The seven mandatory clauses with which you are required to comply are Clauses 4 to 10. Clauses 1 to 3 deal with the scope of the document, normative references, and terms and definitions.

Clause 4

You are required to identify the internal and external issues that are relevant to your organisation's purpose.

You are also required to identify any parties that have an interest in your organisation's ability to provide adequate security for its information, and to determine what the needs of those parties are.

Clause 4 also requires that the scope of your ISMS is determined, and that the ISMS is not only established and implemented but also maintained and continually improved.

Clause 5

Clause 5 requires that your organisation's top management demonstrates effective information security-related leadership, establishes an information security policy, and assigns appropriate roles, responsibilities and authorities.

Clause 6

Clause 6 requires that your organisation plans how it will take action to address risks and opportunities, as well as how it will perform information security-related risk assessments.

There is also a requirement, at this point, to identify how suitable treatments for the identified risks will be determined.

Another requirement of Clause 6 is that you identify a suitable set of information security objectives.

These objectives need to be aligned with the output of the risk assessment and be consistent with your information security policy and your organisation's overall business objectives. You also need to develop plans that detail how the objectives are going to be achieved.

Clause 7

Clause 7 deals with several requirements that need to be implemented in order to effectively support your ISMS.

You will need to ensure that people are competent to perform their roles and that appropriate training and awareness are provided.

There is also a requirement for you to determine communications relevant to your ISMS and to meet various documentation requirements.

Clause 8

You are required to ensure that any processes needed to meet the security requirements of your organisation are planned, implemented and controlled.

Specifically, you must ensure that the plans made under Clause 6 are implemented, including the risk assessment process and the risk treatment plan. You are also required, within Clause 8, to control planned changes and to keep documentation as evidence that processes have been carried out.

Clause 9

Clause 9 enables you to check whether your efforts and your ISMS are working. This is achieved through internal audit, management review, and the monitoring, measurement, analysis and evaluation of activities.

Clause 10

You are required to ensure there is continual improvement, and that any nonconformities you have identified are corrected and prevented from recurring.

"It's one thing having the required technical knowledge, it's another thing for a consultant to apply that knowledge to the context of our organisation. To use a sporting analogy, we view cyber and information security as a marathon not a sprint. I am not a believer in doing everything all at once. Our approach has been risk based and incremental, remediating our biggest risks first before moving on. I believe this approach is far more sustainable and effective. And URM's consultants fully understand this and are very pragmatic and tailored in their guidance and advice. They know we are not implementing ISO 27001 purely for the certificate, but more as a framework for continual improvement, and at a pace where new systems and processes can be fully understood and absorbed by our team and be business as usual."

Brand distributor

ISO 27001 Clause 5.1: Leadership and Commitment Explained

Published on 8 Sep 2025

URM’s blog explores Clause 5.1 of ISO 27001, what you must do to meet its requirements, and why leadership & commitment are vital to an effective ISMS.

Cyber Security. Published on 29/8/2025
Critical Cyber Security Practices to Defend Against Ransomware Attacks

URM's blog examines how ransomware attacks occur, and highlights practical cyber security measures you can implement to reduce your exposure and mitigate security risk.

Information Security. Published on 29/8/2025
ISO 27001: How Certification Works

URM’s blog breaks down the ISO 27001 certification process, the roles of certification bodies and UKAS, what auditors look for during assessments, and more.

Information Security. Published on 7/8/2025
ISO 27001:2022 - A.5 Organisational Controls (Business Continuity)

URM's blog explores the ISO 27001 business continuity controls, why they matter, and how they can be effectively implemented to ensure conformance to the Standard.

"URM were super helpful and knowledgeable, talking and walking me through each one of the tests and providing some useful information on security and how to improve things in the future."