What this section is about
This topic explains who the guide is for, how ISO/IEC 27001 and ISO/IEC 27002 relate to each other, and what it means to claim compliance with ISO/IEC 27001.
The main audience includes people involved in:
- designing, implementing, or maintaining an Information Security Management System;
- preparing for ISMS audits and assessments;
- carrying out internal ISMS audits;
- auditing or assessing other organizations.
ISO/IEC 27001 vs ISO/IEC 27002
| Standard | Purpose | Practical use |
|---|---|---|
| ISO/IEC 27001 | Requirements specification for an ISMS | Used for compliance and accredited certification |
| ISO/IEC 27002 | Guidance for selecting and implementing controls | Used to understand and implement commonly accepted security controls |
ISO/IEC 27001 tells you what the ISMS must satisfy.
ISO/IEC 27002 helps explain how controls may be implemented.
Compliance with ISO/IEC 27001
To claim compliance, an organization needs to show that:
- required ISMS processes are in place;
- objective evidence supports the compliance claim;
- information security risks have been assessed;
- risk treatment decisions have been made and documented;
- selected controls are justified;
- controls excluded or marked not applicable are justified;
- residual risks have been knowingly accepted by accountable management.
A compliance claim is not based on intention. It needs evidence.
Key rule
Excluding any of the requirements specified in Clauses 4-10 of ISO/IEC 27001 is not acceptable.
This means an organization cannot remove mandatory ISMS requirements such as:
- defining the ISMS context and scope;
- demonstrating leadership commitment;
- planning risk assessment and treatment;
- providing resources and documented information;
- operating the ISMS;
- evaluating ISMS performance;
- conducting internal audits;
- conducting management reviews;
- managing nonconformities and improvement.
See ISO 27001 Clauses 4-10 vs Annex A.
Annex A controls are different
Annex A controls are selected through risk assessment and risk treatment. A control can be marked not applicable, but only when the decision is justified and documented in the Statement of Applicability.
That is different from Clauses 4-10, which are mandatory ISMS management-system requirements.
Internal audit is mandatory
Even if the organization does not pursue third-party certification, an internal ISMS audit process is mandatory for ISO/IEC 27001 compliance.
The organization may choose not to seek certification, but it cannot claim conformity while skipping the internal audit requirement.
Practical mentor note
Do not confuse these three things:
| Item | Can it be excluded? | Notes |
|---|---|---|
| ISO/IEC 27001 Clauses 4-10 | No | Mandatory ISMS requirements |
| Annex A controls | Potentially yes | Non-applicability must be justified through risk treatment and SoA |
| ISO/IEC 27002 guidance | Not a certification checklist | Guidance for implementation and control interpretation |
Audit perspective
An auditor will expect the organization to provide objective evidence for claims, including:
- ISMS scope;
- policies;
- risk assessment methodology and results;
- risk treatment plan;
- Statement of Applicability;
- internal audit records;
- management review records;
- evidence of control operation;
- nonconformity and corrective action records;
- risk acceptance approvals.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it is a problem |
|---|---|
| Claiming compliance without internal audit | Internal audit is part of the mandatory ISMS requirements |
| Treating Annex A as automatically mandatory | Annex A is risk-based, not a universal checklist |
| Excluding a Clause 4-10 requirement | Not permitted |
| Excluding Annex A controls without justification | Weak SoA and risk treatment evidence |
| Management accepting risk informally | Risk acceptance needs accountable and objective approval |
| Policies exist but are not implemented | Documents alone do not prove control effectiveness |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
-
Trap: “An organization can exclude ISO 27001 requirements that do not apply.”
Correction: Clauses 4-10 cannot be excluded. -
Trap: “Annex A controls are all mandatory for certification.”
Correction: Annex A controls are selected based on risk and justified through the SoA. -
Trap: “Third-party certification is required to be compliant.”
Correction: Third-party certification may not be required, but internal audit is mandatory. -
Trap: “ISO 27002 is the certifiable standard.”
Correction: ISO 27001 is certifiable; ISO 27002 is guidance.
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
ISO/IEC 27001 defines the requirements for an ISMS and is used for compliance and certification. ISO/IEC 27002 provides guidance for implementing controls. Clauses 4-10 of ISO/IEC 27001 are mandatory and cannot be excluded. Annex A controls are risk-based and may be excluded only with documented justification in the Statement of Applicability. Objective evidence is required to support compliance claims.
- Iso27001
- Isms
- Compliance
- Audit
Note Metadata
Aliases: Field of Application, Usage and Compliance
Source: 01 Fundamentals/Field of Application, Usage, and Compliance.md
Related Notes
- ISO27001 ISMS KB - Start Here
- Information Security Management System
- Internal Audit
- ISO 27001 Clauses 4-10 vs Annex A
- Statement of Applicability
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.7 - Threat Intelligence
- ISMS Implementation Roadmap
- ISO 27005 Risk Process Notes
- ISO 27001 Knowledge Base
- Authority Contact Register
- ISO 27001 Overview