UnixTime

Research Note

Field of Application, Usage, and Compliance

This topic explains who the guide is for, how ISO/IEC 27001 and ISO/IEC 27002 relate to each other, and what it means to claim compliance with ISO/IEC 27001.

On this page

What this section is about

This topic explains who the guide is for, how ISO/IEC 27001 and ISO/IEC 27002 relate to each other, and what it means to claim compliance with ISO/IEC 27001.

The main audience includes people involved in:

  • designing, implementing, or maintaining an Information Security Management System;
  • preparing for ISMS audits and assessments;
  • carrying out internal ISMS audits;
  • auditing or assessing other organizations.

ISO/IEC 27001 vs ISO/IEC 27002

Standard Purpose Practical use
ISO/IEC 27001 Requirements specification for an ISMS Used for compliance and accredited certification
ISO/IEC 27002 Guidance for selecting and implementing controls Used to understand and implement commonly accepted security controls

ISO/IEC 27001 tells you what the ISMS must satisfy.

ISO/IEC 27002 helps explain how controls may be implemented.

Compliance with ISO/IEC 27001

To claim compliance, an organization needs to show that:

  • required ISMS processes are in place;
  • objective evidence supports the compliance claim;
  • information security risks have been assessed;
  • risk treatment decisions have been made and documented;
  • selected controls are justified;
  • controls excluded or marked not applicable are justified;
  • residual risks have been knowingly accepted by accountable management.

A compliance claim is not based on intention. It needs evidence.

Key rule

Excluding any of the requirements specified in Clauses 4-10 of ISO/IEC 27001 is not acceptable.

This means an organization cannot remove mandatory ISMS requirements such as:

  • defining the ISMS context and scope;
  • demonstrating leadership commitment;
  • planning risk assessment and treatment;
  • providing resources and documented information;
  • operating the ISMS;
  • evaluating ISMS performance;
  • conducting internal audits;
  • conducting management reviews;
  • managing nonconformities and improvement.

See ISO 27001 Clauses 4-10 vs Annex A.

Annex A controls are different

Annex A controls are selected through risk assessment and risk treatment. A control can be marked not applicable, but only when the decision is justified and documented in the Statement of Applicability.

That is different from Clauses 4-10, which are mandatory ISMS management-system requirements.

Internal audit is mandatory

Even if the organization does not pursue third-party certification, an internal ISMS audit process is mandatory for ISO/IEC 27001 compliance.

The organization may choose not to seek certification, but it cannot claim conformity while skipping the internal audit requirement.

Practical mentor note

Do not confuse these three things:

Item Can it be excluded? Notes
ISO/IEC 27001 Clauses 4-10 No Mandatory ISMS requirements
Annex A controls Potentially yes Non-applicability must be justified through risk treatment and SoA
ISO/IEC 27002 guidance Not a certification checklist Guidance for implementation and control interpretation

Audit perspective

An auditor will expect the organization to provide objective evidence for claims, including:

  • ISMS scope;
  • policies;
  • risk assessment methodology and results;
  • risk treatment plan;
  • Statement of Applicability;
  • internal audit records;
  • management review records;
  • evidence of control operation;
  • nonconformity and corrective action records;
  • risk acceptance approvals.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it is a problem
Claiming compliance without internal audit Internal audit is part of the mandatory ISMS requirements
Treating Annex A as automatically mandatory Annex A is risk-based, not a universal checklist
Excluding a Clause 4-10 requirement Not permitted
Excluding Annex A controls without justification Weak SoA and risk treatment evidence
Management accepting risk informally Risk acceptance needs accountable and objective approval
Policies exist but are not implemented Documents alone do not prove control effectiveness

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • Trap: “An organization can exclude ISO 27001 requirements that do not apply.”
    Correction: Clauses 4-10 cannot be excluded.

  • Trap: “Annex A controls are all mandatory for certification.”
    Correction: Annex A controls are selected based on risk and justified through the SoA.

  • Trap: “Third-party certification is required to be compliant.”
    Correction: Third-party certification may not be required, but internal audit is mandatory.

  • Trap: “ISO 27002 is the certifiable standard.”
    Correction: ISO 27001 is certifiable; ISO 27002 is guidance.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

ISO/IEC 27001 defines the requirements for an ISMS and is used for compliance and certification. ISO/IEC 27002 provides guidance for implementing controls. Clauses 4-10 of ISO/IEC 27001 are mandatory and cannot be excluded. Annex A controls are risk-based and may be excluded only with documented justification in the Statement of Applicability. Objective evidence is required to support compliance claims.