Most teams chasing ISO 27001 spend ninety percent of their energy on Annex A. They build a control matrix, argue about whether they need a clear-desk policy, and treat the rest of the standard as a cover sheet.
Then the auditor shows up and spends the first day on clauses 4 through 10, and the team realizes the part they treated as boilerplate is the part being certified.
The certificate on your wall says you run an Information Security Management System. The ISMS is not your firewall config or your access-review cadence. It is the management system described in clauses 4 to 10: how you set scope, assess risk, decide what controls apply, run audits, and fix what breaks. Annex A is a menu you select from. Clauses 4-10 are the machine that does the selecting and keeps it honest.
This is an operator's walk-through of that machine. Every clause requirement below is paraphrased from ISO/IEC 27001:2022 in my own words; pull the standard itself for exact wording.
What is the ISMS, and why do Clauses 4-10 matter more than the Annex A controls?
Annex A is a reference list of controls. The standard is explicit that it is a possible set, not exhaustive, and that you are meant to check your chosen controls against it to confirm you have not missed anything obvious. You can add controls from any source. You can exclude Annex A controls you can justify excluding.
That word "justify" is the whole game, and the justification lives in clauses 4-10, not in Annex A.
The management-system clauses define the operating loop:
- Clause 4 sets the boundary of what you are protecting.
- Clause 5 puts leadership and a policy on the hook.
- Clause 6 runs the risk assessment and treatment that decides which controls you need.
- Clause 7 supplies competence, awareness, and document control.
- Clause 8 turns the plan into operation.
- Clause 9 measures it through monitoring, internal audit, and management review.
- Clause 10 closes the loop with corrective action and continual improvement.
An auditor who finds a missing Annex A control writes a minor finding. An auditor who finds your risk assessment does not actually drive your control selection writes a major nonconformity against clause 6, because the engine that is supposed to produce your controls is not running. That is the difference in weight.
How do you set ISMS scope and boundaries under Clause 4 (context, interested parties, scope)?
Clause 4 asks four things, and skipping the first two is where most scoping work quietly fails.
First, you determine the external and internal issues relevant to your purpose that affect whether the ISMS can achieve its intended outcome. In plain terms: what is going on around you and inside you that bears on information security. Regulatory pressure, a cloud migration, a recent acquisition, staff turnover in your security team. Write it down, because clause 6 planning reads back from it.
Second, you identify the interested parties relevant to the ISMS, their relevant requirements, and which of those requirements you will address. Interested parties include customers, regulators, and contractual counterparties. The standard notes that their requirements can include legal, regulatory, and contractual obligations. This is the clause where your regulatory obligations formally enter the ISMS instead of living in a separate compliance spreadsheet.
Third, you determine the boundaries and applicability to establish the ISMS scope, considering those issues, those interested-party requirements, and the interfaces and dependencies between what you do and what other organizations do on your behalf. The scope must exist as documented information.
Fourth, you establish, implement, maintain, and continually improve the ISMS itself.
Here is the gotcha that costs companies their certificate scope. Teams draw the boundary to exclude the messy part: "the ISMS covers the SaaS platform but not corporate IT." Fine, until the auditor asks how the SaaS platform authenticates engineers, and the answer routes through the corporate identity provider you scoped out. The interfaces-and-dependencies requirement exists precisely to catch this. If a dependency crosses your boundary, you either pull it inside the scope or you document and control the interface. A scope statement that ignores a real dependency is not a tighter scope. It is a gap with a certificate.
What does Clause 5 actually demand from leadership, the policy, and assigned roles?
Clause 5 is short and it is where auditors test whether the ISMS is real or theater.
Leadership and commitment (5.1) makes top management responsible for specific, checkable things: that the policy and objectives align with strategic direction, that ISMS requirements are integrated into business processes, that resources are available, and that the system achieves its intended outcomes. "Top management was unaware" is not a defense under this clause. It is a finding.
The policy (5.2) must be appropriate to the organization, include or frame the information security objectives, commit to satisfying applicable requirements, and commit to continual improvement. It has to be documented, communicated internally, and available to interested parties as appropriate. A two-page policy nobody has read since the last audit fails the "communicated" test the moment an auditor interviews an engineer who has never seen it.
Roles and responsibilities (5.3) require top management to assign and communicate the authority for two things in particular: ensuring the ISMS conforms to the standard, and reporting ISMS performance back up to top management. Name people, not the "security team."
The failure mode here is the policy that commits to continual improvement while no mechanism produces improvement. The auditor will trace that commitment forward to clause 10 and ask to see the corrective actions. If the loop is empty, the policy was a promise you did not keep.
How do Clause 6 risk assessment, risk treatment, and the Statement of Applicability connect?
This is the heart of the standard. Clause 6 is where risk assessment and risk treatment produce your controls, and where most of the real audit time is spent.
The risk assessment process (6.1.2) has to do specific work, in order:
- Establish and maintain risk criteria, including risk acceptance criteria and the criteria for when you run assessments. Define what "acceptable" means before you start scoring, not after.
- Produce consistent, valid, and comparable results on repetition. Two assessors running the same method should land in the same place.
- Identify risks to confidentiality, integrity, and availability for information within the ISMS scope, and identify a risk owner for each.
- Analyze each risk: assess the consequences if it materialized, assess the realistic likelihood, and determine the risk level.
- Evaluate risks against your criteria and prioritize them for treatment.
You retain documented information about the process.
Risk treatment (6.1.3) then runs:
- Select treatment options based on the assessment results.
- Determine all controls necessary to implement the chosen options. The standard says you can design controls or take them from any source, not only Annex A.
- Compare your necessary controls against Annex A and confirm you have not omitted any necessary control. Annex A is the cross-check, not the starting point.
- Produce a Statement of Applicability.
- Formulate a risk treatment plan.
- Get risk owners to approve the plan and accept the residual risks.
The Statement of Applicability is the artifact auditors live in. It lists your necessary controls, the justification for including each, whether each is implemented, and the justification for excluding any Annex A control. The direction of travel matters: risk assessment determines treatment, treatment determines necessary controls, and the SoA records the result with the Annex A cross-check applied. If your SoA reads like the Annex A list with "applicable / not applicable" ticked next to each item and no line back to a risk, you built it backwards and a competent auditor will see it in two minutes.
The exclusion column is the single most common place to fail. "We exclude this control because it does not apply to us" is not a justification. "We exclude physical entry controls for data-center facilities because all production runs in a cloud provider whose facility controls we govern through the supplier-management process, evidenced by their current attestation" is a justification. Every exclusion you cannot defend by tracing to a risk decision and a residual-risk acceptance is a finding waiting to happen.
What does Clause 7 require for competence, awareness, communication, and documented information?
Clause 7 is the support layer. It is unglamorous and it is where audits get won or lost on evidence.
Resources (7.1): determine and provide what the ISMS needs to be established, run, maintained, and improved.
Competence (7.2): determine the competence needed for people whose work affects security performance, ensure they have it through education, training, or experience, take action to close gaps, and retain documented evidence of competence. "We assume the senior engineer knows" does not produce the evidence this clause asks for.
Awareness (7.3): people working under your control must be aware of the policy, their contribution to the ISMS, and the implications of not conforming. This is broader than your security team. A contractor with system access is in scope.
Communication (7.4): determine what to communicate about the ISMS, when, with whom, and how. Internal and external.
Documented information (7.5) has three parts that trip teams up. You keep the documents the standard requires plus those you decide you need (7.5.1). You control creation and updating, so documents carry identification, format, and review-and-approval (7.5.2). And you control the documents themselves: availability, protection, distribution, access, version control, retention, and disposal (7.5.3). The classic finding is a current policy that exists in three versions across three drives with no controlled source. That is a 7.5.3 nonconformity regardless of how good the policy text is.
How do Clauses 8-9 turn the plan into operation, internal audit, and management review?
Clause 8 is operation. You plan, implement, and control the processes needed to meet your requirements and carry out the clause 6 actions, with documented information sufficient to have confidence the processes ran as planned. You control planned changes and review the consequences of unintended ones. You control externally provided processes relevant to the ISMS.
Two specific operational duties matter. Clause 8.2 requires you to perform risk assessments at planned intervals or when significant changes are proposed or occur. Clause 8.3 requires you to implement the risk treatment plan and retain the results. Risk assessment is not a one-time certification artifact. It is a recurring operation triggered by both the calendar and by change.
Clause 9 measures whether any of this is working.
Monitoring and measurement (9.1): determine what to monitor and measure, the methods, when, who, and when and by whom results get analyzed, with documented evidence. Then evaluate ISMS performance and effectiveness.
Internal audit (9.2): conduct internal audit and management review at planned intervals. Internal audit checks whether the ISMS conforms to your own requirements and to the standard, and whether it is effectively implemented and maintained. You plan and maintain an audit programme covering frequency, methods, responsibilities, and reporting, informed by process importance and previous audit results. For each audit you define criteria and scope, select auditors and run the audit to ensure objectivity and impartiality, and report results to relevant management.
The independence gotcha lives in that objectivity-and-impartiality requirement. Your firewall admin cannot audit the firewall controls they operate. In a small team that means you trade audits across domains, bring in an internal auditor from another function, or use an external party. An internal audit performed by the owner of the thing being audited is not an internal audit. It is a self-review, and it does not satisfy 9.2.
Management review (9.3): top management reviews the ISMS at planned intervals for continuing suitability, adequacy, and effectiveness. The review has a defined input list. The inputs teams skip are the ones auditors check first: status of actions from previous reviews, changes in internal and external issues, changes in interested-party needs, performance feedback including trends in nonconformities and corrective actions, monitoring results, audit results, objective fulfilment, interested-party feedback, results of risk assessment and treatment status, and continual-improvement opportunities. The review results must include decisions on improvement opportunities and any needed ISMS changes, documented.
A management review that is a thirty-minute status meeting with no risk-assessment results, no audit results, and no decisions recorded is a clause 9.3 finding. The clause prescribes the agenda. Use it as your agenda.
How does Clause 10 close the loop with nonconformity, corrective action, and continual improvement?
Clause 10 is the feedback loop. Without it the rest of the system is open-loop, and an open-loop ISMS degrades between audits.
Continual improvement (10.1): you continually improve the suitability, adequacy, and effectiveness of the ISMS. Short clause, large expectation, and the clause 5 policy already committed you to it.
Nonconformity and corrective action (10.2) prescribes the response when something fails:
- React: control and correct the nonconformity and deal with its consequences.
- Evaluate whether you need to eliminate the cause so it does not recur or appear elsewhere, by reviewing the nonconformity, determining its causes, and determining whether similar nonconformities exist or could occur.
- Implement the action needed.
- Review the effectiveness of the corrective action.
- Change the ISMS if necessary.
Corrective actions have to be appropriate to the effects of the nonconformity, and you retain documented evidence of the nature of the nonconformities and the results of the corrective actions.
The failure mode is treating "correct it" as the whole job. You patched the box, closed the ticket, done. Clause 10.2 is explicit that reacting is step one and root-cause evaluation is a separate, required step. A corrective-action log full of fixes with no cause analysis and no effectiveness check is the most common clause 10 finding there is. The standard wants to know why it happened and whether your fix held, not just that you reacted.
What annual ISMS operating cadence keeps you continuously audit-ready?
The clauses describe a loop. Here is that loop as an operating calendar a security team can actually run. Treat it as a starting cadence and tighten intervals where your risk criteria demand it.
- Annually, set the frame (Clauses 4-5). Re-confirm context, interested parties, and their requirements. Re-read the scope against current dependencies and fix it if a dependency now crosses the boundary. Confirm the policy and objectives still match strategic direction. Reconfirm role assignments.
- At planned intervals and on significant change, run risk (Clause 6 / 8.2). Refresh the risk assessment against your criteria. Update treatment decisions. Drive the Statement of Applicability from those decisions, including any new exclusions and their justifications.
- Continuously, operate and evidence (Clause 8 / 7.5). Run the treatment plan. Keep documented information current and version-controlled so evidence is a lookup, not an archaeology project.
- Quarterly, measure (Clause 9.1). Monitor and measure the controls and processes you said you would, and retain the results.
- At least annually, audit independently (Clause 9.2). Run the internal audit programme with auditors independent of the area they audit. Report findings to management.
- At least annually, review at the top (Clause 9.3). Hold management review using the prescribed input list. Record decisions and required changes.
- Continuously, close the loop (Clause 10). Log every nonconformity, do root-cause evaluation, verify the corrective action held, and feed improvements back into the next cycle.
Run this loop and audit readiness stops being a quarter-long project. It becomes the state your evidence is already in.
That state is exactly what an integrated GRC platform should give you instead of a folder of spreadsheets. Map your ISO 27001 ISMS obligations to live evidence in one organizational profile at aegis-grc.com, so your Statement of Applicability, risk treatment plan, and audit pack are queries against current data rather than documents you reassemble every cycle. Risk binds to obligation, obligation binds to control, and the audit pack is a query, not a project. See the same approach applied to risk management and audit readiness.
FAQ: ISO 27001 management-system clauses
Are clauses 4-10 mandatory, or can I exclude some like I can with Annex A controls? Clauses 4-10 are the requirements and are not optional. You cannot exclude a management-system clause. Exclusions and justified non-applicability apply only to Annex A controls, which you select and exclude through the risk treatment process and record in the Statement of Applicability.
What is the difference between the Statement of Applicability and the risk treatment plan? The SoA is the register of necessary controls with inclusion justifications, implementation status, and the justification for any excluded Annex A control. The risk treatment plan is the actionable plan for implementing the chosen treatment options. The SoA records what applies and why; the plan records how and when you implement it. Risk owners approve the plan and accept the residual risk.
Does the internal auditor really have to be independent in a small team? The standard requires auditors to be selected and audits conducted to ensure objectivity and impartiality. In practice that means the person who operates a control cannot audit it. Small teams trade audits across domains, borrow an auditor from another function, or bring in an external party. A self-review by the control owner does not satisfy clause 9.2.
How often do I have to run the risk assessment? At planned intervals you define in your risk criteria, and additionally whenever significant changes are proposed or occur. It is a recurring operation under clause 8.2, not a one-time certification exercise. Many organizations run a full refresh annually with event-triggered reassessments on major changes.
What is the most common clause 10 audit finding? Treating correction as the whole corrective action. Teams fix the immediate issue and close the ticket without the required root-cause evaluation and effectiveness review. Clause 10.2 separates reacting from eliminating the cause, and expects documented evidence of both the nonconformity and the result of the corrective action.


