UnixTime

Research Note

ISO 27001 Clauses 4-10 vs Annex A

1. Clauses 4-10 — mandatory ISMS management-system requirements. 2. Annex A controls — a reference set of information security controls used for risk treatment and the Statement...

On this page

Core idea

ISO/IEC 27001 has two major parts you need to distinguish:

  1. Clauses 4-10 — mandatory ISMS management-system requirements.
  2. Annex A controls — a reference set of information security controls used for risk treatment and the Statement of Applicability.

The most important exam point:

Clauses 4-10 cannot be excluded. Annex A controls can be selected or excluded based on risk, but exclusions must be justified.

Clauses 4-10

Clause What it covers Can it be excluded?
Clause 4 Context of the organization, interested parties, scope, ISMS No
Clause 5 Leadership, policy, roles, responsibilities, authority No
Clause 6 Planning, risks and opportunities, risk assessment, risk treatment, objectives No
Clause 7 Support, resources, competence, awareness, communication, documented information No
Clause 8 Operation, operational planning and control, risk assessment and treatment operation No
Clause 9 Performance evaluation, monitoring, internal audit, management review No
Clause 10 Improvement, nonconformity, corrective action, continual improvement No

What “cannot be excluded” means

An organization cannot say:

  • “Top management is not involved.”
  • “We do not need an ISMS scope.”
  • “We do not perform risk assessment.”
  • “We do not maintain documented information.”
  • “We do not conduct internal audits.”
  • “We do not perform management reviews.”
  • “We do not manage corrective actions.”

Those are mandatory management-system requirements.

Annex A controls

Annex A controls are different. They are used to support risk treatment and to avoid missing important control areas.

The organization must consider Annex A, but it does not automatically have to implement every control.

For each Annex A control, the organization should be able to explain:

  • selected or not selected;
  • applicable or not applicable;
  • justification;
  • implementation status;
  • link to risks, legal requirements, contractual requirements, or business needs.

This is documented in the Statement of Applicability.

Practical example

A cloud-only SaaS company might decide that a control related to physical data center operations is not directly applicable because it does not operate physical data centers. That exclusion may be acceptable if:

  • the organization has assessed the related risk;
  • the cloud provider’s responsibilities are understood;
  • supplier controls are in place;
  • the Statement of Applicability explains the decision;
  • residual risk is accepted by accountable management.

The same organization cannot exclude internal audit, risk assessment, or management review. Those are Clause 4-10 requirements.

Good compliance evidence

Requirement area Evidence
Context and scope Scope statement, interested party analysis
Leadership Approved policy, management commitment records
Risk planning Risk methodology, risk register
Support competence/training records, communication records
Operation risk assessment results, risk treatment plan
Performance evaluation monitoring results, internal audit records, management review minutes
Improvement corrective actions, nonconformity records
Annex A decisions Statement of Applicability

Common exam traps

Trap Correct answer
“All Annex A controls are mandatory.” No. Controls are selected through risk treatment and justified in the SoA.
“Clauses 4-10 can be excluded if not relevant.” No. Exclusion is not acceptable.
“ISO 27002 is used for accredited certification.” No. ISO 27001 is the certifiable requirements standard.
“No external audit means no internal audit is needed.” No. Internal audit is mandatory for compliance.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

Clauses 4-10 define the mandatory ISMS requirements and cannot be excluded. Annex A is a control reference set used to support risk treatment. Annex A controls may be marked applicable or not applicable, but the decision must be justified in the Statement of Applicability and supported by risk assessment and risk treatment evidence.