What are the key requirements of ISO 27001?

Information security isn’t just a technology problem. It’s a business risk – and increasingly, it’s a board-level responsibility. 

Customers, partners, and procurement teams are asking harder questions about how organisations protect sensitive data. ISO 27001 provides a framework for answering them. 

But what does it actually require? 

What ISO 27001 is – and what it isn’t 

ISO 27001 is the internationally recognised standard for information security management systems (ISMS). It’s not a technical checklist or a fixed set of controls. It’s a management system standard – one that focuses on how an organisation identifies its risks, makes decisions about managing them, and continually improves its approach over time. 

Two organisations can hold ISO 27001 certification while operating very different systems, because the standard is designed to be proportionate and risk-based, not one-size-fits-all. 

The mandatory requirements 

The standard is built around a set of clauses that every organisation seeking certification must demonstrate conformance with: 

  • Context – understanding the internal and external environment, the expectations of interested parties, and the scope of the ISMS. 
  • Leadership – visible commitment from top management, a clear information security policy, and defined roles and responsibilities. 
  • Planning – identifying and assessing information security risks, deciding how to treat them, and setting security objectives. 
  • Support – the resources, competence, awareness, and communication needed to operate the ISMS. 
  • Operation – implementing the risk treatment plan and managing day-to-day security processes. 
  • Performance evaluation – monitoring, internal audits, and management reviews. 
  • Improvement – responding to nonconformities and driving continual improvement. 

Risk assessment 

Risk is at the heart of ISO 27001. Organisations must establish a systematic process for identifying threats, vulnerabilities, and the potential consequences of a breach – and then document how they’ve chosen to respond. Every decision must be justified. 

This is what makes the standard meaningful. It requires organisations to think clearly about what they’re protecting and what a proportionate response looks like.

Annex A and the statement of applicability 

Annex A lists 93 controls across four themes: organisational, people, physical, and technological. Organisations aren’t required to implement every control – but they must consider each one and document their decisions in a Statement of Applicability (SoA). 

Where controls are excluded, there must be a justification. Where they’re included, there must be evidence of effective implementation.  

Leadership isn’t optional 

One of the most common misconceptions about ISO 27001 is that it’s an IT function. It isn’t. The standard requires genuine leadership engagement – top management must take accountability for the ISMS, not delegate it entirely. A well-documented system managed in isolation by an IT team is unlikely to satisfy the requirement. 

People are often the greatest information security risk, and the standard recognises that. Workforce awareness, training, and clear accountability are explicit requirements, not optional extras. 

It doesn’t end at certification 

Certified organisations are expected to monitor performance, conduct internal audits, and respond meaningfully to incidents. Surveillance audits – typically annual – assess whether the ISMS continues to meet requirements. Recertification occurs every three years. 

The standard doesn’t eliminate risk. No framework can. But it provides a structured, evidence-based approach to managing it – and that’s increasingly what customers, regulators, and boards expect. 

Citation Certification delivers accredited certification services against ISO 27001 and a range of other internationally recognised standards.
