User
What are ISO 27001 clauses?
Expert
ISO 27001 consists of the following parts:
- clauses 0 to 3 of the main part of the standard are clauses that describe the standard itself, so they are not mandatory for the implementation
- clauses 4 to 10 of the main part of the standard are mandatory because they set the requirements for the Information Security Management System (ISMS)
- Annex A, which contains 93 safeguards, or “controls” as they are called in the standard, that should be considered when designing the ISMS. Controls are grouped in 4 sections.
Here are the non-mandatory clauses of ISO 27001:
- 0 Introduction – The introductory clause gives a general overview of the standard and its purpose, and explains its compatibility with other ISO standards.
- 1 Scope – It defines the scope of the standard, pointing out that this standard is applicable to all types of organizations.
- 2 Normative references – The second clause, Normative references, and the third clause, Terms and definitions, both refer to ISO 27000 as a standard where information security terms and definitions are given.
- 3 Terms and definitions – Explains the main terminology.
Here are the mandatory clauses of ISO 27001:
- 4 Context of the organization – It requires understanding external and internal issues, interested parties and their requirements, and also defining the ISMS scope.
- 5 Leadership – This section defines top management responsibilities, sets the general roles and responsibilities for the ISMS, and defines the contents of the top-level Information Security Policy.
- 6 Planning – It defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
- 7 Support – This clause defines requirements for the availability of resources, competencies, awareness, communication, and control of documents and records.
- 8 Operation – It defines the requirement for regular re-assessment and treatment of risks, as well as the implementation of controls and other processes needed to protect the information.
- 9 Performance evaluation – This clause defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.
- 10 Improvement – This clause defines requirements for nonconformities, corrections, corrective actions, and continual improvement.
Annex A sections are:
- A.5 Organizational controls
- A.6 People controls
- A.7 Physical controls
- A.8 Technological controls