What Are the ISO 27001 Requirements?
ISO 27001 requires an ISMS with leadership commitment, risk management, documented policies, and internal audits.
ISO 27001 doesn't hand you a fixed checklist of named documents and call it done. What it requires is a functioning Information Security Management System (ISMS) — and the standard defines that system through specific clauses (4–10) and a set of controls (Annex A) that have to be demonstrably in place, not just described. This page breaks down what those requirements actually are at a structural level. For step-by-step depth on any individual piece, the linked pages below go further than this overview is meant to.
The ISMS Core: Six Requirement Areas
Every certified organization has to address six components of the ISMS, mapped to specific clauses of the standard:
Leadership and governance (Clause 5). Top management has to demonstrably commit to the ISMS — approving policy, assigning roles, and reviewing performance — not just delegate it to a security team and sign off once. This is one of the most common stage 1 audit gaps: governance that exists on paper but has no evidence of leadership actually engaging with it.
Risk management (Clause 6). A formal risk assessment methodology, a documented risk treatment plan, and a Statement of Applicability justifying every Annex A control decision — included or excluded. For the mechanics of running this, see Conducting an ISO 27001 Risk Assessment.
Policies and procedures (Clause 7, Annex A organizational controls). Documented information covering security policy, access control, incident response, and several other domains — with version control, ownership, and review cadence, not just the document text itself. Building ISO 27001 Policies with Templates covers what each policy needs to contain to survive audit scrutiny.
Internal audits (Clause 9.2). A required, recurring check of the ISMS's own effectiveness — independent of whoever implemented the controls being audited. Running an ISO 27001 Internal Audit covers how to structure this so it surfaces real gaps rather than rubber-stamping existing controls.
Management reviews (Clause 9.3). Distinct from Clause 5 leadership commitment — this is a structured, periodic review of ISMS performance, audit results, and risk changes, with documented decisions and action items.
Corrective actions (Clause 10). A systematic process for closing nonconformities, including root cause analysis and verification that the fix actually worked — not just that a finding was logged.
Together, these six areas form the operating system the rest of ISO 27001 runs on. Annex A's 93 controls are what you implement; Clauses 4–10 are how you manage and prove it. For the full breakdown of what each clause requires, see Exploring ISO 27001 Clauses 4–10, and for how the ISMS scope itself gets defined before any of this work starts, see Understanding the ISO 27001 ISMS.
Mandatory Documents and Records
Beyond the six requirement areas, ISO 27001 specifies documentation that auditors will ask for by name:
Information security policy
Statement of Applicability, mapping every Annex A control to an implementation decision
Risk assessment methodology and treatment plan
Evidence of competence and awareness — training records and role-based security awareness documentation under Clause 7.2/7.3
Internal audit results and management review minutes
Records of corrective actions, including root cause and closure evidence
These documents matter less for their existence than for what they prove: that the six requirement areas above aren't theoretical. A Statement of Applicability with no corresponding evidence trail, or audit results with no follow-up corrective actions, reads as a management system that exists on paper but not in practice — which is exactly what stage 2 audits are designed to catch.
If you want a working checklist format for these requirements rather than a narrative breakdown, see ISO 27001 Compliance Checklist Essentials.
Continuous Improvement Isn't Optional
ISO 27001 certification isn't a one-time achievement — Clause 10 makes continual improvement a standing requirement, verified at annual surveillance audits. A risk assessment frozen at the certification date, or policies that haven't been reviewed since, are themselves nonconformities regardless of how compliant the original implementation was. Maintaining ISO 27001 Compliance Year-Round covers what ongoing compliance actually requires between audit cycles.
This continuous-improvement structure isn't unique to ISO 27001 — it overlaps substantially with SOC 2 and PCI DSS, and supports the evolving obligations under GDPR and HIPAA. Organizations managing multiple frameworks often find that ISO 27001's ISMS structure becomes the backbone the others attach to, rather than a parallel, separate effort.