The official ISO/IEC 27001:2022 standards document is broken into several sections, called clauses, and appendices called annexes. The ones you need to know about are clauses 4-10 and Annex A.
Clauses 4-10 list every requirement an information security management system (ISMS) must meet before it can be ISO 27001 certified. Annex A lists 93 security controls that an organization can implement to meet those requirements.
In this article, we’ll go through the clauses. For details on the security controls of Annex A, check out our article on ISO 27001 controls.

Clause 4: Context of the organization
The ISMS should clearly document its purpose and scope. Why does your organization handle information assets? What kinds of data do you manage, and for what purpose? An auditor can only assess the effectiveness of your ISMS once they understand its goals.
For example, a company maintaining a guest registry will require a very different ISMS than a tax preparation firm managing Social Security numbers.
To meet the requirements of Clause 4, make sure you’ve clearly defined what your organization does, what customers expect from you, and which assets fall under the scope of your ISMS. That scope statement becomes a cornerstone of your audit.

Clause 5: Leadership
For an ISMS to be effective, it has to have the full support of senior management.
ISO 27001 auditors will want to see that senior management takes accountability for the ISMS and does not consider itself exempt from its policies.
If top executives aren’t directly managing security activities, dedicated leaders should be appointed to oversee implementation, testing, and continuous improvement of the ISMS. There should never be confusion about who owns responsibility for each area of information security.
Demonstrate leadership buy-in with tangible evidence such as policies signed by executives, records of management reviews, or clear security objectives communicated company-wide.
Clause 6: Planning
Clause 6 centers on risk management. Your documentation must show:
- How you identify and analyze each information security risk
- Your process for choosing how to respond to each risk
- What risk avoidance, tolerance, and mitigation look like for your team
But planning goes beyond risk. This clause also requires you to define ISMS objectives and make actionable plans to achieve them. It’s about setting a vision for how your security program should mature over time.
Tip: Use SMART goals (specific, measurable, achievable, relevant, and time-bound) when defining ISMS objectives. Auditors will be looking for clarity, not vague aspirations.
Clause 7: Support
Clause 7 is all about ensuring your ISMS has the support it needs to function. That includes resources like human expertise, budget, and technology. It also requires training and awareness programs to make sure employees understand their role in protecting information.
Equally important is communication. You must establish reliable channels for security-related communication, whether that’s a dedicated Slack channel, ticketing system, or formal incident reporting process.
Think beyond tools. Support also means building a security culture where employees feel empowered to speak up about risks and know exactly where to turn when issues arise.
Clause 8: Operations
Clause 8 focuses on execution. You’ve identified risks (Clause 6) and secured resources (Clause 7), and now you need to put those plans into action.
This means implementing risk treatment plans, applying the right security controls, and keeping records of those actions. Documentation is key: auditors will expect evidence of your processes, not just good intentions.
Treat Clause 8 as your ISMS “playbook.” If someone new joined your security team tomorrow, they should be able to follow your documented procedures and keep the ISMS running smoothly.
Clause 9: Performance evaluation
The final two clauses, 9 and 10, are a matched set. They require you to document how you plan to continually improve your organization’s ISMS. That includes:
- Defining metrics for effectiveness
- Conducting internal audits
- Running technical tests, such as penetration tests or vulnerability scans
The key here isn't just to collect data; it's to show how that data drives decision-making and improvements. Auditors will be looking for evidence that your ISMS isn’t just operating but evolving based on real performance insights.
Clause 10: Continuous Improvement
Clause 10 is all about keeping your ISMS effective over time. That means investigating and correcting nonconformities, whether they stem from human error, process breakdowns, or external threats.
Once you’ve resolved an issue, how do you shore up the system so it doesn’t happen again? A certifiable ISMS must be in a constant state of growth and improvement.
Document your corrective actions carefully. Auditors want to see not only how you fixed an issue but also what you did to prevent it from happening again. A strong improvement cycle demonstrates maturity and resilience.

ISO 27001:2022: Updates to Annex A
An update to the ISO 27001 standard was officially published in October 2022, titled ISO/IEC 27001:2022 Information Security, Cybersecurity, and Privacy Protection. The updates in the ISMS Clauses 4-10 include minor wording and structural changes.
- Clause 6.3: Planning for Changes was added to provide clearer guidance on updating the ISMS over time.
- Clause 9.2 (Internal audit) was split into 9.2.1 (General) and 9.2.2 (Internal audit programme).
- Clause 9.3 (Management review) was divided into 9.3.1 (General), 9.3.2 (Inputs), and 9.3.3 (Results).
These changes don’t introduce new requirements, but provide greater clarity and structure to existing ones.