ISpectra Technologies
Core Concepts · Guide · Updated Jun 2026 · 9 min read

ISO 27001 Clauses 4–10: Mandatory Requirements Explained

ISO 27001 Clauses 4 to 10 are the mandatory heart of the standard. Unlike Annex A controls, you cannot pick and choose among them — every certified organisation must satisfy all of them. Here is what each one actually requires.


People often fixate on Annex A’s 93 controls and overlook the part of ISO 27001 that auditors care about most: the management-system clauses. Clauses 4 through 10 define how you run the ISMS, and they are mandatory — there is no risk-based opt-out the way there is for individual controls.

This guide walks through each clause in plain language, explaining what it requires and how to satisfy it, so the management-system backbone of your ISO 27001 certification is solid rather than an afterthought.

How the clauses fit together

Clauses 1 to 3 are introductory (scope, normative references, terms and definitions) and contain no auditable requirements. The requirements live in Clauses 4 to 10, which follow the harmonized structure (formerly the high-level structure, Annex SL) shared by ISO management-system standards, so they map clause-for-clause onto ISO 9001, ISO 22301 and others if you hold multiple certifications.

Read together, the clauses describe a complete management cycle: understand your context, lead, plan, resource, operate, evaluate, and improve. They are the ‘management system’ in Information Security Management System.

Crucially, you must address all of them. Annex A controls can be excluded with justification; the clauses cannot.

Clause 4: Context of the organisation

Clause 4 asks you to understand your organisation and its environment before designing security. You identify the internal and external issues relevant to your ISMS, and the ‘interested parties’ — customers, regulators, partners, employees — together with their requirements.

From this you define the scope of the ISMS: the boundaries of what it covers. Scope is one of the most consequential decisions in the whole project, because it determines how much you must protect and evidence.

The deliverables are a context analysis and a clear scope statement, both of which a Stage 1 auditor reviews early.


Clause 5: Leadership

Clause 5 makes top management accountable. Leaders must demonstrate commitment to the ISMS, establish an information security policy aligned with the organisation’s direction, and ensure roles and responsibilities are assigned and communicated.

This clause is why ISO 27001 cannot be a purely technical, bottom-up exercise. Without visible leadership ownership, the system lacks the authority and resources to function, and auditors probe for genuine engagement rather than a signature on a policy.

Satisfying it means an approved policy, defined roles, and evidence — such as management-review records — that leaders are actually involved.

Clause 6: Planning

Clause 6 is where risk takes centre stage. You must establish a risk assessment process with defined criteria, so that risks are identified and evaluated consistently and repeatably, and then decide how to treat them. Clause 6.1.3 requires you to compare the controls you have chosen against Annex A to check that nothing necessary has been overlooked, and to record the outcome in a Statement of Applicability listing every Annex A control with its inclusion or justified exclusion. A risk treatment plan then links each risk to the controls that address it, with risk owners approving the plan and accepting the residual risk.

The clause also requires you to set measurable information security objectives and plan how to achieve them. This turns vague intentions into targets the management system can track.

Clause 6 is effectively the design phase of the ISMS, and its outputs — risk assessment, treatment plan, SoA, and objectives — are core audit evidence.

Clause 7: Support

Clause 7 covers the resources that make the ISMS work: people, infrastructure, and budget. It requires you to ensure staff are competent for their security responsibilities, to raise awareness across the organisation, and to manage internal and external communication about security.

It also sets out requirements for documented information — how you create, control, and protect the documents and records the ISMS depends on. Good document control prevents the chaos of outdated policies and untraceable records.

In practice this clause is satisfied through training programmes, awareness campaigns, and a tidy, version-controlled document set.

Clause 8: Operation

Clause 8 is where plans become action. You must operate the processes needed to meet your security requirements, carry out the risk assessments at planned intervals and when changes occur, and implement the risk treatment plan you defined in Clause 6.

It also requires control over planned changes and over outsourced processes, ensuring that what you operate stays aligned with what you designed. This is the clause under which your Annex A controls actually run day to day.

Evidence here is operational: records showing controls functioning, risk assessments being repeated, and changes being managed.

Clause 9: Performance evaluation

Clause 9 is about knowing whether the ISMS works. It requires monitoring and measurement of your security performance, a programme of internal audits covering the ISMS over time, and periodic management reviews where leadership examines results and makes decisions.

These activities are the ‘Check’ in Plan-Do-Check-Act. They are also among the most scrutinised in an external audit, because they prove the organisation actively governs its security rather than setting it and forgetting it.

Expect to produce internal audit reports, management-review minutes, and metrics that show the system being evaluated.

Clause 10: Improvement

Clause 10 closes the loop. When nonconformities occur — a control fails, an audit finds a gap, an incident reveals a weakness — you must act: correct the issue, investigate the root cause, check whether similar nonconformities exist or could occur elsewhere, and take corrective action proportionate to the effect of the nonconformity so it does not recur. The nature of each nonconformity, the actions taken and their results must be retained as documented information. The standard also requires continual improvement of the suitability, adequacy and effectiveness of the ISMS.

Far from being a sign of failure, a healthy nonconformity and corrective-action log reassures auditors that the system detects and fixes problems. A system that never records an issue often means no one is looking.

This clause is what makes ISO 27001 a system that gets stronger over time rather than decaying after certification.

Mandatory vs optional: a common confusion

A frequent misunderstanding is treating Annex A controls as mandatory and the clauses as background. It is the reverse. The clauses (4–10) are mandatory in full; the Annex A controls are selected based on your risk assessment, with justified exclusions allowed.

So you can legitimately exclude a control that does not apply to you, but you cannot skip, say, internal audit or management review. Getting this distinction right focuses your effort where the standard actually demands it.

Many first-time projects under-invest in the clauses and over-invest in chasing every control — precisely the wrong balance.

The bottom line

Clauses 4 to 10 are the mandatory management system at the core of ISO 27001: context, leadership, planning, support, operation, performance evaluation, and improvement. Satisfy all of them and you have the governance backbone the standard certifies; neglect them and no amount of Annex A control work will save the audit.

Treat the clauses as the priority they are, produce the documents and records each one expects, and the Annex A controls slot in as the operational detail.

ISpectra builds the full clause framework with you — policy, risk process, audit and review programmes, and improvement loop — alongside the controls, with free VAPT and a multi-framework discount, so nothing mandatory is left to chance.

A practical clause-by-clause checklist

To keep the mandatory clauses from slipping through the cracks, it helps to hold a simple checklist: for Clause 4, a context analysis and scope statement; for Clause 5, an approved policy and assigned roles; for Clause 6, a risk assessment, treatment plan, SoA, and objectives.

For Clause 7, competence and awareness records plus document control; for Clause 8, evidence of controls and risk processes operating; for Clause 9, monitoring data, internal audit reports, and management-review minutes; and for Clause 10, a nonconformity and corrective-action log.

If you can point to a tangible artefact for each clause, you have the documented management system a Stage 1 auditor sets out to confirm. Stage 2 then tests whether those artefacts reflect what actually happens — that audits were performed, reviews held and corrective actions closed — so each artefact should be a live record, not a template filled in for the audit. ISpectra helps organisations achieve ISO 27001 certification efficiently, from gap analysis through to the certificate.

ISO 27001 Clauses 4–10: Mandatory Requirements Explained — Frequently Asked Questions

What are ISO 27001 Clauses 4 to 10?
Clauses 4 to 10 are Context of the organisation, Leadership, Planning, Support, Operation, Performance evaluation, and Improvement. All are mandatory for certification.

Are Annex A controls mandatory in the same way as the clauses?
No. The clauses (4–10) are mandatory in full. Annex A controls are selected based on your risk assessment, and you may exclude controls that do not apply, with the justification recorded in the Statement of Applicability.

What does Clause 6 require?
Clause 6 covers planning: a risk assessment and treatment process, the Statement of Applicability and risk treatment plan, and measurable information security objectives.

What does Clause 9 cover?
Performance evaluation: monitoring and measurement, internal audits, and management reviews — the activities that prove the ISMS is working and being governed.

Can internal audits or management reviews be excluded?
No. They are required by Clauses 9.2 and 9.3 and cannot be excluded. Unlike Annex A controls, the management-system clauses are mandatory in full.

Ready to get ISO 27001 certified?

ISpectra takes you from gap assessment to certificate — ISMS build, risk assessment, Annex A controls, evidence, and audit support in one program. Free VAPT included, and 10% off when you bundle multiple frameworks.