced processes
8.2 Information security risk assessment
Re-execute risk assessment periodically:
- At least once a year
- When significant changes occur
- After security incidents
8.3 Information security risk treatment
Execute risk treatment plan, keep records of treatment results.
Clause 9: Performance Evaluation
Original point: Monitoring and measurement
In plain language:
After doing, check if it's working.
9.1 Monitoring, measurement, analysis, and evaluation
Monitor:
- Whether security objectives are achieved
- Whether controls are effective
- Whether ISMS processes operate normally
9.2 Internal audit
Periodically audit yourself:
| Item | Requirement |
|---|---|
| Frequency | At least once a year |
| Scope | Cover all ISMS processes |
| Auditors | Must be independent (can't audit your own work) |
| Results | Must be recorded, improvement must be tracked |
9.3 Management review
Top management must periodically review ISMS:
Inputs (data to review):
- Follow-up items from previous review
- Internal and external changes
- Audit results
- Security performance
- Improvement opportunities
Outputs (decisions to make):
- Whether ISMS needs changes
- Whether resources are sufficient
- Next steps
Clause 10: Improvement
Original point: Nonconformity and continual improvement
In plain language:
When problems are found, fix them. Even without problems, make things better.
10.1 Nonconformity and corrective action
When nonconformity is found:
- Immediate response: Control the problem, reduce impact
- Analyze cause: Find the root cause
- Take corrective action: Prevent recurrence
- Verify effectiveness: Confirm correction worked
- Update documents: Update risk assessment, ISMS if needed
10.2 Continual improvement
ISMS must continuously improve, not just maintain status quo.
Four-Tier Documentation System
ISO 27001 produces many documents, usually organized in four tiers.
Tier 1: Policies
Nature: Highest-level documents, explaining "why" and "direction"
Examples:
- Information Security Policy
- Access Control Policy
- Password Policy
- Remote Work Policy
Characteristics:
- Approved by top management
- Content is brief and principle-based
- Rarely changed
Tier 2: Procedures
Nature: Explaining "what to do" and "who does it"
Examples:
- Risk Assessment Procedure
- Incident Management Procedure
- Access Control Procedure
- Change Management Procedure
Characteristics:
- Applicable across departments
- Describes process steps
- Defines roles and responsibilities
Tier 3: Work Instructions
Nature: Detailed steps on "how to do it"
Examples:
- Backup SOP
- Account Request SOP
- Firewall Configuration Guide
- Incident Reporting Guide
Characteristics:
- For specific tasks
- Detailed specific steps
- Includes screenshots, examples
Tier 4: Records
Nature: Evidence that you did it
Examples:
- Risk Register
- Audit Records
- Training Sign-in Sheets
- Change Request Forms
- Incident Handling Records
Characteristics:
- Records for every activity
- Auditors will review
- Must be properly stored
Required Documents List
Documents explicitly required by ISO 27001:
| Clause | Required Document |
|---|---|
| 4.3 | ISMS scope document |
| 5.2 | Information security policy |
| 6.1.2 | Risk assessment procedure |
| 6.1.3 | Risk treatment plan |
| 6.1.3 | Statement of Applicability (SoA) |
| 6.2 | Information security objectives |
| 7.2 | Evidence of competence |
| 7.5 | Documented information |
| 8.1 | Operational planning and control |
| 8.2 | Risk assessment results |
| 8.3 | Risk treatment results |
| 9.1 | Monitoring and measurement results |
| 9.2 | Internal audit records |
| 9.3 | Management review records |
| 10.1 | Nonconformity and corrective action records |
Annex A Control Highlights
The 2022 version divides 93 controls into four themes.
Organizational Controls (37 items)
Covering organizational-level management controls:
| Number | Control | Key Point |
|---|---|---|
| 5.1 | Information security policies | Must have, publish, regularly review |
| 5.2 | Roles and responsibilities | Clearly assign |
| 5.3 | Segregation of duties | Avoid one person controlling too much |
| 5.7 | Threat intelligence | Proactively collect threat info (New) |
| 5.9 | Inventory of information and assets | List all assets |
| 5.15 | Access control | Who can access what |
| 5.23 | Cloud services security | Cloud usage management (New) |
People Controls (8 items)
Covering personnel-related controls:
| Number | Control | Key Point |
|---|---|---|
| 6.1 | Screening | Background checks |
| 6.2 | Terms of employment | Include security responsibilities in contracts |
| 6.3 | Security awareness training | Everyone must understand |
| 6.4 | Disciplinary process | Violations have consequences |
| 6.5 | Termination/change of employment | Revoke access |
| 6.6 | Confidentiality agreements | NDAs |
Physical Controls (14 items)
Covering physical environment controls:
| Number | Control | Key Point |
|---|---|---|
| 7.1 | Physical security perimeters | Access control |
| 7.2 | Physical entry | Who can enter |
| 7.4 | Physical security monitoring | Cameras, sensors (New) |
| 7.8 | Equipment siting | Place in secure locations |
| 7.10 | Storage media | USB, hard drive management |
| 7.14 | Secure disposal | Clear data when disposing |
Technological Controls (34 items)
Covering technical controls:
| Number | Control | Key Point |
|---|---|---|
| 8.1 | User endpoint devices | Laptop, mobile security |
| 8.5 | Secure authentication | Login verification |
| 8.7 | Protection against malware | Antivirus |
| 8.8 | Technical vulnerability management | Patch vulnerabilities |
| 8.9 | Configuration management | System settings management (New) |
| 8.12 | Data leakage prevention | DLP (New) |
| 8.13 | Backup | Data backup |
| 8.15 | Logging | System log recording |
| 8.24 | Use of cryptography | Encryption |
For more 2022 version change details, see ISO 27001:2022 Update Guide.
Statement of Applicability (SoA) Writing
What is SoA
SoA (Statement of Applicability) is one of ISO 27001's most important documents.
Purpose:
- List all 93 Annex A controls
- State whether each is applicable
- Explain reasons for non-applicability
- Describe implementation status for applicable ones
How to Determine Applicability
For each control, ask:
-
Is it risk-related? Can this control address risks we identified?
-
Is it legally required? Do regulations or contracts require this control?
-
Is it business-needed? Does business operation need this control?
If any answer above is "yes," this control is applicable.
Valid Reasons for Excluding Controls
Controls that don't apply need valid reasons.
Acceptable reasons:
| Reason | Example |
|---|---|
| Technology doesn't exist | Company has no wireless network, so wireless security controls don't apply |
| Business doesn't involve | Company has no software development, so secure development controls don't apply |
| Outsourced | Data center managed by provider, physical security is their responsibility |
| Risk acceptable | Risk assessment shows risk is extremely low |
Unacceptable reasons:
- "No budget"
- "Too troublesome"
- "Don't know how to do it"
SoA Example Format
| Number | Control | Applicable | Reason/Implementation Status |
|---|---|---|---|
| 5.1 | Information security policies | Yes | Established and published, reviewed annually |
| 5.7 | Threat intelligence | Yes | Subscribed to CERT alerts |
| 7.6 | Working in secure areas | No | Company has no secure areas |
| 8.28 | Secure coding | No | Company has no software development |
FAQ: Common Clause Questions
Q1: Must I buy the ISO 27001 standard document?
Not mandatory, but highly recommended.
- Official standard costs about $200
- Many unofficial versions online, but may be incomplete or outdated
- If certifying, recommend buying the official version
Q2: Can I use existing documents?
Yes. ISO 27001 doesn't require specific formats.
If existing documents already cover required content, use them directly; no need to create new ones.
Q3: Will auditors check clause by clause?
Yes. Auditors will audit each clause and applicable controls.
But they won't go deep on everything—they'll decide depth based on risk and sampling.
Q4: What if I can't complete all controls?
Handle in phases:
- First identify high-risk items that must be done immediately
- Put others in improvement plan, complete gradually
- Auditors will check if you have a plan, not require everything complete
Q5: Do small companies need this many documents?
Not necessarily.
ISO 27001 doesn't specify document quantity or format. Small companies can simplify, as long as content covers requirements.
Example: Multiple policies can be combined into one "Information Security Policy."
Next Steps
ISO 27001 clauses look complex, but once you understand the logic, you'll find it's a very systematic framework.
If you're preparing for implementation or certification, recommended:
- First understand the intent of clauses
- Compare with current company status for gap analysis
- Develop action plan
- Gradually build documents and implement controls
Too many clauses, don't know where to start? Contact us to help interpret clauses and plan your implementation strategy.
Further Reading
- For complete standard introduction, see ISO 27001 Complete Guide
- For 2022 version changes, see ISO 27001:2022 Update Guide
- For 27002 implementation guidance, see ISO 27001 vs 27002 Comparison
- For ISMS practical implementation, see ISMS Implementation Practical Guide
References
Need Professional Cloud Advice?
Whether you're evaluating cloud platforms, optimizing existing architecture, or looking for cost-saving solutions, we can help