
ISO 27001 clauses 4 to 10 explained

The requirements of ISO 27001 are set out in clauses 4 to 10. In brief: clause 4 (context) and 5 (leadership) lay the foundation, 6 (planning) covers risks and objectives, 7 (support) covers resources and awareness, 8 (operation) covers how things work, 9 (evaluation) covers measuring and auditing, and 10 (improvement) covers making adjustments. Together they form the PDCA cycle of your ISMS.

Clause 4 — Context of the organisation

Determine what is relevant to your information security: internal and external factors, interested parties (clients, regulators) and the scope of the ISMS. This is the foundation; an incorrectly defined scope comes back to haunt the entire audit.

Clause 5 — Leadership

Senior management must be visibly involved: establishing policy, assigning roles and responsibilities and freeing up resources. Information security that is purely "IT's job" does not meet this clause.

Clause 6 — Planning

The heart of the standard: the risk assessment and treatment, plus measurable objectives. This is also where the Statement of Applicability takes shape, linking risks to Annex A controls.

Clause 7 — Support

Provide resources, competent people, awareness, communication and documented information. Awareness is not a one-off training but an ongoing process.

Clause 8 — Operation

The controls run in practice: processes are carried out and risk treatments are applied. This is the "Do" where the auditor looks for the most evidence.

Clause 9 — Performance evaluation

Measuring, monitoring, internal audit and management review. Here you demonstrate that you check whether it works — and this clause features heavily in every audit.

[Figure: the ISO 27001 audit process in five steps: define the scope, document review, interviews and sampling, findings report, improvement plan and follow-up]

Clause 10 — Improvement

Correcting non-conformities, removing root causes and continually improving the ISMS. Without demonstrable follow-up of findings, the cycle is not complete.

ISO/IEC 27001 — official standard page (ISO).

Frequently asked questions

Clauses 1 to 3 contain the scope, normative references and terms; these are not requirements. The actual, auditable requirements begin at clause 4 (context) and run through to clause 10 (improvement). That is why auditors speak of 'the requirements of clauses 4 to 10'.

Clauses 4 to 10 describe the requirements for the management system (how you steer and improve information security). Annex A is a list of 93 concrete controls from which you choose based on your risks. The clauses form the system; Annex A provides the building blocks.

No clause stands alone, but clause 6 (risks and SoA), 8 (operation) and 9 (internal audit and management review) often receive the most attention. There you demonstrate that the system is risk-driven, works in practice and is evaluated and adjusted.
