Mandatory Clauses

ISO 27001 contains 11 clauses (0-10), with clauses 4-10 being mandatory for compliance[1]. These clauses outline the core requirements for an ISMS:

  1. Clause 4: Context of the organization
  2. Clause 5: Leadership
  3. Clause 6: Planning
  4. Clause 7: Support
  5. Clause 8: Operation
  6. Clause 9: Performance evaluation
  7. Clause 10: Improvement

These clauses define the broader requirements for an ISMS but do not specify individual controls[2].

Annex A Controls

The second component of ISO 27001 is Annex A, which contains a list of 93 security controls grouped into four themes[1][2]:

  1. Organizational Controls (37 controls): These focus on policies, procedures, and organizational-level measures for effective information security[2].
  2. People Controls (8 controls): These address the human component of information security, including awareness, training, and personnel security[2].
  3. Physical Controls (14 controls): These cover the physical environment and security of tangible assets[2].
  4. Technological Controls (34 controls): These encompass technical measures such as malware protection, backups, and network security[2].

Organizations select and implement controls from Annex A based on their risk assessment. The selection process is documented in the Statement of Applicability (SoA), which lists all Annex A controls, justifications for their inclusion or exclusion, and their implementation status[2][3].

Although Annex A provides a comprehensive set of controls, organizations are not required to implement all of them. The selection should be based on the organization's specific risks and needs, as determined by the risk assessment process[3][4].

By following this structure, ISO 27001 provides a flexible yet robust framework for organizations to manage information security risks and demonstrate their commitment to protecting sensitive data[5].