ISO 27001:2022 · Mandatory Requirements
Clauses 4–10: The Requirements You Cannot Exclude
Annex A controls can be excluded with justification — clauses 4 through 10 cannot. They define the management system itself: scope, leadership, risk assessment, the Statement of Applicability, internal audits, and management review. Every clause below links to a full guide covering what it requires, the documents it demands, and what auditors check.
Clause 4: Context of the Organization
Understand what shapes your ISMS and where its boundaries lie.
Understanding the organization and its context
Identifying the internal and external issues that shape your ISMS — the context analysis every later decision traces back to.
Understanding the needs and expectations of interested parties
Determining your stakeholders, their security-relevant requirements, and which of those the ISMS will address.
Determining the scope of the ISMS
Drawing the ISMS boundary — locations, services, assets, and interfaces — and writing the scope statement auditors check first.
Information security management system
Establishing, implementing, maintaining, and continually improving the ISMS and the processes that interact within it.
Clause 5: Leadership
Top management owns the ISMS — policy, roles, and visible commitment.
Leadership and commitment
What top management must visibly do for the ISMS — set direction, provide resources, and integrate security into business processes.
Information security policy
Writing and maintaining the information security policy: commitments, objectives framework, approval, communication, and review.
Organizational roles, responsibilities and authorities
Assigning and communicating ISMS roles — who operates it, who reports on its performance, and how authority is delegated.
Clause 6: Planning
Risk assessment, risk treatment, the SoA, and measurable objectives.
Actions to address risks and opportunities
The risk engine of ISO 27001: risk assessment methodology, risk treatment, and the Statement of Applicability (SoA).
Information security objectives and planning to achieve them
Setting measurable information security objectives and planning who will do what, with what resources, by when.
Planning of changes
Carrying out changes to the ISMS in a planned manner — the discipline the 2022 revision made explicit.
Clause 7: Support
Resources, competence, awareness, communication, and document control.
Resources
Determining and providing the resources the ISMS needs to be established, implemented, maintained, and improved.
Competence
Ensuring the people doing ISMS work are competent — defined needs, training or hiring to close gaps, and retained evidence.
Awareness
Making everyone working under the ISMS aware of the policy, their contribution, and the consequences of nonconformity.
Communication
Determining what to communicate about information security, when, to whom, and through which channels — internal and external.
Documented information
Creating, updating, and controlling ISMS documentation — versioning, approval, availability, and protection of every required document.
Clause 8: Operation
Run the plans: operational control and the live risk cycle.
Operational planning and control
Executing the plans: controlling security processes, managing planned changes, and governing externally provided processes.
Information security risk assessment
Performing information security risk assessments at planned intervals and on significant change, and retaining the results.
Information security risk treatment
Implementing the risk treatment plan and retaining the results — where Annex A controls become operational reality.
Clause 9: Performance Evaluation
Measure, internally audit, and review the ISMS at the top.
Monitoring, measurement, analysis and evaluation
Deciding what to measure, how, and when — then evaluating ISMS performance and control effectiveness from the results.
Internal audit
Running an internal audit programme that objectively tests the ISMS against the standard and your own requirements.
Management review
Top management reviewing the ISMS at planned intervals — the required inputs, the decisions, and the retained minutes.
Clause 10: Improvement
Fix nonconformities at the root and keep the ISMS improving.