User
What are the mandatory clauses in ISO 27001?
Experta
The following are the mandatory clauses of ISO 27001:
- 4 Context of the organization – It requires understanding external and internal issues, interested parties and their requirements, and also defining the ISMS scope.
- 5 Leadership – This section defines top management responsibilities, sets the general roles and responsibilities for the ISMS, and defines the contents of the top-level Information Security Policy.
- 6 Planning – It defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
- 7 Support – This clause defines requirements for the availability of resources, competencies, awareness, communication, and control of documents and records.
- 8 Operation – It defines the requirement for regular re-assessment and treatment of risks, as well as the implementation of controls and other processes needed to protect the information.
- 9 Performance evaluation – This clause defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.
- 10 Improvement – This clause defines requirements for nonconformities, corrections, corrective actions, and continual improvement.