Core idea
ISO/IEC 27001 has two major parts you need to distinguish:
- Clauses 4-10 — mandatory ISMS management-system requirements.
- Annex A controls — a reference set of information security controls used for risk treatment and the Statement of Applicability.
The most important exam point:
Clauses 4-10 cannot be excluded. Annex A controls can be selected or excluded based on risk, but exclusions must be justified.
Clauses 4-10
| Clause | What it covers | Can it be excluded? |
|---|---|---|
| Clause 4 | Context of the organization, interested parties, scope, ISMS | No |
| Clause 5 | Leadership, policy, roles, responsibilities, authority | No |
| Clause 6 | Planning, risks and opportunities, risk assessment, risk treatment, objectives | No |
| Clause 7 | Support, resources, competence, awareness, communication, documented information | No |
| Clause 8 | Operation, operational planning and control, risk assessment and treatment operation | No |
| Clause 9 | Performance evaluation, monitoring, internal audit, management review | No |
| Clause 10 | Improvement, nonconformity, corrective action, continual improvement | No |
What “cannot be excluded” means
An organization cannot say:
- “Top management is not involved.”
- “We do not need an ISMS scope.”
- “We do not perform risk assessment.”
- “We do not maintain documented information.”
- “We do not conduct internal audits.”
- “We do not perform management reviews.”
- “We do not manage corrective actions.”
Those are mandatory management-system requirements.
Annex A controls
Annex A controls are different. They are used to support risk treatment and to avoid missing important control areas.
The organization must consider Annex A, but it does not automatically have to implement every control.
For each Annex A control, the organization should be able to explain:
- selected or not selected;
- applicable or not applicable;
- justification;
- implementation status;
- link to risks, legal requirements, contractual requirements, or business needs.
This is documented in the Statement of Applicability.
Practical example
A cloud-only SaaS company might decide that a control related to physical data center operations is not directly applicable because it does not operate physical data centers. That exclusion may be acceptable if:
- the organization has assessed the related risk;
- the cloud provider’s responsibilities are understood;
- supplier controls are in place;
- the Statement of Applicability explains the decision;
- residual risk is accepted by accountable management.
The same organization cannot exclude internal audit, risk assessment, or management review. Those are Clause 4-10 requirements.
Good compliance evidence
| Requirement area | Evidence |
|---|---|
| Context and scope | Scope statement, interested party analysis |
| Leadership | Approved policy, management commitment records |
| Risk planning | Risk methodology, risk register |
| Support | competence/training records, communication records |
| Operation | risk assessment results, risk treatment plan |
| Performance evaluation | monitoring results, internal audit records, management review minutes |
| Improvement | corrective actions, nonconformity records |
| Annex A decisions | Statement of Applicability |
Common exam traps
| Trap | Correct answer |
|---|---|
| “All Annex A controls are mandatory.” | No. Controls are selected through risk treatment and justified in the SoA. |
| “Clauses 4-10 can be excluded if not relevant.” | No. Exclusion is not acceptable. |
| “ISO 27002 is used for accredited certification.” | No. ISO 27001 is the certifiable requirements standard. |
| “No external audit means no internal audit is needed.” | No. Internal audit is mandatory for compliance. |
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
Clauses 4-10 define the mandatory ISMS requirements and cannot be excluded. Annex A is a control reference set used to support risk treatment. Annex A controls may be marked applicable or not applicable, but the decision must be justified in the Statement of Applicability and supported by risk assessment and risk treatment evidence.
- Iso27001
- ISO27002
- Isms
- Annex a
- Certification
- Exam
Note Metadata
Aliases: Clauses 4-10, Mandatory ISMS Clauses
Source: 01 Fundamentals/ISO 27001 Clauses 4-10 vs Annex A.md
Related Notes
- ISO27001 ISMS KB - Start Here
- Annex A and the Statement of Applicability
- Field of Application, Usage, and Compliance
- Information Security Management System
- Statement of Applicability
- ISO 27001 Clause 10 - Improvement
- ISO 27001 Clause 4 - Context of the Organization
- ISO 27001 Clause 5 - Leadership
- ISO 27001 Clause 6 - Planning
- ISO 27001 Clause 7 - Support
- ISO 27001 Clause 8 - Operation
- ISO 27001 Clause 9 - Performance Evaluation
- A.5 Organizational Controls MOC
- ISO 27001 Implementer Guide
- EXAM-001 - Clauses 4-10 vs Annex A
- ISO 27001 Knowledge Base
- Exam Cues Index
- ISO 27001 Overview