The 7 mandatory clauses you are required to comply with are Clauses 4 to 10. Clauses 1 to 3 cover the scope of the document, normative references, and terms and definitions.
Clause 4
You are required to identify the internal and external issues that are relevant to your organisation’s purpose.
You are also required to identify any parties that have an interest in your organisation’s ability to provide adequate security for your information and you need to determine what the needs of those parties are.
Clause 4 also requires that the scope of your ISMS is determined and that not only is the ISMS established and implemented, but that it is also maintained and continually improved.
Clause 5
It requires that your organisation’s top management demonstrates effective information security-related leadership, establishes an information security policy and assigns appropriate roles, responsibilities and authorities.
Clause 6
It requires that your organisation plans how you will take action to address risks and opportunities as well as how you will perform information security-related risk assessments.
There is also a requirement, at this point, to identify how suitable treatments for the identified risks will be determined.
Another requirement of Clause 6 is that you identify a suitable set of information security objectives.
These objectives need to be aligned with the output of the risk assessment and be consistent with your information security policy and your organisation’s overall business objectives. You also need to develop plans that detail how the objectives are going to be achieved.
Clause 7
It deals with several requirements that need to be implemented in order to effectively support your ISMS.
You will need to ensure that people are competent to perform their roles and that appropriate training and awareness are provided.
There is also a requirement for you to determine communications relevant to your ISMS and to meet various documentation requirements.
Clause 8
You are required to ensure that any processes needed to meet the security requirements of your organisation are planned, implemented and controlled.
Specifically, you must ensure that plans made in Clause 6 are implemented including the risk assessment process and the risk treatment plan. You are also required, within Clause 8, to control planned changes and to keep documentation as evidence of processes being carried out.
Clause 9
It enables you to check whether your efforts and your ISMS are working. This is achieved through internal audit, management review, and the monitoring, measurement, analysis and evaluation of activities.
Clause 10
You are required to ensure there is continual improvement and that any nonconformities you have identified are corrected and prevented from recurring.