
ISO 27001 requirements: clauses 4–10 and Annex A

ISO 27001 requirements explained clause by clause. What auditors expect for the ISMS, risk treatment, internal audit, management review, and Annex A evidence.

Most first-time ISO 27001 applicants spend months on Annex A and show up to stage 2 missing the one thing the auditor cares about most: evidence that the management system itself is running. Annex A is the famous bit. The mandatory bit is clauses 4 through 10.

This post walks the ISO 27001 requirements the way a certification body reads them. Clauses first, Annex A second, and the three findings we see on almost every first-cycle audit.

The short answer

ISO 27001 requirements are the mandatory clauses 4 through 10 plus the Annex A controls you mark applicable in your Statement of Applicability. Clauses are the management system; Annex A is the reference control set. A certificate attests that both are operating, not that every Annex A control is in place. ISO itself is explicit that "excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity" to the standard (ISO/IEC 27001:2022).

For the higher-level context on what ISO 27001 is and who issues the certificate, see our pillar on ISO 27001 certification and the primer at what is ISO 27001.

Clause 4, Context of the organization

Clause 4 forces you to answer three questions before you design a single control.

First, what is the organization, and what internal and external issues affect its information security. Second, who are the interested parties (customers, regulators, employees, investors) and what do they require of you. Third, where does the ISMS start and end.

That third question, scope, is where first-time applicants get clever in ways the auditor does not reward. Scoping to "the production SaaS platform, its supporting corporate IT, and the engineering and security teams that operate it" is defensible. Scoping to "the login service only" is a red flag that invites a nonconformity.

Write the scope down. Include which locations, which legal entities, which product lines, and which exclusions. The scope statement appears on the certificate itself and your buyers will read it.

Clause 5, Leadership

Clause 5 is the clause that cannot be delegated to the security team.

Top management (CEO, CTO, or equivalent) must demonstrate commitment by approving the information security policy, assigning ISMS roles and responsibilities, and making sure the ISMS has resources. The auditor will ask to see the signed policy, the org chart, and meeting minutes that show leadership actually talking about the ISMS.

The information security policy itself is short. Three to five pages of principles, signed and dated, reviewed at least annually. A twenty-page policy that nobody has read, and that nobody can show was approved and communicated, draws a finding against this clause almost as readily as having no policy at all.

Clause 6, Planning

Clause 6 is where the ISMS gets its shape: risk assessment, risk treatment, and the Statement of Applicability.

The standard does not prescribe a risk methodology. You pick one, document it, and apply it consistently. A spreadsheet works. A GRC tool works. What does not work is "we talked about risks in a meeting." The auditor wants to see a risk register with identified risks, owners, likelihood and impact ratings, treatment decisions, and residual ratings after treatment.

Risk treatment produces the Statement of Applicability. Every Annex A control is listed with one of two labels: applicable (with justification and implementation status) or excluded (with justification). Excluding a control is fine when the exclusion is defensible. Excluding parts of A.7 Physical controls (for example A.7.2 Physical entry) because you are a remote-first company with no office, and the data centre operator's own certification covers the facilities you rent, is defensible. Excluding A.8.28 Secure coding because "we do not have time" is not.

Clause 6 also requires information security objectives. Measurable, with owners, reviewed. "Reduce time to revoke terminated user access to under 24 hours" is an objective. "Be secure" is not.

Clause 7, Support

Clause 7 covers the five things that keep an ISMS alive: resources, competence, awareness, communication, and documented information.

Resources means budget and headcount. Competence means the people running security controls are qualified, with training records to prove it. Awareness means every employee knows the policy exists and what their role in it is, with training completion logs. Communication means you have decided who tells whom about what, internally and externally, when something happens. Documented information means version control, approval, and retention for the policies, procedures, and records the ISMS produces.

The common failure here is awareness training that exists only for engineers. Sales, finance, and the CEO all need to complete the same baseline training. Sampling the wrong employee during stage 2 and finding no training record is one of the faster paths to a nonconformity.

Clause 8, Operation

Clause 8 is deceptively short in the standard and enormous in practice. It requires you to actually operate the controls you committed to in the SoA, execute the risk treatment plan, and control the changes that affect the ISMS.

This is where Annex A lives in real life. Every applicable control in the SoA has to be running, producing evidence, and reviewed when something changes. If the SoA says you perform quarterly access reviews and the auditor asks for four quarters of access review evidence, the answer cannot be "we did three."

Clause 8 also covers outsourced processes. Every vendor that handles data in scope needs to be managed, and that management needs to be documented.

Clause 9, Performance evaluation

Clause 9 contains the two requirements first-time applicants most often skip or fake: internal audit and management review. Neither is optional. Neither can be done the week before stage 2.

Monitoring and measurement comes first. You have to define what you measure about the ISMS (incident counts, training completion, control failures, whatever you chose as objectives in clause 6), measure it on a defined cadence, and report the results to someone who can act on them.

Internal audit is a formal, documented audit of the ISMS performed by someone independent of the function being audited. For a small company that usually means a contracted internal auditor or a cross-team reviewer, not the CISO auditing their own team. The internal audit has a plan, a scope, criteria, findings, and corrective actions. At least one full internal audit covering all clauses and applicable Annex A controls must happen before stage 2.

Management review is a documented meeting of top management where the ISMS is reviewed against the specific agenda set by clause 9.3: status of actions from previous reviews, changes in context, performance trends, audit results, risk assessment and treatment progress, feedback from interested parties, and improvement opportunities. Minutes, decisions, and action items all captured. The standard says "planned intervals"; certification bodies expect at least once a year, and more often in the first cycle.

Stage 2 auditors open the folder for internal audit and management review before they touch a single Annex A control. If those two folders are thin, the rest of the audit gets harder in a hurry.

Clause 10, Improvement

Clause 10 requires a nonconformity and corrective action process. When something goes wrong (a control fails, an incident happens, an internal audit finds a gap), the process kicks in: document the nonconformity, analyze the cause, decide on corrective action, assign an owner, close with evidence, verify effectiveness.

Continual improvement is the other half. The ISMS is not supposed to stay the same across the three-year cycle. Objectives evolve, risks change, controls mature. The auditor at recertification will compare the ISMS they saw at initial certification against the one in front of them and expect to see movement.

Annex A in the 2022 revision

Annex A in ISO/IEC 27001:2022 lists 93 controls grouped into four themes. The detailed implementation guidance for each of those controls lives in the companion standard ISO/IEC 27002:2022, which auditors and readiness teams treat as the working reference:

  • A.5 Organizational controls (37 controls), policies, roles, supplier relationships, threat intelligence, ISMS-adjacent governance.
  • A.6 People controls (8 controls), screening, terms of employment, awareness, disciplinary process, remote working.
  • A.7 Physical controls (14 controls), secure areas, equipment, clear desk, secure disposal.
  • A.8 Technological controls (34 controls), access control, cryptography, system security, network security, secure development, logging and monitoring.

Annex A is a reference set, not a checklist. You do not have to implement all 93. You do have to justify inclusion or exclusion of each in your SoA. Controls like A.8.9 Configuration management or A.8.16 Monitoring activities overlap cleanly with SOC 2 Common Criteria work, which is why most US SaaS companies doing both frameworks reuse evidence. The mapping logic is in SOC 2 vs ISO 27001, and the SOC 2 side of that evidence is described in what is SOC 2 and trust services criteria explained.

Common findings on first certification

Three findings appear on roughly every first-cycle stage 2 audit we see our readiness clients go through.

Missing internal audit evidence. The internal audit happened, but the plan is missing, or the scope was partial, or the findings were never turned into corrective actions. Fix this by running the internal audit at least two months before stage 2, with a documented plan and a real findings register.

SoA exclusions lacking justification. "Not applicable" is not a justification. "Organization is fully remote with no corporate office; physical access controls for A.7.2 are covered by employee home-office agreements and the data center operator's certification" is a justification. Every excluded Annex A control needs a sentence like that, not a blank cell.

Risk register older than twelve months. The risk assessment was run once when the ISMS was stood up and never updated. At stage 2 the auditor asks "when was this last reviewed," the answer is "last February," and the finding writes itself. Clause 6.1.2 defines the risk assessment process; clause 8.2 requires it to actually be performed at planned intervals and whenever significant changes are proposed or occur. At minimum, review the register quarterly and re-run the full assessment annually.
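Two of the three findings above, plus the "we did three" access-review gap from clause 8, are mechanical enough to catch before the auditor does. The script below is an added illustration, not part of the original post and not any client's tooling: it lints a Statement of Applicability for excluded controls with no justification and applicable controls with no implementation, flags risk register rows not reviewed within a year or missing an owner or treatment, and reports which of the last four completed quarters have no access review evidence. The CSV column names and the sample rows are constructed for the example; the standard prescribes no file format.

```python
"""
Readiness linter for an SoA, a risk register and a recurring-evidence log.
Constructed sample data and assumed column names; not a format from ISO/IEC 27001.
"""
import csv
import io
from datetime import date

# Date the check is run "as of"; constructed for the example.
AS_OF = date(2025, 1, 15)

# Constructed SoA excerpt, one row per Annex A control.
# status: applicable | excluded; implemented: yes | partial | no | n/a
SOA_CSV = """control,title,status,justification,implemented
A.7.2,Physical entry,excluded,"Fully remote; no corporate office. Data centre entry covered by provider certification.",n/a
A.7.4,Physical security monitoring,excluded,,n/a
A.8.16,Monitoring activities,applicable,Production SIEM covers in-scope systems,yes
A.8.28,Secure coding,applicable,,partial
"""

# Constructed risk register excerpt.
RISK_CSV = """id,risk,owner,treatment,residual,last_reviewed
R-01,Stale access after termination,IT lead,mitigate,low,2024-11-04
R-02,Vendor breach exposes customer data,CISO,mitigate,medium,2023-02-15
R-03,Single region outage,CTO,,high,2024-09-30
"""

# Constructed evidence log: completion date of each quarterly access review.
ACCESS_REVIEW_DATES = [date(2024, 3, 28), date(2024, 6, 27), date(2024, 12, 19)]


def lint_soa(csv_text):
    """Return findings for SoA rows an auditor would challenge."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        control = row["control"]
        just = row["justification"].strip()
        if row["status"] == "excluded" and not just:
            findings.append(f"{control}: excluded without justification")
        if row["status"] == "applicable":
            if not just:
                findings.append(f"{control}: applicable without justification")
            if row["implemented"] != "yes":
                findings.append(
                    f'{control}: applicable but implementation is "{row["implemented"]}"'
                )
    return findings


def lint_risks(csv_text, as_of, max_age_days=365):
    """Return findings for stale or incomplete risk register rows."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reviewed = date.fromisoformat(row["last_reviewed"])
        if (as_of - reviewed).days > max_age_days:
            findings.append(
                f"{row['id']}: last reviewed {reviewed}, older than {max_age_days} days"
            )
        for col in ("owner", "treatment", "residual"):
            if not row[col].strip():
                findings.append(f"{row['id']}: missing {col}")
    return findings


def missing_quarters(review_dates, as_of, quarters=4):
    """(year, quarter) tuples among the last `quarters` completed quarters
    before `as_of` that have no review evidence."""
    covered = {(d.year, (d.month - 1) // 3 + 1) for d in review_dates}
    y, q = as_of.year, (as_of.month - 1) // 3 + 1
    missing = []
    for _ in range(quarters):
        q -= 1  # step back to the previous completed quarter
        if q == 0:
            y, q = y - 1, 4
        if (y, q) not in covered:
            missing.append((y, q))
    return missing


if __name__ == "__main__":
    for f in lint_soa(SOA_CSV) + lint_risks(RISK_CSV, AS_OF):
        print("FINDING:", f)
    for y, q in missing_quarters(ACCESS_REVIEW_DATES, AS_OF):
        print(f"FINDING: no access review evidence for {y} Q{q}")
```

On the sample data this reports A.7.4 excluded with a blank cell, A.8.28 applicable with no justification and only partial implementation, R-02 unreviewed for almost two years, R-03 with no treatment decision, and no access review evidence for 2024 Q3. Run it against the real registers on a schedule, well before the internal audit, so the findings come from you and not from stage 2.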


If you are building an ISMS and want an outside read on whether your clause 4 through 10 evidence will survive stage 2, or you want help mapping one control library across SOC 2 and ISO 27001 before you engage a certification body, we do readiness for exactly that. For the vocabulary and overview of the full ISMS family of standards, ISO publishes ISO/IEC 27000 as a free download. Reach out at hello@securancepro.com, see our compliance services, or browse the full services menu.
