The ISO 27001 requirements frame the general compliance requirements an organization must meet to establish a sound information security management system (ISMS). The core requirements are discussed below. They are spread across seven clauses, running from 4.1 through 10.2.
Clause 4 #
The requirements listed under clauses 4.1 to 4.4 discuss compliance needs in the context of the organization. Understanding the organization and its business environment, establishing the context of the ISMS, and defining the compliance needs are the topics of the clauses below.
Clause 4.1 Understanding the Organization and its Context #
It deals with understanding the organization and its context, and requires identifying both internal and external issues.
Clause 4.2 Understanding the Needs and Expectations of Interested Parties #
It deals with identifying the interested parties and then documenting their needs and expectations.
Clause 4.3 Determining the scope of the Information Security Management System #
Setting the scope of the ISMS helps communicate to employees, auditors, customers, management and stakeholders which business areas are covered by the ISMS.
Clause 4.4 Information Security Management System #
It deals with how an organization operates, maintains and improves the ISMS.
Clause 5 #
The requirements under clauses 5.1 through 5.3 direct the organization's leadership to establish an effective information security policy and framework, with a clear structure and well-defined roles and responsibilities for the stakeholders. The relevant clauses are:
Clause 5.1 Leadership and commitment #
It requires top management to demonstrate leadership and commitment to the ISMS.
Clause 5.2 Information Security Policy #
It requires top management to document the information security policy.
Clause 5.3 Organizational roles, responsibilities, and authorities #
It requires top management to ensure clarity in the organization by determining the roles, responsibilities and authorities relevant to the ISMS.
Clause 6 #
The two clauses 6.1 and 6.2 of this section provide the framework for planning how risks will be addressed, based on an understanding of the organization's goals.
Clause 6.1 Actions to address risks and opportunities #
It deals with determining and demonstrating the actions taken to address risks and opportunities.
Clause 6.2 Information security objectives and planning to achieve them #
It deals with the information security objectives. It also covers the process for achieving them: what resources are required, who will be responsible, and when the work has to be completed.
Clause 7 #
Clause 7 covers the resources, people, information, communication and documented information needed for an effective ISMS. Clause 7 includes:
Clause 7.1 Resources #
It deals with providing the resources needed for establishing, implementing, maintaining and improving the ISMS.
Clause 7.2 Competence #
It deals with the competence of the people working on the ISMS. It requires determining who is competent on the basis of education, training and experience.
Clause 7.3 Awareness #
It requires people to be aware of the information security policy, of how their contribution affects the effectiveness of the ISMS, and of the consequences of not meeting its requirements.
Clause 7.4 Communication #
It deals with both internal and external communication regarding the ISMS.
Clause 7.5 Documented information #
It requires that information related to the ISMS is documented and properly maintained.
Clause 8 #
Clause 8 sums up the requirements for putting the previously mentioned clauses into operation. It deals with measuring the performance of the ISMS in place. The relevant clauses are:
Clause 8.1 Operational planning and control #
It deals with the processes of planning, implementing and controlling operations in order to achieve the ISMS objectives.
Clause 8.2 Information security risk assessment #
It requires organizations to conduct information security risk assessments and to document their results.
Clause 8.3 Information security risk treatment #
It deals with implementing the information security risk treatment plan and retaining documented information on the results.
Clause 9 #
This clause covers the most important aspects of monitoring, analyzing and evaluating the organization's ISMS, and the continuous review of the outcomes.
Clause 9.1 Monitoring, measurement, analysis, and evaluation #
It deals with evaluating the performance and the effectiveness of the ISMS.
Clause 9.2 Internal audit #
It requires organizations to conduct internal audits that provide information on whether the ISMS is properly implemented and maintained and whether it meets the organization's requirements.
Clause 9.3 Management review #
It deals with ensuring the continuing suitability, adequacy and effectiveness of the ISMS and its objectives.
Clause 10 #
Corrective action planning and continuous improvement measures are defined under clauses 10.1 and 10.2. Here organizations are directed to establish proper action plans to deal with anomalies and unusual incidents. The two clauses below sum up the details.
Clause 10.1 Nonconformity and corrective action #
It deals with the actions an organization takes to address information security nonconformities.
Clause 10.2 Continual improvement #
It requires organizations to continually improve the ISMS. To do so, organizations must assess, test, review and measure the performance of the ISMS.