ISO 27001 Implementation Guide: ISMS Scope, Risk Assessment, Annex A Controls, and Certification
ISO 27001 is the global benchmark for information security management system (ISMS) certification. Unlike point-in-time security assessments, ISO 27001 certification validates that an organization has established a systematic process for identifying risks, selecting controls, implementing them, and continually improving security posture. The 2022 revision modernized the control set from 114 controls in 14 domains to 93 controls in 4 themes, adding new controls for threat intelligence, cloud security, data masking, and physical security monitoring.
ISO 27001 certification is increasingly required in procurement processes for enterprise customers in Europe and Asia-Pacific, defense contractor supply chains, and regulated industry vendor agreements. It is also functionally compatible with other compliance frameworks: CIS publishes crosswalk tables from ISO 27001:2022 to CIS Controls v8, and NIST publishes informative-reference mappings to the NIST CSF and SP 800-53. An organization that achieves ISO 27001 certification has covered much of the substance of other frameworks, but each framework retains requirements of its own, so the remaining work is mapping existing evidence to those requirements rather than building a second program. This guide covers the complete implementation path from ISMS scope definition through first certification.
ISO 27001 Structure: Clauses and Annex A
ISO 27001 has two parts: the mandatory clauses (4 through 10) that define ISMS requirements, and Annex A, which lists 93 controls that the organization must consider but may exclude with documented justification.
Mandatory clauses:
- Clause 4 (Context): Understanding the organization's context, stakeholders, and ISMS scope
- Clause 5 (Leadership): Top management commitment, information security policy, roles and responsibilities
- Clause 6 (Planning): Risk assessment process, risk treatment plan, information security objectives
- Clause 7 (Support): Resources, competence, awareness, communication, documented information
- Clause 8 (Operation): Implementing the risk treatment plan, operational planning and control
- Clause 9 (Performance Evaluation): Monitoring, measurement, internal audit, management review
- Clause 10 (Improvement): Nonconformity and corrective action, continual improvement
All clause requirements are mandatory. An ISMS that fails to satisfy even one mandatory clause requirement cannot receive certification, regardless of how many Annex A controls are implemented.
Annex A controls (ISO 27001:2022 structure): The 93 controls are organized into four themes:
- A.5 Organizational controls (37 controls): policies, roles, threat intelligence, supply chain security, incident management
- A.6 People controls (8 controls): screening, terms of employment, awareness, disciplinary process, offboarding
- A.7 Physical controls (14 controls): physical security, clear desk, equipment security, disposal
- A.8 Technological controls (34 controls): access control, authentication, encryption, vulnerability management, logging, network security
New controls in the 2022 revision (11 additions): Threat intelligence (A.5.7), information security for cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28). The other 82 controls are 2013 controls that were renamed, merged, or updated, so a 2013-era SoA cannot be carried forward by appending these eleven rows; every control has to be re-mapped to its 2022 identifier.
Statement of Applicability: The Statement of Applicability (SoA) is the mandatory document that lists all 93 Annex A controls, states whether each is applicable to your ISMS scope, provides justification for exclusions, and documents the current implementation status of each included control. The SoA is the central evidence document for certification audits.
Defining the ISMS Scope
The ISMS scope defines which assets, processes, locations, and organizational units are included in the certification. Scope definition is one of the most consequential decisions in an ISO 27001 implementation because it determines audit effort, certification cost, and the organizational breadth of required controls.
Scope options:
Full organizational scope: All information assets, all departments, all locations. Highest certification credibility; highest implementation and audit cost. Appropriate for organizations seeking to demonstrate enterprise-wide security posture to customers.
Product or service scope: A specific product line, service, or system with defined boundaries. Example: "The development, operation, and support of the [Product Name] SaaS platform and associated customer data." Limits scope to the systems and people directly involved in the product. Appropriate for SaaS companies seeking certification for a specific customer-facing product.
Geographic or departmental scope: Specific offices or business units. Appropriate for multi-national organizations certifying a specific region or business division that faces specific regulatory requirements.
Defining scope boundaries: ISO 27001 Clause 4.3 requires that the scope consider:
- Internal and external issues relevant to the organization's purpose
- Requirements of interested parties (customers, regulators, partners)
- Interfaces and dependencies with other organizational units outside scope
Interfaces with out-of-scope systems must be documented. If your in-scope product relies on HR systems managed by an out-of-scope department, the connection must be identified and the security controls at that interface must be addressed.
Common scoping mistakes: Scoping too broadly increases certification effort without proportional benefit: a startup with 50 employees attempting enterprise-wide certification will spend more time on documentation and audit preparation than on actual security improvement. Scoping too narrowly may not satisfy customer requirements: if a customer requires that their data processing environment is covered, excluding the production database infrastructure from scope will not satisfy their requirement.
Risk Assessment: ISO 27005 Methodology
ISO 27001 Clause 6.1 requires a documented risk assessment process. The standard does not prescribe a specific methodology, but ISO 27005:2022 provides the risk management framework that most practitioners use.
Risk assessment steps:
Step 1: Establish risk criteria Define what constitutes an acceptable risk level for the organization. Establish likelihood and impact scales (typically 1-5 or 1-3 for each) and the risk matrix that combines them. Document the risk acceptance criteria: risks scoring above a defined threshold must be treated; risks scoring below may be accepted.
Step 2: Asset inventory Identify all information assets within the ISMS scope: information assets (databases, documents, IP), software assets (applications, systems), hardware assets, services (cloud services, utilities), and people. Document the asset owner, custodian, and business impact if the asset were compromised.
Step 3: Threat and vulnerability identification For each asset, identify applicable threats (unauthorized access, malware infection, data exfiltration, natural disaster, hardware failure) and vulnerabilities (unpatched software, weak authentication, inadequate access controls). The annexes of ISO 27005 include example threat catalogs (the annex numbering changed between the 2018 and 2022 editions), and ENISA's threat landscape reports provide current threat actor data. ISO 27005:2022 also describes an event-based approach that starts from risk scenarios rather than an asset list; either approach is acceptable to an auditor as long as the documented method is applied consistently.
Step 4: Risk analysis Calculate risk scores by combining likelihood and impact. Likelihood reflects both threat probability and vulnerability severity. Impact reflects the CIA (confidentiality, integrity, availability) consequences of the threat materializing. Document risk scores for each asset-threat combination.
Step 5: Risk evaluation and treatment For risks above the acceptance threshold, select a treatment option:
- Risk modification (implement controls to reduce likelihood or impact)
- Risk avoidance (discontinue the activity that creates the risk)
- Risk sharing (transfer risk via insurance or contract)
- Risk retention (accept the risk with documented justification)
For risks treated by control implementation, record which Annex A controls (or custom controls, where Annex A has no fit) implement the treatment. Clause 6.1.3 then requires comparing the selected controls against Annex A to confirm that no necessary control has been omitted; the result of that comparison, together with the justification for every control left out, is what populates the SoA.
Risk assessment frequency: ISO 27001 Clause 8.2 requires risk assessments at planned intervals and when significant changes occur. Annual risk assessment is the standard minimum; assessments should also be triggered by significant infrastructure changes, security incidents, new product launches, and changes in the threat landscape.
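The five steps above and the SoA requirement from the Annex A section can be wired together in a short script. This is an added worked example, not code from the guide or from any certification body: the 5x5 scales, the acceptance threshold of 8, the Annex A identifiers chosen for the sample risks, and the sample register and exclusions are all assumptions for illustration. The point it adds to the prose is the two checks at the end, which flag the findings auditors raise most often: a retained risk above the threshold with no justification, and an excluded control with no justification (or one that a treated risk still relies on).

```python
"""Risk scoring, treatment selection and draft Statement of Applicability.

Added illustration for this guide, not a tool from the text. The 5x5
scale, the acceptance threshold and the sample register are assumptions.
"""
from dataclasses import dataclass

# Annex A of ISO 27001:2022: A.5 (37), A.6 (8), A.7 (14), A.8 (34) = 93 controls.
ANNEX_A = (
    [f"A.5.{i}" for i in range(1, 38)]
    + [f"A.6.{i}" for i in range(1, 9)]
    + [f"A.7.{i}" for i in range(1, 15)]
    + [f"A.8.{i}" for i in range(1, 35)]
)
SCALE = range(1, 6)        # assumed 1-5 likelihood and impact scales
ACCEPT_THRESHOLD = 8       # assumed criterion: score > 8 must be treated
TREATMENTS = {"modify", "avoid", "share", "retain"}   # ISO 27005 options


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    treatment: str
    controls: tuple = ()      # Annex A controls selected when treatment == "modify"
    justification: str = ""   # required when retaining a risk above the threshold

    def score(self) -> int:
        """Step 4: likelihood x impact, after validating the scales."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood/impact must be in 1..5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.asset}: unknown treatment {self.treatment!r}")
        return self.likelihood * self.impact

    def must_treat(self) -> bool:
        """Step 5: risk evaluation against the documented acceptance criterion."""
        return self.score() > ACCEPT_THRESHOLD


def build_soa(risks, exclusions):
    """Draft SoA: every Annex A control, its applicability, the justification
    for any exclusion, and the treated risks that rely on it."""
    soa = {c: {"applicable": True, "justification": "", "risks": []} for c in ANNEX_A}
    for r in risks:
        if r.treatment != "modify":
            continue
        for c in r.controls:
            if c not in soa:
                raise ValueError(f"{r.asset}: {c} is not an Annex A control id")
            soa[c]["risks"].append(f"{r.asset}/{r.threat}")
    for c, why in exclusions.items():
        if c not in soa:
            raise ValueError(f"exclusion {c} is not an Annex A control id")
        soa[c]["applicable"] = False
        soa[c]["justification"] = why.strip()
    return soa


def audit_findings(risks, soa):
    """The checks an auditor makes on the register and the SoA."""
    findings = []
    for r in risks:
        if r.must_treat() and r.treatment == "retain" and not r.justification:
            findings.append(f"{r.asset}: score {r.score()} retained without justification")
        if r.treatment == "modify" and not r.controls:
            findings.append(f"{r.asset}: treatment 'modify' names no controls")
    for c, e in soa.items():
        if not e["applicable"] and not e["justification"]:
            findings.append(f"{c}: excluded without justification")
        if not e["applicable"] and e["risks"]:
            findings.append(f"{c}: excluded but relied on by {', '.join(e['risks'])}")
    return findings


# Constructed sample register; the assets, scores and control choices are assumptions.
SAMPLE_RISKS = [
    Risk("customer-db", "data exfiltration", 4, 5, "modify",
         controls=("A.5.18", "A.8.3", "A.8.5", "A.8.16")),
    Risk("build-server", "exploitation of unpatched software", 3, 4, "modify",
         controls=("A.8.8",)),
    Risk("legacy-ftp", "credential capture in transit", 3, 3, "avoid",
         justification="service decommissioned; replaced by SFTP"),
    Risk("office-laptops", "theft", 2, 3, "retain"),            # 6 <= threshold, acceptable
    Risk("hr-export", "accidental disclosure", 3, 4, "retain"),  # 12, needs justification
]
SAMPLE_EXCLUSIONS = {
    "A.7.4": "No physical premises in scope; all staff remote, infrastructure cloud-hosted",
    "A.8.23": "",   # exclusion with no justification: the auditor will flag this
}


def run_sample():
    soa = build_soa(SAMPLE_RISKS, SAMPLE_EXCLUSIONS)
    return soa, audit_findings(SAMPLE_RISKS, soa)


if __name__ == "__main__":
    soa, findings = run_sample()
    for r in SAMPLE_RISKS:
        print(f"{r.asset:15} score={r.score():2} must_treat={r.must_treat()} -> {r.treatment}")
    print("excluded:", [c for c, e in soa.items() if not e["applicable"]])
    for f in findings:
        print("FINDING:", f)
```

Running it on the constructed register prints the score and treatment for each risk, the two excluded controls, and two findings (the retained `hr-export` risk and the unjustified `A.8.23` exclusion). In a real ISMS the register and the SoA live in whatever document-control platform you use; the value of a script like this is that the same checks can run on every export before the internal audit, so exclusions without justification never reach the Stage 1 reviewer.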
Mandatory Documentation Checklist
ISO 27001 requires specific documented information as evidence that the ISMS is implemented and operating. Missing mandatory documents will result in nonconformities during the certification audit.
Mandatory documents (ISO 27001:2022 clause references; the Annex A items are required wherever the corresponding control is marked applicable in the SoA):
- ISMS Scope (Clause 4.3): Document defining the scope boundaries, context, and interfaces
- Information Security Policy (Clause 5.2): Top-level policy approved by leadership, available to all employees
- Risk Assessment Process (Clause 6.1.2): Documented methodology for risk identification, analysis, and evaluation
- Risk Treatment Process (Clause 6.1.3): Methodology for selecting and implementing controls
- Statement of Applicability (Clause 6.1.3): All 93 Annex A controls with applicability decisions and justifications
- Risk Treatment Plan (Clause 6.1.3): Specific actions, owners, and deadlines for treating identified risks
- Information Security Objectives (Clause 6.2): Measurable objectives aligned to the security policy
- Evidence of Competence (Clause 7.2): Training records, certifications, qualifications for ISMS-relevant roles
- Risk Assessment Results (Clause 8.2): The completed risk register from each assessment run
- Risk Treatment Results (Clause 8.3): Evidence that the risk treatment plan was carried out
- Asset Inventory (Annex A.5.9): Register of all in-scope information assets with owners
- Acceptable Use Policy (Annex A.5.10): Rules for employee use of information assets
- Access Control Policy (Annex A.5.15): Principles governing access provisioning and review
- Incident Management Procedure (Annex A.5.24-5.28): Documented incident response process
- Information Security Continuity and ICT Readiness Plans (Annex A.5.29-5.30): Procedures for maintaining security during disruption and recovering critical ICT services
- Monitoring and Measurement Results (Clause 9.1): Records of the metrics used to evaluate ISMS performance and control effectiveness
- Internal Audit Program and Results (Clause 9.2): Audit schedule and findings documentation
- Management Review Records (Clause 9.3): Minutes documenting leadership review of ISMS performance
- Corrective Action Records (Clause 10.2): Documentation of identified nonconformities and resolution
Document control requirements: All mandatory documents must be version-controlled, dated, have an approved owner, and be accessible to personnel who need them. Document management platforms (Confluence, SharePoint, Vanta, Drata) support these requirements. Physical binder-based document control is still permissible but creates significant overhead.
Internal Audit, Management Review, and Certification Audit
ISO 27001 Clause 9 requires that the ISMS be subject to regular internal audit and management review before certification. These are not optional activities; auditors will request evidence of both.
Internal audit requirements: Conduct at least one complete internal audit of the ISMS before the Stage 2 certification audit. The internal audit must cover all clauses and applicable Annex A controls. Internal auditors must be independent from the area being audited (an employee can audit departments they are not responsible for). Document: the audit plan, audit criteria, audit scope, auditor names and independence declarations, findings, and corrective actions raised.
Common internal audit findings: The findings most frequently cited in pre-certification internal audits are: risk assessment documentation that does not demonstrate the required methodology, Statement of Applicability exclusions without adequate justification, missing evidence that information security objectives are being monitored and measured, and access review records that do not cover all in-scope systems.
Management review: ISO 27001 Clause 9.3 requires that top management review the ISMS at planned intervals. The management review must address: status of actions from previous reviews, changes in external and internal issues, ISMS performance (audit results, nonconformities, KPIs), risk assessment results, and opportunities for continual improvement. Document the review in meeting minutes with date, attendees, agenda, and decisions.
Certification audit: Stage 1 and Stage 2:
Stage 1 (document review, typically 1-2 days): The certification auditor reviews your ISMS documentation to determine readiness for Stage 2. They review mandatory documents against clause requirements, identify documentation gaps, and confirm that all Annex A control exclusions in the SoA are justified. Stage 1 typically results in either a Stage 2 readiness confirmation or a list of issues to address before Stage 2.
Stage 2 (on-site audit, typically 2-5 days depending on scope): The auditor evaluates whether the ISMS is implemented and operating effectively through interviews with personnel, review of records and evidence, and testing of selected controls. The auditor will interview employees at multiple levels: management, IT staff, HR, finance, and operations. Prepare staff for interviews by briefing them on the ISMS, their role in it, and the types of questions to expect.
Post-certification: ISO 27001 certification is issued for 3 years. Surveillance audits (typically 1 day) occur annually in years 1 and 2 to verify the ISMS is maintained. A full recertification audit occurs in year 3. Maintain the ISMS continuously. The standard only requires "planned intervals", but a cadence that reliably avoids surveillance-audit nonconformities is: run the risk assessment annually, conduct internal audits twice per year, hold management reviews at least quarterly, and close corrective actions promptly rather than leaving them open until the next audit.
The bottom line
ISO 27001:2022 certification is achievable for organizations of any size with a structured 12 to 18 month implementation program. The implementation sequence: define scope, establish the risk assessment methodology, conduct the risk assessment and build the SoA, implement missing controls against the risk treatment plan, produce mandatory documents, conduct internal audit and management review, then proceed to Stage 1 and Stage 2 certification audits. Use the ISO 27001 to CIS Controls crosswalk to align existing security programs to Annex A requirements before investing in new controls. The SoA is the document that ties everything together and is the primary artifact the auditor evaluates.
Frequently asked questions
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 specifies the requirements for an ISMS and is the certifiable standard; organizations are certified against ISO 27001. ISO 27002 is the companion guideline that provides implementation guidance for the 93 Annex A controls listed in ISO 27001; it explains how to implement each control but organizations are not certified against ISO 27002 directly. ISO 27001 tells you what controls to consider; ISO 27002 tells you how to implement them.
How much does ISO 27001 certification cost?
Certification costs depend on organization size, scope, and certification body. Certification audit fees typically range from $15,000 to $50,000 for a mid-size organization. Internal implementation costs (staff time, consultant fees, tool purchases) typically add $50,000 to $200,000 in the first year. Annual surveillance audit fees are typically 30 to 40 percent of the initial certification audit fee. Compliance automation platforms (Vanta, Drata, Tugboat Logic) reduce documentation overhead and can cut internal implementation time by 30 to 50 percent.
What changed between ISO 27001:2013 and ISO 27001:2022?
The 2022 revision reorganized Annex A from 114 controls in 14 domains to 93 controls in 4 themes. Eleven new controls were added addressing threat intelligence, cloud security, configuration management, data masking, web filtering, and secure coding. The mandatory clauses (4-10) were updated with minor wording changes aligned to the ISO Harmonized Structure used by other management system standards. Organizations certified to ISO 27001:2013 had until October 2025 to transition to the 2022 version.
Does ISO 27001 satisfy GDPR requirements?
ISO 27001 certification does not guarantee GDPR compliance, but it overlaps substantially with the "appropriate technical and organisational measures" requirement of GDPR Article 32. An ISO 27001-certified organization has implemented a systematic approach to risk assessment and information security controls that is strong evidence of Article 32 compliance. GDPR also imposes privacy obligations (data subject rights, DPO appointment where required, 72-hour breach notification to the supervisory authority) that ISO 27001 does not address on its own; ISO 27701 (Privacy Information Management System) is the privacy extension that maps more directly to those requirements.
Can a small company get ISO 27001 certified?
Yes. ISO 27001 is scalable by scope definition. A 10-person startup can achieve certification for its core product with a focused scope, manageable documentation, and a 6 to 9 month implementation. The audit duration and cost scale with scope breadth, not organization size per se. Many small SaaS companies pursue ISO 27001 with scopes covering only their product infrastructure and the handful of employees who manage it, resulting in Stage 2 audits of 1 to 2 days.
What is the Statement of Applicability and why is it important?
The Statement of Applicability is the mandatory document that addresses all 93 ISO 27001:2022 Annex A controls, declaring each as applicable or not applicable to the ISMS scope, providing justification for any exclusions, and documenting the current implementation status of each included control. It is important because it is the primary artifact auditors use to evaluate whether the organization has considered all controls and made informed decisions about which to implement. Weak SoA exclusion justifications are a common cause of audit findings.
Founder & Cybersecurity Evangelist, Decryption Digest