ISO 27001 remains the globally recognised benchmark for building, maintaining and improving an Information Security Management System (ISMS). Yet many organisations misunderstand what the standard truly requires in practice. Implementation is often approached as a checklist exercise, but ISO 27001 is fundamentally a governance and risk management framework that supports long-term resilience.
This article explains the requirements in a clear and comprehensive way. It covers Clauses 4 to 10, breaks down Annex A controls, clarifies which controls matter most for different types of organisations and outlines how these elements support NIS 2 compliance across the European Union.
Understanding clauses 4 to 10 in simple terms
Clauses 4 to 10 form the core of the ISO 27001 standard. They define how an organisation must design, operate and continuously improve its ISMS.
Below is a detailed interpretation of what each clause means in practice.
Clause 4: Context of the organisation
This clause requires organisations to deeply understand the environment in which they operate. It involves identifying internal and external issues, understanding the needs of stakeholders and defining the scope of the Information Security Management System. In practice, this means:
- assessing legal obligations
- identifying strategic risks
- determining boundaries of the ISMS
- recognising dependencies on infrastructure, third parties and technology
- assessing whether climate change and environmental hazards could affect information assets
Since the 2024 amendment to ISO/IEC 27001:2022, the standard explicitly requires organisations to determine whether climate change is a relevant issue for them. Failure to define the scope correctly, including this assessment, creates blind spots that weaken the entire ISMS and constitutes a nonconformity.
Clause 5: Leadership
Leadership involvement is a cornerstone of ISO 27001. This clause requires demonstrable commitment from executive management. They must approve policies, allocate resources and define security roles. They must also show evidence of accountability through:
- participation in reviews
- oversight of risk decisions
- alignment of security objectives with business goals
- understanding their responsibilities and role within the ISMS, supported by formal training on information security and ISMS basics
This aligns well with NIS 2, which explicitly holds leadership accountable for cybersecurity decisions. Clause 5 ensures security is integrated into governance rather than delegated without oversight.
Clause 6: Planning
Clause 6 introduces the risk management process. Organisations must define how they identify, analyse and treat risks. They must also establish security objectives that are measurable, evidence-based and aligned with business needs. This involves:
- selecting a risk assessment methodology
- analysing threats and vulnerabilities
- prioritising risks based on impact and likelihood
- choosing and documenting risk treatment plans
This clause forms the backbone of the ISMS. It ensures that controls are not implemented blindly but selected based on actual risk exposure.
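To make the Clause 6 logic concrete, the following added Python example (not part of the original article) scores a constructed risk register, decides treatment against an acceptance threshold, and derives a Statement of Applicability in which each reference control is either included with a justification or excluded with one. The Annex A identifiers and titles are real; the risks, scores, threshold, the non-Annex A control "TPRM-01" and all justification text are constructed for illustration.

```python
"""Risk-based control selection, as added illustration (not the article's
own material): score risks from a register, decide treatment against a
defined acceptance threshold, and derive a Statement of Applicability in
which every reference control is either included with a justification or
excluded with one. Control identifiers and titles follow Annex A of
ISO/IEC 27001:2022; the risks, scores, threshold, the custom control
TPRM-01 and the justification text are constructed for the example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    controls: tuple[str, ...]  # controls that would treat this risk

    def score(self) -> int:
        """Likelihood x impact; Clause 6 lets the organisation pick its own method."""
        return self.likelihood * self.impact


# Constructed acceptance threshold: risks scoring at or below it may be
# accepted by the risk owner; anything above must be treated.
ACCEPTANCE_THRESHOLD = 6

# Constructed risk register.
RISKS = (
    Risk("R1", "Unpatched internet-facing server exploited", 4, 5, ("A.8.8", "A.8.15")),
    Risk("R2", "Ransomware destroys production data", 3, 5, ("A.8.13",)),
    Risk("R3", "Supplier breach exposes customer data", 3, 4, ("A.5.19", "TPRM-01")),
    Risk("R4", "Laptop with unencrypted disk lost in transit", 2, 4, ("A.8.24",)),
    Risk("R5", "Visitor tailgates into the office", 2, 2, ("A.7.2",)),
)

# Subset of the Annex A reference catalogue (real identifiers and titles).
REFERENCE_CONTROLS = {
    "A.5.1": "Policies for information security",
    "A.5.19": "Information security in supplier relationships",
    "A.7.2": "Physical entry",
    "A.7.10": "Storage media",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.15": "Logging",
    "A.8.24": "Use of cryptography",
}

# Controls applicable for reasons other than a scored risk (legal, contractual
# or governance requirements). Constructed justification text.
BASELINE = {
    "A.5.1": "Required by Clause 5.2 (information security policy) regardless of risk score",
}

# Controls the organisation excludes, each with a justification. Constructed.
EXCLUSIONS = {
    "A.7.10": "No removable storage media in use; endpoint policy blocks USB mass storage",
}


def treatment_decision(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """'treat' when the score exceeds the acceptance threshold, otherwise 'accept'."""
    return "treat" if risk.score() > threshold else "accept"


def build_soa(risks=RISKS, controls=REFERENCE_CONTROLS, baseline=BASELINE,
              exclusions=EXCLUSIONS, threshold=ACCEPTANCE_THRESHOLD):
    """Return (soa, gaps, custom).

    soa    : control id -> {"applicable": bool, "justification": str}
    gaps   : reference controls neither justified as applicable nor as
             excluded; each would be a nonconformity against 6.1.3 d)
    custom : controls pulled in by the register that are not Annex A items
             (permitted, but they need their own documented entry)
    """
    needed: dict[str, list[str]] = {}
    for risk in risks:
        if treatment_decision(risk, threshold) == "treat":
            for cid in risk.controls:
                needed.setdefault(cid, []).append(risk.rid)

    soa = {}
    gaps = []
    for cid in controls:
        if cid in needed:
            soa[cid] = {"applicable": True,
                        "justification": "Treats risk(s) " + ", ".join(needed[cid])}
        elif cid in baseline:
            soa[cid] = {"applicable": True, "justification": baseline[cid]}
        elif cid in exclusions:
            soa[cid] = {"applicable": False, "justification": exclusions[cid]}
        else:
            gaps.append(cid)

    custom = sorted(cid for cid in needed if cid not in controls)
    return soa, gaps, custom


if __name__ == "__main__":
    soa, gaps, custom = build_soa()
    for cid, entry in soa.items():
        state = "applicable" if entry["applicable"] else "excluded"
        print(f"{cid:<7} {state:<10} {REFERENCE_CONTROLS[cid]}: {entry['justification']}")
    print("reference controls with no justification (SoA gap):", gaps)
    print("non-Annex A controls needing their own SoA entry:", custom)
```

Note what the gap list catches: risk R5 is accepted, so nothing in the register pulls in A.7.2, but accepting a risk is not the same as justifying the exclusion of the control. Until A.7.2 is either included or given an exclusion justification, the Statement of Applicability is incomplete. The custom control TPRM-01 shows that controls from another framework may be used, but they still need their own entry and justification.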
Clause 7: Support
Clause 7 focuses on the resources that make the ISMS function. It requires organisations to ensure that people, technology and documented information support the ISMS objectives. This includes:
- defining competence requirements
- providing training
- maintaining communication plans
- documenting all relevant information
Documentation must be controlled, kept up to date and accessible. Many organisations underestimate the effort required to maintain accurate records. In audits, lack of documentation is one of the most common areas of nonconformity.
Clause 8: Operation
Clause 8 describes the day-to-day activities required to run the ISMS. It includes the operational implementation of controls, management of suppliers, handling of incidents and execution of risk treatment actions. Key activities include:
- operationalising policies and procedures
- collecting evidence of control performance
- performing change management
- executing the incident response plan
- monitoring third-party risks
This clause forces organisations to demonstrate that security is not theoretical. There must be observable evidence that controls function properly.
Clause 9: Performance evaluation
Clause 9 requires organisations to continuously evaluate the performance of the ISMS. This includes monitoring, internal audits and management reviews. Activities include:
- defining metrics
- reviewing control performance
- conducting internal audits
- reporting findings to leadership
Performance evaluation ensures the ISMS remains relevant, effective and aligned with organisational goals.
Clause 10: Improvement
Clause 10 requires a structured approach to continual improvement. Organisations must address nonconformities, correct root causes and ensure lessons are incorporated into future processes.
This continuous improvement mindset keeps the ISMS aligned with evolving threats and organisational changes.
Annex A controls: what they really mean for your organisation
Annex A contains 93 controls split across four themes. These controls provide the operational and technical foundation that supports the ISMS. Many organisations assume that Annex A is a checklist. In reality, controls must be selected based on risk.
Below is a high-level explanation of what each control domain represents.
A.5: Organisational controls
These controls focus on governance, policies, supplier management, roles and responsibilities. They ensure that the organisation has structure and clear accountability. Examples include:
- information security policies
- roles and responsibilities
- supplier risk management
- secure project management
These controls create the organisational foundation required for effective cybersecurity governance.
A.6: People controls
These controls ensure that employees, contractors and third parties understand their responsibilities and act securely. Examples include:
- screening and vetting
- training
- disciplinary measures
- confidentiality agreements and remote working
People controls reduce the likelihood of human error or insider threats.
A.7: Physical controls
These controls protect physical access to facilities, equipment and sensitive areas. Examples include:
- physical access management
- secure disposal
- protection against environmental threats
Despite modern cloud adoption, physical security remains essential for compliance and risk reduction.
A.8: Technological controls
These controls manage the security of systems, applications and networks. Examples include:
- configuration management
- logging and monitoring
- cryptography
- secure development
- access restriction, privileged access rights and secure authentication
- vulnerability management
These are often the most resource-intensive controls and require strong technical governance.
Which ISO 27001 controls matter most for SMEs, enterprises and governments
All organisations must apply a risk-based approach. However, certain controls commonly have a greater impact depending on the organisation type.
For SMEs
SMEs benefit most from controls that create structure and prevent common incidents. Priority controls typically include:
- access control
- asset management
- patching and vulnerability management
- incident response
- supplier management
- backup and recovery
SMEs often lack dedicated security teams, which makes consistency in these areas essential.
For enterprises
Large organisations require a blend of governance and advanced technical management. Key emphasis areas include:
- secure development practices
- change management
- threat intelligence
- continuous monitoring
- delegated responsibilities
- forensic readiness
Enterprises must also manage large, diverse supplier ecosystems, which increases third-party risk.
For government organisations
Public sector bodies must manage higher levels of accountability and often face nation-state threats. They require stronger governance, documentation and resilience capabilities. Critical controls include:
- business continuity
- incident reporting
- role-based access control
- physical security
- redundancy and availability measures
- compliance-specific documentation
Government organisations often align with additional national frameworks, such as Belgium’s CyFun®.
Mandatory ISO 27001 documentation
ISO 27001 requires several documents that must be maintained and controlled. Key mandatory documents include:
- scope of the ISMS
- risk assessment and treatment methodology
- Statement of Applicability
- risk treatment plan
- information security objectives
- procedures for incident management
- evidence of competence and training
- audit reports
- management review minutes
Documentation provides the evidence needed to demonstrate compliance to auditors and regulators.
Common misconceptions about ISO 27001 requirements
Many organisations approach ISO 27001 with incorrect assumptions. Common misconceptions include:
1. ISO 27001 requires all 93 controls
This is not correct. Annex A is a reference list, not a mandatory set. Organisations first determine the controls they need from their risk assessment; these may come from Annex A, from another framework such as CyFun®, or be designed in-house. Clause 6.1.3 then requires them to compare the selected controls against Annex A to check that nothing necessary has been overlooked, and to record the outcome in the Statement of Applicability: every Annex A control is either included, with a justification and its implementation status, or excluded, with a justification. A control that is simply left off the list without justification is a nonconformity.
2. ISO 27001 is only for large enterprises
SMEs can benefit greatly from structured governance and reduced operational risk.
3. ISO 27001 is purely technical
Most of the standard is governance and process-oriented rather than technical.
4. Certification ensures security
Certification verifies the management system. It does not guarantee immunity from threats.
How these requirements map to NIS 2
NIS 2 introduces legal obligations for cybersecurity. ISO 27001 supports these requirements by providing measurable governance, structure and evidence. While the frameworks are not identical, there is strong alignment across several areas. Examples include:
- governance expectations align with Clause 5
- risk management aligns with Clause 6
- operational controls support NIS 2 security measures
- incident response aligns with response obligations
- supplier management aligns with supply chain expectations
- business continuity aligns with resilience requirements
ISO 27001 does not replace NIS 2 but creates a structured foundation for meeting the directive’s obligations.
Next step: building an implementation plan
A successful ISO 27001 implementation requires structure, prioritisation and clarity. Organisations can begin with the following approach:
1. Define ISMS scope
2. Perform a risk assessment
3. Select applicable controls
4. Document policies and procedures
5. Implement controls operationally
6. Provide training and awareness
7. Conduct internal audits
8. Prepare for external certification
A phased method reduces complexity and improves adoption.