ISO 27001 is a widely respected standard for data security used to demonstrate your organization's strong security posture to prospects, customers, partners, and other stakeholders. The core of ISO 27001 compliance is a comprehensive evaluation of the requirements pertaining to your information security management system (ISMS).
In this guide, we’ll cover what the ISO 27001 requirements are, how they are laid out, and how you can get started on your ISO 27001 certification.
What are the ISO 27001 certification requirements?
The ISO 27001 framework is designed to guide organizations in establishing a robust ISMS and demonstrate confidence to interested parties that information security risks are adequately managed. The standard contains a concrete set of requirements that your business must meet to pass the audit and get ISO 27001 certified.
There are a total of four clauses in the ISO 27001 framework which are referred to as themes and contain the requirements for the certification.
These include:
- Clause 5: Organizational controls (37 controls)
- Clause 6: People controls (8 controls)
- Clause 7: Physical controls (14 controls)
- Clause 8: Technological controls (34 controls)
{{cta_withimage1}}
List of ISO 27001 requirements
Now, we’ll cover the details of the four clauses (ISO 27001 clauses 5-8) that list out the ISO 27001 certification requirements.
Clause 5: Organizational controls
ISO 27001 acknowledges a set of general organizational controls which include requirements around:
- Policies for information security
- Information security roles and responsibilities
- Segregation of duties
- Contact with authorities and special interest groups
- Threat intelligence
- Information security in project management
- Acceptable use of assets
- Classification, labeling, and transfer of information
- Access controls, identity management, and authentication information
- Third-party risk management
- Information security incident handling
- Protection of PII, records, and IP rights
Clause 6: People controls
ISO 27001 also covers general people controls which include requirements around:
- Employee screening, terms and conditions of employment, and disciplinary processes
- Information security awareness, education, and training
- Confidentiality agreements, remote working, and reporting information security events
Clause 7: Physical controls
Physical controls under ISO 27001 can include a myriad of requirements that are sometimes not applicable, especially for remote-first companies and those leveraging cloud infrastructure:
- Physical security of entry points, perimeters, rooms, offices, and facilities
- Protection against physical and environmental threats
- Security of assets on-site and off-site along with storage media
- Protection of cables and utilities along with secure disposal and re-use of equipment
Clause 8: Technological controls
As one of the more detailed ISO 27001 requirements, Clause 8 requires your organization to provide numerous items to be compliant, with controls around:
- Endpoint devices and local software
- Privileged access rights to information, source code, and systems
- Secure authentication and authorization
- Capacity and configuration management
- Technical vulnerabilities
- Data masking, leakage, backups, and deletion
- Audit logging and monitoring
- Network devices, segregation of networks, and the security of network services
- Web filtering, use of cryptography, and specific application security requirements
- Secure system architecture and secure coding principles
- Change management and development, test, and production environments and data
ISO 27001 requirements vs. Annex A
In addition to the requirements listed in the ISO 27001 framework, there is also a second portion to the standard called Annex A.
The ISO 27001 clauses serve more as a guiding framework than a prescriptive list of to-dos. Annex A provides a list of controls and suggested approaches to help you meet the required clauses in ISO 27001. However, Annex A is a catalog of normative controls; pick and choose only those controls that are relevant to your ISMS.
Crush your ISO 27001 certification with Vanta
With Vanta’s trust management platform, you can streamline your ISO 27001 certification process. Here’s what an automated ISO 27001 can look like:
- Connect your infrastructure to the Vanta platform with our 300+ built-in integrations.
- Assess your risk holistically from one unified view.
- Identify areas of non-compliance with in-platform notifications.
- Get a checklist of actions to help you make the needed changes.
- Automate evidence collection and centralize all your documents in one place.
- Find a Vanta-vetted auditor within the platform.
- Complete your ISO 27001 certification in half the time.
By using Vanta, you can save your business valuable time and money during your ISO 27001 audit process. Learn how you can get your ISO 27001 certification faster by requesting a demo.
{{cta_testimonial2}}
ISO 27001 requirements
Your comprehensive guide to the ISO 27001 requirements
ISO 27001 requirements
ISO 27001 is a widely respected standard for data security used to demonstrate your organization's strong security posture to prospects, customers, partners, and other stakeholders. The core of ISO 27001 compliance is a comprehensive evaluation of the requirements pertaining to your information security management system (ISMS).
In this guide, we’ll cover what the ISO 27001 requirements are, how they are laid out, and how you can get started on your ISO 27001 certification.
What are the ISO 27001 certification requirements?
The ISO 27001 framework is designed to guide organizations in establishing a robust ISMS and demonstrate confidence to interested parties that information security risks are adequately managed. The standard contains a concrete set of requirements that your business must meet to pass the audit and get ISO 27001 certified.
There are a total of four clauses in the ISO 27001 framework which are referred to as themes and contain the requirements for the certification.
These include:
- Clause 5: Organizational controls (37 controls)
- Clause 6: People controls (8 controls)
- Clause 7: Physical controls (14 controls)
- Clause 8: Technological controls (34 controls)
{{cta_withimage1}}
List of ISO 27001 requirements
Now, we’ll cover the details of the four clauses (ISO 27001 clauses 5-8) that list out the ISO 27001 certification requirements.
Clause 5: Organizational controls
ISO 27001 acknowledges a set of general organizational controls which include requirements around:
- Policies for information security
- Information security roles and responsibilities
- Segregation of duties
- Contact with authorities and special interest groups
- Threat intelligence
- Information security in project management
- Acceptable use of assets
- Classification, labeling, and transfer of information
- Access controls, identity management, and authentication information
- Third-party risk management
- Information security incident handling
- Protection of PII, records, and IP rights
Clause 6: People controls
ISO 27001 also covers general people controls which include requirements around:
- Employee screening, terms and conditions of employment, and disciplinary processes
- Information security awareness, education, and training
- Confidentiality agreements, remote working, and reporting information security events
Clause 7: Physical controls
Physical controls under ISO 27001 can include a myriad of requirements that are sometimes not applicable, especially for remote-first companies and those leveraging cloud infrastructure:
- Physical security of entry points, perimeters, rooms, offices, and facilities
- Protection against physical and environmental threats
- Security of assets on-site and off-site along with storage media
- Protection of cables and utilities along with secure disposal and re-use of equipment
Clause 8: Technological controls
As one of the more detailed ISO 27001 requirements, Clause 8 requires your organization to provide numerous items to be compliant, with controls around:
- Endpoint devices and local software
- Privileged access rights to information, source code, and systems
- Secure authentication and authorization
- Capacity and configuration management
- Technical vulnerabilities
- Data masking, leakage, backups, and deletion
- Audit logging and monitoring
- Network devices, segregation of networks, and the security of network services
- Web filtering, use of cryptography, and specific application security requirements
- Secure system architecture and secure coding principles
- Change management and development, test, and production environments and data
ISO 27001 requirements vs. Annex A
In addition to the requirements listed in the ISO 27001 framework, there is also a second portion to the standard called Annex A.
The ISO 27001 clauses serve more as a guiding framework than a prescriptive list of to-dos. Annex A provides a list of controls and suggested approaches to help you meet the required clauses in ISO 27001. However, Annex A is a catalog of normative controls; pick and choose only those controls that are relevant to your ISMS.
Crush your ISO 27001 certification with Vanta
With Vanta’s trust management platform, you can streamline your ISO 27001 certification process. Here’s what an automated ISO 27001 can look like:
- Connect your infrastructure to the Vanta platform with our 300+ built-in integrations.
- Assess your risk holistically from one unified view.
- Identify areas of non-compliance with in-platform notifications.
- Get a checklist of actions to help you make the needed changes.
- Automate evidence collection and centralize all your documents in one place.
- Find a Vanta-vetted auditor within the platform.
- Complete your ISO 27001 certification in half the time.
By using Vanta, you can save your business valuable time and money during your ISO 27001 audit process. Learn how you can get your ISO 27001 certification faster by requesting a demo.
{{cta_testimonial2}}
Your checklist to ISO 27001 certification
Need to get ISO certified but not sure where to start? This guide walks you through the steps to get ISO 27001 compliant.
Your checklist to ISO 27001 certification
Need to get ISO certified but not sure where to start? This guide walks you through the steps to get ISO 27001 compliant.
Your checklist to ISO 27001 certification
Need to get ISO certified but not sure where to start? This guide walks you through the steps to get ISO 27001 compliant.
You want to be compliant every day, not just once a year. Vanta helps you achieve this without slowing your business down.”
Giuseppe Ciotta, VP of Engineering | Belvo
Explore more ISO 27001 articles
Introduction to ISO 27001
ISO 27001 requirements
Preparing for an ISO 27001 audit
Streamlining ISO 27001 compliance
Understanding ISO differences
Get started with ISO 27001
Start your ISO 27001 journey with these related resources.
The ISO 27001 Compliance Checklist
ISO 27001 is the global gold standard for ensuring the security of information and its supporting assets. Obtaining ISO 27001 certification can help an organization prove its security practices to potential customers anywhere in the world.
ISO 27001 Compliance for SaaS
On 10 October at 2 PM BST, join the Ask Me (Almost) Anything with Herman Errico and Kim Elias, compliance experts at Vanta. They’ll answer (almost) all your questions about ISO 27001 compliance.
ISO 27001 vs. SOC 2: Which standard is right for my business?
Complying with security standards such as ISO 27001 or SOC 2 can help boost your business, but for technology startups, security compliance is often lower on the list of company priorities.
