Requirements for Achieving ISO 27001 Certification - IT Governance UK Blog (2024)

Luke Irwin 29th November 2022

Please note new versions of ISO 27001 and ISO 27002 have now been published.

To learn more about what these updates mean for your organisation, and to buy your copies of ISO 27001:2022 and ISO 27002:2022, please visit our information pages.

Although ISO 27001 is built around implementing an ISMS (information security management system), none of its controls are universally mandatory for compliance.

That’s because the Standard recognises that every organisation is unique and has its own information security requirements.

Instead of taking a one-size-fits-all approach, organisations are required to perform activities that inform their decisions regarding which controls to implement. In this blog, we explain what those processes entail and how you can complete them.

Mandatory ISO 27001 requirements

The most important activities when implementing ISO 27001 are:

  • Scoping your ISMS

Documenting the ISMS scope means defining what information assets need to be protected.

There will almost certainly be more information and more locations where information is kept than you initially think of, so you must take the time to identify every relevant part of your organisation.

The requirements for doing this are outlined in Clause 4.3 of the Standard.

  • Conducting a risk assessment

Clause 6.1.2 of the Standard states that organisations must “define and apply” a risk assessment process.

An information security risk assessment is a formal, top management-driven process and sits at the core of the ISMS.

  • Defining a risk treatment methodology

An RTP (risk treatment plan) is an essential part of an organisation’s ISO 27001 implementation process, as it documents the way your organisation will respond to identified threats.

Organisations can determine the best way to modify a risk by looking at the controls listed in Annex A of ISO 27001.

Organisations are also required to complete the following mandatory clauses:

  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Information risk treatment process (clause 6.1.3)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Risk assessment report (clause 8.2)
  • Records of training, skills, experience and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit programme (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)

And the Annex A controls?

Annex A outlines the controls that are associated with various risks. Depending on the controls your organisation selects, you will also be required to document:

  • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
  • Inventory of assets (clause A.8.1.1)
  • Acceptable use of assets (clause A.8.1.3)
  • Access control policy (clause A.9.1.1)
  • Operating procedures for IT management (clause A.12.1.1)
  • Secure system engineering principles (clause A.14.2.5)
  • Supplier security policy (clause A.15.1.1)
  • Incident management procedure (clause A.16.1.5)
  • Business continuity procedures (clause A.17.1.2)
  • Statutory, regulatory, and contractual requirements (clause A.18.1.1)
  • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3).

The Statement of Applicability

The SoA (Statement of Applicability) is another essential piece of documentation within the information risk treatment process.

The SoA outlines which Annex A controls you have selected or omitted and explains why you made those choices. It should also include additional information about each control and link to relevant documentation about its implementation.

Tackling the documentation process

As you begin your compliance project, you’ll notice that documentation is its most time-consuming part.

Each clause comes with its own documentation requirements, meaning IT managers and implementers will have to deal with hundreds of documents. Each policy and procedure must be researched, developed, approved, and implemented, which could take months.


Organisations can simplify the compliance process with our ISO 27001 Toolkit.

This set of customisable templates was designed by information security experts, providing simple guidance to help you meet the Standard’s documentation requirements.

You can embed the documentation directly in your organisation, saving you time and money.

A version of this blog was originally published on 24 March 2016.

About The Author


Luke Irwin

Luke Irwin is a former writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.
