ISO 27001 clauses explained

ISO 27001 has 11 clauses, numbered 0 to 10.

Clauses 0-3 (introduction, scope, normative references, terms and definitions) are introductory and contain no auditable requirements.
Clauses 4-10 contain the mandatory requirements; an organization that wants to be certified must implement all of them (unlike the Annex A controls, none of these clauses can be excluded).

The ISO 27001 clauses are best implemented using the PDCA (Plan, Do, Check, Act) cycle.

Clauses 4-7 form the Plan phase
Clause 8 is the Do phase
Clause 9 is the Check phase
Clause 10 is the Act phase

Clause 4 Context of the Organization.

This is the start of the Plan phase. The organization must identify the internal and external issues relevant to its purpose, and the needs and expectations of interested parties (customers, regulators, partners, employees), that affect its ability to achieve the intended outcomes of the information security management system (ISMS). The scope of the ISMS must then be defined by stating its boundaries, and the scope must be available as documented information.

Clause 5 Leadership

It defines what is required of top management. Top management must demonstrate leadership and commitment to the ISMS, establish an information security policy that is communicated within the organization, and assign and communicate the responsibilities and authorities for the roles relevant to information security. It must also ensure that the resources the ISMS needs are available.

Clause 6 Planning

Still part of the Plan phase of the PDCA cycle. It addresses the risks and opportunities of the ISMS and sets the requirements for the risk assessment and risk treatment processes. The risk assessment process covers risk identification (risks associated with the loss of confidentiality, integrity, and availability of information), risk analysis, and risk evaluation against defined risk acceptance criteria. The risk treatment process selects the treatment options, determines the controls needed to implement them, compares those controls with Annex A to produce the Statement of Applicability, and records a risk treatment plan. The information security objectives, and the plans to achieve them, are outlined and documented.

Clause 7 Support

It deals with the resources needed to establish, implement, maintain, and continually improve the ISMS. This includes the competence of the people doing work under the organization's control: competence must be determined, achieved through training or other actions, and evidenced by documented information. All personnel must be aware of the information security policy, their contribution to the effectiveness of the ISMS, and the implications of not conforming to its requirements. Under the communication requirements of this clause, the organization determines what is communicated, when, with whom, and by whom, so that communication stays under its control. Finally, the documented information required by the ISMS must be created, updated, and controlled.

Clause 8 Operation of Information Security Management System (ISMS)

This is the Do (execution) phase, in which the procedures and preparations established in the previous clauses are carried out. It is subdivided into three subclauses.

  • Operational planning and control. The organization plans, implements, and controls the processes needed to meet its information security requirements and to implement the actions determined in clause 6. Planned changes are controlled, the consequences of unintended changes are reviewed, and outsourced processes are kept under control.
  • Information security risk assessments. Risk assessments are performed at planned intervals and whenever significant changes are proposed or occur, and their results are retained as documented information. The standard does not prescribe a rating scale; a typical five-level severity scale that an organization might define is level 5 catastrophic, level 4 critical, level 3 marginal, level 2 minor, and level 1 negligible.
  • Information security risk treatment. The risk treatment plan is implemented to bring the unacceptable risks found during the risk assessment down to an acceptable level, and the results of the treatment are retained as documented information.

Clause 9 Performance Evaluation

This is the Check phase of the PDCA cycle. It covers monitoring and measurement, internal audit, and management review of the ISMS. Monitoring, measurement, analysis, and evaluation determine whether the ISMS is performing as intended after its implementation. Internal audits at planned intervals and management reviews must be in place to ensure that the ISMS remains suitable, adequate, and effective.

Clause 10 Improvement

This is the Act phase of the PDCA cycle. Nonconformity and corrective action require the organization to react to each nonconformity, correct it, evaluate the need for action to eliminate its cause so that it does not recur, and retain documented evidence of the nonconformity and the action taken. Continual improvement requires the organization to keep improving the suitability, adequacy, and effectiveness of the ISMS.
