ISO/IEC 27001:2022 Clauses: Moving Beyond a Compliance Checklist

When organizations first approach ISO 27001, they often head straight for the Annex A controls—the “flashy” technical safeguards like encryption and firewalls. However, as auditors, we find that the most resilient security programs are built on the bedrock of the ISO 27001 clauses (4–10). ISO 27001 clauses are the numbered structural sections of the standard that define the management system requirements an organization must meet to achieve certification. These aren’t just administrative hurdles; they are the “how” and “why” behind your entire Information Security Management System (ISMS).

In this post, we’ll break down the mandatory clauses of the 2022 version, highlight the subtle but critical changes from the 2013 standard, and share the common “audit stumbles” we see in the field.

The Bottom Line: While Annex A provides the tools, Clauses 4–10 provide the blueprints. A company cannot achieve a sustainable, certified ISMS without mastering the management requirements that ensure its security is proactive rather than reactive.

What Changed in ISO 27001:2022?

The 2022 update was more of a “refinement” than a total overhaul for the main clauses, though the changes carry significant weight for how you document your processes.

  • Clause 4.2 (Interested Parties): You are now explicitly required to identify which requirements of your “interested parties” (customers, regulators, etc.) will be addressed through the ISMS.
  • Clause 6.3 (Planning of Changes): This is a new, dedicated clause. It mandates that any changes to the ISMS must be planned and carried out in a documented, controlled manner.
  • Clause 8.1 (Operational Planning): This now includes a requirement to establish “criteria” for your processes. It’s no longer enough to just “do” the process; you must define what a successful process looks like.
  • Clause 7.4 (Simplified Communication): This clause was streamlined, combining the “who” and “how” of communication into a single, more flexible requirement. The more rigid 2013 list of “who, what, when, how” was replaced with a requirement to determine how communication will take place.

ISO 27001 Clauses List (1–10)

While Clauses 1–3 provide context (Scope, Normative References, and Terms), the mandatory requirements for certification live in Clauses 4 through 10.

Clause | Name                        | Summary
-------|-----------------------------|------------------------------------------------------------------------------------
4      | Context of the Organization | Defining your “why.” Identifying external/internal issues and setting the ISMS scope.
5      | Leadership                  | Top management must prove they are “all in” by assigning roles and signing off on policies.
6      | Planning                    | The risk assessment engine. Identifying risks and setting measurable security objectives.
7      | Support                     | Ensuring you have the right people (competence), resources, and documented information.
8      | Operation                   | Executing the plans. Putting your risk treatment and assessments into daily practice.
9      | Performance Evaluation      | Checking the “health” of the ISMS via internal audits and management reviews.
10     | Improvement                 | Reacting to nonconformities and finding ways to make the system better over time.

The Clauses (4–10), Reframed

Instead of thinking of these as requirements, think of them as a system:

  • Design the System
    • Clause 4: Context – Why does your ISMS exist?
    • Clause 5: Leadership – Who owns it and drives it?
  • Define the Direction
    • Clause 6: Planning – What risks matter? What are you trying to achieve?
  • Enable Execution
    • Clause 7: Support – Do you have the people, skills, and evidence?
  • Run the System
    • Clause 8: Operation – Are you actually doing what you planned?
  • Prove It Works
    • Clause 9: Performance Evaluation – Can you demonstrate effectiveness?
  • Improve It
    • Clause 10: Improvement – Are you learning and adapting?

This is the difference between a compliance exercise and a living system.

ISO 27001 Clauses in Action

Real-World Audit Scenarios: Where the Rubber Meets the Road

Understanding the clauses is one thing; applying them consistently is another. These are among the most common places we see organizations stumble during an audit.

The “Paper Tiger” Pitfall (Clause 6)

We recently audited a tech firm that had a beautiful Risk Treatment Plan on paper. However, when we looked at their Clause 6.2 (Security Objectives), they were all vague—things like “Improve security awareness”.

Without measurable criteria, they couldn’t prove they were meeting their goals. As auditors, we need to look for specific metrics. Instead of “improving awareness,” an example of a measurable goal is: “Achieve a 95% completion rate on quarterly phishing simulations with a click rate under 5%.”

The “Siloed Leadership” Syndrome (Clause 5 & 9)

One of the most common issues occurs during the Management Review. We often see situations where the CISO runs the meeting, but the executive leadership is absent or merely “rubber-stamping” the minutes.

ISO 27001:2022 emphasizes that leadership must demonstrate active commitment. If leadership isn’t involved in reviewing the results of internal audits or resource needs, the ISMS becomes a siloed IT project rather than a business-wide security culture.

Considerations for Your ISO 27001 Journey

As a company prepares for its audit, the compliance group should keep these considerations in mind:

  • Define the “Interested Parties” early: Don’t just list them; document what they expect from you (e.g., SOC 2 reports or GDPR compliance).
  • Evidence is king: For Clause 7.2 (Competence), simply saying your team is “smart” isn’t enough. We look for training certificates, resumes, or performance reviews.
  • Plan your changes: Use a change management log. If you migrate from an on-prem server to the cloud for policy documentation retention, Clause 6.3 requires you to show how that change was planned within the ISMS.

ISO 27001 Clause FAQs

Common ISO 27001 Clause Questions, Answered

We hear a lot of the same questions from organizations preparing for their first ISO 27001 audit. Here are the ones that come up most often.

What Are the Mandatory Clauses for ISO 27001?

Clauses 4 through 10 are the mandatory management system requirements. While Annex A controls can be excluded if they don’t apply to your environment, you cannot exclude any part of Clauses 4–10 and remain compliant.

How Many Clauses Are Defined in ISO 27001?

There are 11 total clauses (numbered 0 to 10). However, the first four (0–3) are introductory. The actual “rules” you must follow start at Clause 4 and end at Clause 10.

What Is the New Clause in ISO 27001:2022?

Clause 6.3, “Planning of Changes,” is the most notable addition. It requires organizations to ensure that changes to the ISMS are handled deliberately and with consideration for the integrity of the security system.

Your ISMS Clauses Should Work for You, Not Against You

If your ISO 27001 program feels like a checklist, it probably is, and that is exactly what auditors and attackers will expose. Take the time to implement the clauses so that they add value and strengthen your ISMS. The organizations that struggle most during audits aren’t always the ones with Annex A gaps; they’re the ones that never fully engaged with Clauses 4 through 10.

Are you ready to see how your ISMS measures up? Whether you are recertifying or starting from scratch, our accredited team at Linford & Co. is here to provide the expertise and certification services you need. Contact us today to learn more about our ISO 27001 audit services.