Purpose
How to use this page
Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.
This map keeps the ISO/IEC 27001 requirement view separate from the implementer and auditor views.
Map
| ISO 27001 area | Requirement view | Implementer view | Auditor view | Risk view |
|---|---|---|---|---|
| Context | Define organization, interested parties, scope | Build scope statement and requirements register | Verify scope is justified and reflected in operation | Establish risk context |
| Leadership | Demonstrate commitment, policy, roles | Assign ownership and approve policy | Verify accountability and management involvement | Assign risk/control ownership |
| Planning | Address risks/opportunities, objectives, treatment | Define risk method, risk register, SoA, objectives | Verify risk method, treatment, and SoA consistency | Identify, analyze, evaluate, treat risk |
| Support | Provide resources, competence, awareness, communication, documented information | Build competence, awareness, communication, document control | Verify records and awareness | Communicate and document risk |
| Operation | Plan and control ISMS processes and risk work | Operate risk assessment/treatment and controls | Verify operation records and changes | Operate the risk process |
| Performance evaluation | Monitor, measure, audit, review | Define metrics, internal audit, management review | Verify audit and review effectiveness | Monitor and review risk |
| Improvement | Handle nonconformity and continual improvement | Run corrective action and lessons learned | Verify correction and effectiveness | Feed risk reassessment |
| Annex A | Reference controls for risk treatment | Implement selected controls | Test control design and operation | Risk treatment library |
Related notes
- Iso27001
- Mapping
- Implementer guide
- Auditor guide
Note Metadata
Aliases: ISO 27001 Requirement Map
Source: 10 ISO 27001 Knowledge Base/ISO 27001 Requirements to Implementation and Audit Map.md