This knowledge base contains expanded study notes for ISO/IEC 27001 and ISO/IEC 27002.
It is built for four uses:
- Exam review — concise cues, common traps, and comparison tables.
- ISMS implementation — practical guidance, ownership models, templates, and control examples.
- Audit preparation — evidence lists, interview questions, and internal audit checklists.
- Risk management mapping — ISO/IEC 27005-style risk logic connected to implementation, audit evidence, and control selection.
Main navigation
- Standards Roadmap
- ISO 27001 Overview
- ISO 27001 Knowledge Base MOC
- ISO 27002 Knowledge Base MOC
- ISO 27005 Knowledge Base MOC
- ISO 27001 Implementer Guide MOC
- ISO 27001 Auditor Guide MOC
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- GRC Knowledge Model MOC
- ISO 27001 Clauses 4-10 vs Annex A
- ISO27002 Control Attributes
- A.5 Organizational Controls MOC
- Exam Cues
- Audit Evidence Index
- Templates MOC
Covered so far
Fundamentals
- Field of Application, Usage, and Compliance
- ISO 27001 Clauses 4-10 vs Annex A
- Annex A and the Statement of Applicability
- Statement of Applicability
- Information Security Policy
- Roles and Responsibilities
- Segregation of Duties
- Management Responsibilities
- Access Control
- ISO27002 Control Attributes
- Control Attributes and Risk Treatment Effects
Guide layers
- Standards Roadmap
- 16 Week ISO Study Plan
- ISO 27001 Knowledge Base MOC
- ISO 27002 Knowledge Base MOC
- ISO 27005 Knowledge Base MOC
- ISO 27001 Implementer Guide MOC
- ISMS Implementation Roadmap
- A.5 Organizational Controls Implementation Guide
- ISO 27001 Auditor Guide MOC
- Internal Audit Execution Guide
- A.5 Organizational Controls Audit Guide
- ISO 27005 Risk Management Guide MOC
- ISO 27005 Risk Process Notes
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- A.5 Controls Implementation Audit Risk Mapping
- GRC Knowledge Model MOC
- Asset Threat Vulnerability Risk Control Evidence Data Model
Reference examples
- ISO27001-A.5.7-Threat-Intelligence
- RISK-0001-Customer-Data-Compromise-Ransomware
- AQ-0001-Audit-Question-Threat-Intelligence
Annex A.5 Organizational controls
- A.5.1 Policies for Information Security
- A.5.2 Information Security Roles and Responsibilities
- A.5.3 Segregation of Duties
- A.5.4 Management Responsibilities
- A.5.5 Contact with Authorities
- A.5.6 Contact with Special Interest Groups
- A.5.7 Threat Intelligence
- A.5.8 Information Security in Project Management
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.10 Acceptable Use of Information and Other Associated Assets
- A.5.11 Return of Assets
- A.5.12 Classification of Information
- A.5.13 Labelling of Information
- A.5.14 Information Transfer
- A.5.15 Access Control
- A.5.16 Identity Management
- A.5.17 Authentication Information
- A.5.18 Access Rights
- A.5.19 Information Security in Supplier Relationships
- A.5.20 Addressing Information Security Within Supplier Agreements
- A.5.21 Managing Information Security in the ICT Supply Chain
- A.5.22 Monitoring, Review and Change Management of Supplier Services
- A.5.23 Information Security for Use of Cloud Services
- A.5.24 Information Security Incident Management Planning and Preparation
Exam and quiz notes
Note style
Each control note follows this pattern where possible:
# ISO 27001 A.x.x - Control Name
## Requirement## Plain-language meaning## Why this matters## Implementation guidance## Audit guidance## Evidence examples## Common failures## Exam traps## KB-ready summary## Templates and checklistsCopyright-safe note policy
These notes paraphrase and explain the material instead of reproducing long passages from standards or course content. Exact control wording is kept brief where provided in the study material.
- Iso27001
- Isms
- Moc
Note Metadata
Aliases: Start Here
Source: 00 Start Here.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Annex A and the Statement of Applicability
- Control Attributes and Risk Treatment Effects
- Field of Application, Usage, and Compliance
- ISO 27001 Clauses 4-10 vs Annex A
- ISO27002 Control Attributes
- Roles and Responsibilities
- Statement of Applicability
- ISO 27001 A.5.1 - Policies for Information Security
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.3 - Segregation of Duties
- ISO 27001 A.5.4 - Management Responsibilities
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.6 - Contact with Special Interest Groups
- ISO 27001 A.5.7 - Threat Intelligence
- ISO 27001 A.5.8 - Information Security in Project Management
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- Common Exam Traps
- Exam Cues
- Quiz Review - Control Attributes and Compliance
- AQ-ISO27001-A.5.7 Threat Intelligence
- A.5 Organizational Controls Implementation Guide
- ISMS Implementation Roadmap
- ISO 27001 Implementer Guide
- RISK-0001 Customer Data Compromise Due to Ransomware Campaign
- A.5 Organizational Controls Audit Guide
- Internal Audit Execution Guide
- ISO 27001 Auditor Guide
- ISO27001-A.5.7 Threat Intelligence
- ISO 27005 Risk Management Guide
- ISO 27005 Risk Process Notes
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- ISO 27001 Knowledge Base
- ISO 27002 Knowledge Base
- ISO 27005 Knowledge Base
- Asset Threat Vulnerability Risk Control Evidence Data Model
- GRC Knowledge Model
- Audit Evidence Index
- ISO 27001 Overview
- Templates MOC