Mar 27, 2025
ISO 27001 - Mandatory Clauses
Developing an ISO 27001 compliant Information Security Management System (ISMS) requires a highly planned and coordinated approach. To help you lay the groundwork of your system, we previously covered the core activities required when planning the implementation of a cohesive ISMS, including leadership support, project scope, and the Statement of Applicability.
Now we are ready to discuss the practical steps of ISO certification and how to develop your system: exploring the mandatory clauses your ISMS must satisfy and the supporting documents that need to be created.
ISO 27001 Structure
ISO 27001 is structured into two separate parts. The first, central part consists of 11 clauses, numbered 0 to 10. The second part, Annex A, provides a framework of 114 controls that forms the basis of your Statement of Applicability (SoA).
In clauses 0 to 3, you will find the general "metadata" of the standard. These clauses provide general information about the standard, including:
Introduction
Scope
Normative references
Terms and definitions
The following clauses, 4 to 10, are mandatory requirements. If your company is aiming for ISO 27001 certification, these define the processes, documents, and policies that must be included or created to deliver a compliant system.
Ensuring Compliance
To ensure compliance with ISO 27001:2022, companies have a couple of efficient options:
ISO 27001:2022 Documentation Toolkit: Opting for a documentation toolkit can be hugely beneficial. These toolkits come packed with all mandatory documents and records, along with commonly used non-mandatory documentation. This toolkit helps streamline your compliance efforts by ensuring you have all the necessary documentation at your fingertips.
ISO 27001 Software: Another effective path is using specialized software. Dedicated software, such as a holistic GRC platform like StandardFusion, not only includes all required documents but also helps you complete them swiftly. This choice can greatly accelerate the compliance process and help you avoid potential setbacks during the certification audit.
By selecting the right toolkit or software, companies can significantly ease their journey to ISO 27001 compliance, making the process more efficient and reducing the risk of errors. Select the option that best fits your organization's needs and resources to ensure a smooth path to ISO 27001:2022 certification.
Mandatory Requirements & Required Documents
Clause 4: Context of the organization
Understanding and documenting the context of the organization is a vital part of implementing an ISMS. Creating a document that lists external and internal stakeholders, regulatory environments, client lists, competitors, and other industry standards will help you systematically maintain your updated inputs.
The only mandatory documentation under Clause 4 is the ISMS Scope (4.3), which must set the boundaries of your system and the applicability of the controls.
Clause 5: Leadership
Commitment from the leadership team is so important to compliance that engagement from top management is mandatory for an ISO 27001 certified ISMS. Interviews with executive stakeholders are a required part of the ISO audit. Top management is also responsible for documenting a Policy Statement and communicating it to employees and clients (5.2). Teams that play a role in maintaining the ISMS must be described, and internal roles and responsibilities must be assigned.
Clause 6: Planning
Careful planning is critical, and its importance cannot be overstated. As mentioned before, ISO 27001 applies a risk-based approach to information security, detailed in clause 6.1, which covers the security risk assessment and risk treatment process.
Based on these risks and opportunities, objectives need to be established, measured, and monitored (6.2). The best way to manage these objectives is to align them with the company's strategic goals.
Clause 7: Support
The core of this requirement is to understand how the organization is committed to providing the resources needed to establish, implement, and maintain the ISMS, based on the following foundational activities that must be documented:
Competence
Awareness
Communication
Documented Information
Records (that must be kept)
It is essential to highlight that all documents must be controlled with the date and revision number.
Mandatory Records for ISO 27001:2022
To ensure compliance, here are the essential records specified by ISO 27001, each with its clause or control reference and the form in which it is usually recorded:
Trainings, skills, experience, and qualifications (Clause 7.2): training certificates and CVs
Monitoring and measurement results (Clause 9.1): Measurement Report
Internal audit program (Clause 9.2): Internal Audit Program
Results of internal audits (Clause 9.2): Internal Audit Report
Results of the management review (Clause 9.3): Management Review Minutes
Results of corrective actions (Clause 10.2): Corrective Action Form
Logs of user activities, exceptions, and security events (Control A.8.15): automatic logs in information systems
Clause 8: Operation
Clause 8 asks for documented processes to mitigate the risks that might arise as a result of your company's scoped operations. It is a high-level requirement that all security controls be assessed and used to mitigate threats. Fulfillment of this requirement will result in:
Clause 9: Performance evaluation
The first requirement (9.1) is to establish a procedure for monitoring and measuring, and to keep records of the results. The process for monitoring and measurement must determine:
What needs to be monitored and measured.
The methods for monitoring.
When the monitoring is performed.
Who will complete the process.
Clause 9 also requires a documented process for the performance of internal audits and management reviews. Both processes must be conducted at least once a year.
Clause 10: Improvement
Clause 10 covers improvement follow-ups on the evaluations performed under Clause 9 and is an essential principle for any organization. Creating a documented process to log recommendations for improvement and nonconformities will help your organization take action, improve its services, and eliminate problems.
Impact of ISO 27001:2022 on Mandatory Documents and Records
The ISO 27001:2022 revision introduces a streamlined approach to mandatory documentation, simplifying compliance for organizations.
Reduced Documentation Requirements: This latest revision mandates fewer documents than its predecessor, ISO 27001:2013. This change alleviates the administrative burden on organizations while ensuring compliance remains robust.
Handling New Security Controls: Although the 2022 update introduces 11 new security controls, it doesn't require the creation of new documents. Organizations can efficiently adapt by incorporating these controls into their existing documentation. Simply add new sections to reflect the updated security measures within the frameworks established in the earlier version.
Summary
ISO 27001 can be broken down into two groups: clauses 4 to 10, followed by the controls in Annex A. Clauses 4 to 10 are mandatory requirements that must be satisfied by your ISMS, which should contain the appropriate supporting documents and records.
It is critical for Information Security Managers to understand how the standard is structured and how the controls are organized. Under each clause and subclause, there is a set of rules to be followed to achieve compliance. Paying attention to the requirements in terms of activities, processes, and documents is vital to determining which controls or policies must be deployed or improved.
New Security Controls in ISO 27001:2022
The latest update to ISO 27001 introduces several new security controls designed to bolster information security management systems. Here's a breakdown of these controls and where they can typically be integrated within your existing documentation:
Enhance your Incident Management Procedure with insights and data to proactively manage potential threats.
Cloud Services Security (A.5.23)
Address information security risks associated with the use of cloud services in your Supplier Security Policy.
ICT Readiness for Business Continuity (A.5.30)
Ensure that your Disaster Recovery Plan includes measures for keeping information and communication technology operational during disruptions.
Physical Security Monitoring (A.7.4)
Integrate monitoring protocols into Procedures for Working in Secure Areas, ensuring physical areas remain safeguarded.
Configuration Management (A.8.9)
Security Procedures for your IT Department should manage and maintain configuration integrity.
Incorporate processes into your Disposal and Destruction Policy to ensure secure and thorough deletion of information.
Protect sensitive information during development through the Secure Development Policy, using techniques like data masking.
Data Leakage Prevention (A.8.12)
Update Security Procedures for IT Department with strategies to prevent unauthorized data transfers.
Monitoring Activities (A.8.16)
Implement comprehensive monitoring to detect and respond to security incidents quickly, guided by IT department procedures.
Enhance your procedures with web filtering capabilities to control access to harmful or inappropriate websites.
Ensure that Secure Development Policies include guidelines for writing code that is robust against vulnerabilities and attacks.
By integrating these controls into their existing GRC practices, organizations can achieve a more resilient security posture in line with the latest ISO 27001 standard.
Understanding the Changes in Documentation Requirements: ISO 27001:2022 vs 2013
When evaluating the changes in documentation requirements between ISO 27001:2022 and its earlier 2013 revision, the updates present a streamlined approach:
Reduced Documentation Mandates: The 2022 revision reduces the number of mandatory documents compared to the 2013 revision. This shift allows organizations to meet compliance standards more efficiently, without cumbersome paperwork.
Introduction of New Security Controls: Although there are 11 new security controls introduced in the latest version, there's no need to create entirely new documents. Instead, organizations can integrate new sections addressing these controls into their existing documentation crafted under the 2013 standards.
By embracing these updates, businesses can maintain compliance while minimizing administrative overhead and leveraging existing resources.
How Can StandardFusion Help?
With StandardFusion, you can create, control, and share your documentation across your organization's entire network of employees, stakeholders, and third parties. Develop your documentation from the ground up within StandardFusion's GRC platform, update it as needed, and keep track of historical versions. Equipped with dashboards, automated reporting, and objective management, users can easily monitor document creation, track acceptance, and align company policies and procedures with organizational information security goals.
Check out our downloadable, comprehensive ISO 27001 Compliance Checklist, designed to support your journey toward ISO 27001 certification. It ensures your organization's ISMS practices align with global best practices and regulatory requirements to foster resiliency in your operations.