ISO27001 - Clauses 4 to 10

The ISO27001 standard consists of two parts:

  1. ISO27001 - Clauses 4 to 10
  2. Annex A - 93 (normative) measures

Both parts are important in the implementation of your ISMS. In this document we explain the first part: Clauses 4 to 10.

tip

You can find all Clauses and Annex A controls in your Tidal environment. Visit the Frameworks page and select 'ISO27001'. All clauses including guidance are listed there.

Clauses 4 to 10 describe what is expected of you as management of the organization (see below for a summary of each clause). These are given requirements.

However, as part of designing and implementing clauses 4 to 10 you will mostly be defining the necessary measures for the operation of your Information Security Management System (ISMS) yourself.

An example. Clause 9.1 states that “The organization shall evaluate the information security performance and the effectiveness of the information security management system.” There is nothing in ISO27001 that says that you must have an information security committee that meets on a monthly basis. However, if you decide that you need one, and you say that it must meet every month then you have just created a new requirement. So it must meet every month!

This means that whatever you say you are going to do to operate your ISMS, you must do. The certification auditors will simply check this, and if you are not doing what you said you would do, you will receive a non-conformity.

tip

This works both ways. For example, consider a situation where management has concluded that a certain technical measure that appears in the standard does not mitigate any of the risks that the organisation has identified, and decides not to implement it. The ISMS is working properly, so this will not result in a non-conformity!

This makes the clauses both the most important and the most flexible requirements of the Standard. Use this knowledge wisely!

The following chapters summarise the content of each Clause.

Clause 4 - Context of the organisation

One prerequisite for implementing an Information Security Management System successfully is understanding the context of the organisation. External and internal issues, as well as interested parties, need to be identified and considered. Requirements may include regulatory obligations, but they may also go far beyond them. With this in mind, the organisation needs to define the scope of the ISMS.

Clause 5 - Leadership

The requirements of ISO 27001 for adequate leadership are manifold. The commitment of the top management is mandatory for a management system. Objectives need to be established according to the strategic direction and objectives of the organisation. Providing resources needed for the ISMS, as well as supporting persons in their contribution to the ISMS, are other examples of the obligations to meet.

Furthermore, the top management needs to establish a top-level policy for information security. The company’s ISO 27001 Information Security Policy should be documented, as well as communicated within the organisation and to interested parties.

Roles and responsibilities need to be assigned, too, in order to meet the requirements of the ISO 27001 standard and to report on the performance of the ISMS.

Clause 6 - Planning

Planning in an ISMS environment should always take into account risks and opportunities. An information security risk assessment provides the key foundation to rely on. Accordingly, information security objectives should be based on the risk assessment. These objectives need to be aligned with the company’s overall objectives, and they need to be communicated within the company, because they provide the security goals that everyone within and associated with the company works toward. From the risk assessment and the security objectives, a risk treatment plan is derived, based on the controls listed in Annex A.

Clause 7 - Support

Resources, competence of employees, awareness, and communication are key to supporting the ISMS. Another requirement is documenting information in accordance with ISO 27001: information needs to be documented, created, updated, and controlled. A suitable set of documentation needs to be maintained in order to support the success of the ISMS.

Clause 8 - Operation

Processes are mandatory for implementing information security. These processes need to be planned, implemented, and controlled. Risk assessment and risk treatment, which need to be on top management’s minds as we learned earlier, have to be put into action.

Clause 9 - Performance evaluation

The requirements of the ISO 27001 standard expect monitoring, measurement, analysis, and evaluation of the Information Security Management System. In addition to monitoring of its effectiveness, the company needs to conduct internal audits. Finally, at defined intervals, the top management needs to review the organisation’s adherence to its ISMS and ISO 27001.

Clause 10 - Improvement

Improvement follows the evaluation. Non-conformities need to be addressed by taking action and eliminating their causes. Moreover, a continual improvement process should be implemented. Even though the PDCA (Plan-Do-Check-Act) cycle is no longer explicitly mentioned in ISO 27001, it is still recommended, as it offers a solid structure and fulfils the requirements of ISO 27001.