What the standard demands
ISO 27001 requirements: what you must have in place
The mandatory core of ISO 27001 is clauses 4 to 10: seven clauses defining a working management system. Annex A's controls get the attention, but certifications are won and lost in the clauses. Here is each one, with what the auditor will actually ask to see.
| Clause | What it demands | What the auditor asks to see |
|---|---|---|
| Clause 4: Context | Define what your organisation is, who depends on its security, and what the ISMS covers. | Your scope document, and whether it matches reality when they interview people. |
| Clause 5: Leadership | Top management owns the ISMS: policy approved, roles assigned, resources committed. | The signed policy, and a leader who can talk about the ISMS without a script. |
| Clause 6: Planning | Risk assessment, risk treatment, the Statement of Applicability and measurable objectives. | The risk register, the SoA, and objectives that are actually measured. |
| Clause 7: Support | Competence, awareness, communication and document control. | Training records, awareness evidence, and whether document versions are controlled. |
| Clause 8: Operation | The plans from clause 6 running in practice, including operational risk assessments on change. | Evidence the controls operate routinely: the by-products of normal work. |
| Clause 9: Performance evaluation | Monitoring, measurement, the independent internal audit and management review. | The clause 9.2 internal audit report and clause 9.3 management review minutes, actioned. |
| Clause 10: Improvement | Nonconformities corrected at root cause; the ISMS demonstrably improving. | The corrective action log, and whether the loop actually closes. |
Clauses 1 to 3 are introductory (scope of the standard, references, definitions) and carry no requirements. Everything auditable lives in 4 to 10.
The paperwork, minimised
The documents the standard actually mandates
Template packs love to sell you fifty documents. The standard names roughly a dozen, and auditors judge quality by whether documents are used, not by how many exist. Write the mandated set well, add only what your operation genuinely needs, and resist the rest.
The mandated set
- ISMS scope (clause 4.3)
- Information security policy (5.2)
- Risk assessment methodology and results (6.1.2, 8.2)
- Risk treatment plan and results (6.1.3, 8.3)
- Statement of Applicability (6.1.3d)
- Security objectives (6.2)
- Evidence of competence (7.2)
- Documented operational planning and control (8.1)
- Internal audit programme and results (9.2)
- Management review results (9.3)
- Nonconformities and corrective action records (10.2)
Quick answers
Requirements questions, answered
What are the actual requirements of ISO 27001?
Two layers. Clauses 4 to 10 are mandatory for everyone: scope, leadership, risk-based planning, support, operation, performance evaluation and improvement. Annex A's 93 controls are the second layer, applied selectively through your Statement of Applicability. Certification requires the clauses in full and your justified selection of controls, all evidenced.
Which documents are mandatory?
The standard names a specific documented set, listed on this page: scope, policy, risk methodology and results, the SoA, objectives, competence evidence, operational records, internal audit and management review results, and corrective actions. Beyond those, document what your organisation needs to operate consistently and nothing more; auditors mark bloated document sets down, not up.
Is ISO 27001 a legal requirement in the UK?
No law requires it. Contracts increasingly do: enterprise procurement, public sector frameworks and supplier due diligence commonly make it a condition of doing business, which is why most UK certifications are commercially driven rather than regulatory.
What is the difference between requirements and controls?
Requirements (clauses 4 to 10) define the management system and are non-negotiable. Controls (Annex A) are the security measures the system selects and operates. You cannot exclude a clause; you can exclude a control, with justification.
Measure yourself against this
See how far from the requirements you really are
Our gap analysis scores you against every clause and control in about a week. A free 45 minute scoping call starts it.