ISpectra Technologies
Requirements & Scope · Guide · Updated Jun 2026 · 9 min read

ISO 27001 Requirements: A Step-by-Step Guide

ISO 27001's requirements come in two parts: the mandatory management-system clauses and the risk-based Annex A controls. This step-by-step guide lays out everything the standard actually asks of you, in the order you will tackle it.


‘What does ISO 27001 require?’ is the question every team asks first, and the answer is more structured than the intimidating document suggests. The standard has a clear shape: a set of mandatory management requirements (Clauses 4–10) and a menu of controls (Annex A) selected by risk. Understand that shape and the requirements stop feeling like a wall.

This guide walks through the requirements in the order you will meet them, from scope and risk to controls, audits, and improvement, so you know exactly what is expected on the path to ISO 27001 certification.

Two kinds of requirement

ISO 27001 contains two distinct types of requirement, and confusing them causes most early missteps. The first is the management-system clauses (4–10), which are mandatory in full and describe how you run the ISMS. The second is Annex A controls, which you select based on your risk assessment.

You must satisfy every clause, but you implement only the controls your risks justify, documenting the rest as excluded. Keeping this distinction clear focuses your effort correctly.

The clauses are the non-negotiable backbone; the controls are the tailored muscle. The sections below follow the clause order, since that is how the requirements unfold.

Requirement: understand context and scope (Clause 4)

You must determine the internal and external issues relevant to your ISMS and identify interested parties and their requirements. From this you define the ISMS scope — the boundaries of what the system covers.

Scope is one of the most consequential requirements, because it determines how much you protect and evidence. Too broad and you create needless work; too narrow and the certificate may not cover the services your customers actually buy, which they will notice when they read the scope statement printed on it.

The deliverables are a context analysis and a documented scope statement, both reviewed early in the audit.


Requirement: leadership and policy (Clause 5)

Top management must demonstrate commitment to the ISMS, establish an information security policy aligned with the organisation’s direction, and assign and communicate security roles and responsibilities.

This is a genuine requirement, not a formality: auditors look for real engagement, evidenced through management reviews and resourcing decisions. An ISMS without leadership backing lacks the authority to function.

Satisfy it with an approved policy, a clear roles-and-responsibilities definition, and records of leadership involvement.

Requirement: risk assessment and treatment (Clause 6)

You must define and apply a documented information security risk assessment process, evaluate risks consistently, and decide how to treat each one. From this you produce a risk treatment plan and a Statement of Applicability.

You must also set measurable information security objectives and plan how to achieve them. This clause is effectively the design of your ISMS and the source of most core audit evidence.

Because risk drives control selection, getting this requirement right makes everything downstream defensible.

Requirement: support and resources (Clause 7)

The standard requires you to provide the resources the ISMS needs, ensure staff are competent for their security roles, raise awareness across the organisation, manage communication, and control documented information.

In practice this means training programmes, awareness activities, and a version-controlled document set covering your policies, procedures, and records. Document control prevents the chaos of outdated or untraceable information.

These requirements ensure the ISMS has the people, knowledge, and information management to actually operate.

Requirement: operation (Clause 8)

You must operate the processes needed to meet your security requirements, perform risk assessments at planned intervals and when changes occur, implement the risk treatment plan, and control planned changes and outsourced processes.

This is the clause under which your selected Annex A controls actually run day to day, producing the operational evidence auditors sample at Stage 2.

The requirement, in essence, is to do what you planned — consistently and with records to prove it.

Requirement: performance evaluation (Clause 9)

You must monitor and measure your security performance, conduct internal audits of the ISMS, and hold management reviews at planned intervals. These activities prove the system is working and being governed.

Internal audit and management review are explicit, non-optional requirements, and among the most scrutinised at the external audit. They are the ‘Check’ of Plan-Do-Check-Act that keeps the ISMS honest.

Expect to produce monitoring metrics, internal audit reports, and management-review minutes as evidence.

Requirement: improvement (Clause 10)

When nonconformities occur, you must react: correct them, investigate root causes, and take corrective action to prevent recurrence. The standard also requires a commitment to continually improve the ISMS.

A healthy nonconformity and corrective-action log reassures auditors that the system detects and fixes problems rather than hiding them. This requirement is what makes ISO 27001 a system that strengthens over time.

Satisfy it with a documented process for handling issues and evidence of improvements made.

Requirement: select and apply Annex A controls

Driven by your risk assessment, you must select appropriate controls from Annex A’s 93 options, implement them, and record your decisions (including exclusions, each with a justification) in the Statement of Applicability. ISO 27002 is the companion guidance on how to implement each one; it is not itself a certifiable standard. Annex A is a reference list rather than a ceiling: the standard also lets you add controls from other sources where your risks require them.

This is the risk-based half of the requirements: you are not obliged to implement every control, only those your risks justify. The discipline is in linking each control to a risk and each exclusion to a sound reason.

Done well, the result is a focused control set that is both effective and efficient to maintain.
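The traceability discipline described above (and the risk treatment plan and Statement of Applicability required under Clause 6) is something you can check mechanically rather than by eye. The script below is an added example, not the page's own material or ISpectra's tooling: it takes a small risk register and a Statement of Applicability and reports every Annex A control that is applicable but treats no risk, excluded but relied on by a treatment, or excluded with no justification. The six control IDs and titles are a subset of ISO/IEC 27001:2022 Annex A (the real annex has 93); the risks, treatments and justifications are constructed sample data, and the `Risk`, `SoaEntry` and `check_soa` names are this example's own.

```python
"""Consistency check between a risk register and a Statement of Applicability.

Added example (not ISpectra's tooling). Control IDs/titles are a small
subset of ISO/IEC 27001:2022 Annex A; all risks and justifications below
are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment: str                                   # "modify", "retain", "avoid" or "share"
    controls: list[str] = field(default_factory=list)  # Annex A IDs that treat this risk


@dataclass
class SoaEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str = ""                          # reason for inclusion or exclusion


# Constructed subset of Annex A (ISO/IEC 27001:2022); the full annex has 93 controls.
ANNEX_A_SUBSET = {
    "5.1": "Policies for information security",
    "5.7": "Threat intelligence",
    "6.1": "Screening",
    "7.4": "Physical security monitoring",
    "8.8": "Management of technical vulnerabilities",
    "8.24": "Use of cryptography",
}


def check_soa(risks, soa, annex=ANNEX_A_SUBSET):
    """Return a list of (severity, message) findings; an empty list means consistent."""
    findings = []
    soa_by_id = {e.control_id: e for e in soa}
    # Controls that at least one "modify" treatment depends on.
    used = {c for r in risks if r.treatment == "modify" for c in r.controls}

    # Every Annex A control must appear in the SoA, applicable or not.
    for cid, title in annex.items():
        if cid not in soa_by_id:
            findings.append(("error", f"{cid} {title}: missing from SoA"))

    for e in soa:
        if e.control_id not in annex:
            findings.append(("error", f"{e.control_id}: not an Annex A control in this subset"))
            continue
        # Applicable but untraced: fine only if the justification cites another driver
        # (legal, contractual, or the standard's own clauses), so flag it for review.
        if e.applicable and e.control_id not in used:
            findings.append(("warning", f"{e.control_id}: applicable but no risk treatment references it"))
        if not e.applicable and e.control_id in used:
            findings.append(("error", f"{e.control_id}: excluded but a risk treatment relies on it"))
        if not e.applicable and not e.justification.strip():
            findings.append(("error", f"{e.control_id}: excluded without justification"))

    # Every "modify" treatment must name at least one control that exists in the SoA.
    for r in risks:
        if r.treatment == "modify" and not r.controls:
            findings.append(("error", f"{r.risk_id}: treatment 'modify' names no control"))
        for c in r.controls:
            if c not in soa_by_id:
                findings.append(("error", f"{r.risk_id}: references {c}, which is not in the SoA"))
    return findings


def example_findings():
    """Run the check over constructed sample data and return its findings."""
    risks = [
        Risk("R-01", "Unpatched internet-facing server exploited", "modify", ["8.8", "5.7"]),
        Risk("R-02", "Laptop holding customer data stolen", "modify", ["8.24"]),
        Risk("R-03", "Contractor hired without background check", "modify", ["6.1"]),
        Risk("R-04", "Cosmetic defacement of static marketing site", "retain"),
    ]
    soa = [
        SoaEntry("5.1", ANNEX_A_SUBSET["5.1"], True, "Required by clause 5.2"),   # untraced -> warning
        SoaEntry("5.7", ANNEX_A_SUBSET["5.7"], True, "Treats R-01"),
        SoaEntry("6.1", ANNEX_A_SUBSET["6.1"], False, "No hiring planned"),       # but R-03 needs it -> error
        SoaEntry("7.4", ANNEX_A_SUBSET["7.4"], False, ""),                        # no reason -> error
        SoaEntry("8.8", ANNEX_A_SUBSET["8.8"], True, "Treats R-01"),
        SoaEntry("8.24", ANNEX_A_SUBSET["8.24"], True, "Treats R-02"),
    ]
    return check_soa(risks, soa)


if __name__ == "__main__":
    for severity, message in example_findings():
        print(f"[{severity}] {message}")
```

The warning on 5.1 is deliberate: a control can be applicable for reasons other than a specific risk (a legal or contractual obligation, or because the standard itself demands it), but the Statement of Applicability should then say so, which is exactly the review the warning prompts. The two errors are the cases an auditor will pick apart: a treatment plan that depends on a control you have declared out of scope, and an exclusion with no reason recorded.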

Requirement: mandatory documentation

ISO 27001 specifies documented information you must maintain: the ISMS scope, the information security policy, the risk assessment and risk treatment processes, the risk treatment plan, the Statement of Applicability, the security objectives, and records evidencing operation: results of risk assessments and treatment, evidence of competence, monitoring and measurement results, the internal audit programme and its results, management-review results, and nonconformities with the corrective actions taken.

The documentation requirement is often underestimated. It is not bureaucracy for its own sake; it is the memory and proof of the management system, and auditors examine both the documents and the records.

Using templates and documenting as you build keeps this requirement manageable rather than overwhelming.

How the requirements fit a project

In a real project the requirements unfold in order: scope and context first, then leadership and policy, then risk assessment and control selection, then implementation and operation, then evaluation and improvement. Each requirement builds on the previous one.

Seen this way, the requirements are not a checklist to dread but a logical sequence that produces a working ISMS. Tackling them out of order is the main reason first attempts feel chaotic.

Mapping your project plan directly onto these requirements keeps you aligned with exactly what the auditor will assess.

The bottom line

ISO 27001’s requirements are the mandatory management-system clauses (4–10) plus a risk-selected set of Annex A controls, all underpinned by specified documentation. Satisfy every clause, select controls from real risk, document and evidence everything, and you meet the standard.

The structure is more approachable than it first looks: understand the two kinds of requirement, follow the clause order, and the path becomes clear.

ISpectra maps your project to these requirements end to end — clauses, controls, and documentation — with free VAPT and a multi-framework discount, so nothing required is missed and nothing unnecessary is added.


ISO 27001 Requirements: A Step-by-Step Guide — Frequently Asked Questions

What are the ISO 27001 requirements?

Two kinds: the mandatory management-system clauses (4–10) covering context, leadership, planning, support, operation, evaluation, and improvement; and a risk-selected set of Annex A controls. Both are underpinned by specified documentation.

Are all of the requirements mandatory?

The clauses (4–10) are mandatory in full. Annex A controls are selected based on your risk assessment, so you implement those your risks justify and document any exclusions.

What documentation does ISO 27001 require?

At minimum the ISMS scope, information security policy, risk assessment and treatment process, risk treatment plan, Statement of Applicability, security objectives, and records evidencing operation, internal audits, and management reviews.

Do I have to implement every Annex A control?

No. You select controls based on your risk assessment and exclude those that do not apply, recording the justification in the Statement of Applicability.

In what order should the requirements be tackled?

Scope and context first, then leadership and policy, risk assessment and control selection, implementation and operation, and finally evaluation and improvement. Each step builds on the previous one.

Ready to get ISO 27001 certified?

ISpectra takes you from gap assessment to certificate — ISMS build, risk assessment, Annex A controls, evidence, and audit support in one program. Free VAPT included, and 10% off when you bundle multiple frameworks.