ISO 27001 Clauses 4-10 vs Annex A
1. Clauses 4-10 — mandatory ISMS management-system requirements. 2. Annex A controls — a reference set of information security controls used for risk treatment and the Statement...
ISO27001 domain with 41 resources grouped for implementation and audit work.
Domain guide
Study notes and control distinction cues for ISO 27001, ISO 27002, and ISO 27005 learning paths.
Guide + resources
Implementation context, reference notes, and explanatory material.
1. Clauses 4-10 — mandatory ISMS management-system requirements. 2. Annex A controls — a reference set of information security controls used for risk treatment and the Statement...
Control-level notes and control-domain references.
Research note.
Study notes and distinction cues for certification preparation.
- Screening must be lawful, ethical, proportional, and risk-based. - Screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope. - Candida...
A.6.3 Information Security Awareness Education and Training asks whether the right people receive the right security knowledge at the right time, with updates when things change.
- A.6.4 requires a formalized and communicated disciplinary process, not ad hoc manager action. - A.6.4 should be evidence-based, fair, consistent, and proportionate. - A.6.5 co...
- Remote working is broader than VPN or remote access. - Remote work controls include physical environment, endpoint, secure connection, access, asset inventory, user awareness,...
- A.7.1 is about defined and used security perimeters. - A.7.2 is about entry controls and access points for secure areas. - Physical controls protect confidentiality, integrity...
- A.7.3 is risk-based physical design for offices, rooms, and facilities. - A.7.3 includes avoiding visible clues to sensitive targets, such as server-room signs or exposed dire...
- A.7.5 is not just fire safety; it covers physical and environmental threats to infrastructure. - A.7.5 should link to risk assessment, specialist advice, and business continui...
- A.7.8 is broader than server room protection. - Equipment siting includes workstations, network devices, terminals, screens, communications equipment, and remote equipment. -...
- A.7.9 is not only remote access. It includes equipment, documents, data, software, paper, mobile devices, BYOD, custody, and return. - A.7.9 allows risk acceptance where off-s...
- A.7.11 is not only electricity. - UPS or generator existence is weak unless capacity, runtime, maintenance, and tests match documented requirements. - Cooling must be included...
- A.7.12 is not just tidy cable management; it covers interception, interference, and damage. - A.7.13 is not only availability; maintenance can expose data or introduce tamperi...
- A.8.1 is not just anti-malware or laptop encryption. - BYOD is in scope when it accesses organizational information. - VPN does not solve endpoint security by itself. - A.8.2...
- A.8.4 includes development tools and software libraries, not only Git repositories. - Read access to source code can still be sensitive because it reveals system design and co...
- Antivirus installation alone is not enough. - Malware risk is not limited to Windows endpoints. - User awareness is explicitly part of the control. - Automatic cleaning still...
- A.8.8 is not just scanning or patching. - Vulnerability remediation should be risk-based and verified by retest. - Penetration testing supplements vulnerability management; it...
- A.8.10 is not only physical media destruction. - Retention policy alone is weak without deletion evidence. - Items awaiting destruction still need protection. - Masking is not...
- DLP is not just a tool. - DLP requires knowing sensitive data and approved flows. - False positives affect DLP effectiveness. - Backup job success is not restore success. - Ba...
- A.8.14 does not require full redundancy for every system. - Backup is not the same as redundancy. - Cloud resilience still needs design and testing evidence. - A.8.15 is not o...
- Treating log collection as full monitoring. - Assuming vendor default detection rules are sufficient. - Treating every alert as an incident without triage. - Ignoring monitori...
- Treating developer skill as a substitute for production change control. - Assuming emergency production changes do not need records. - Treating licence and support checks as u...
- Treating provider service use as provider-owned risk. - Treating uptime SLAs as full network service security. - Treating perimeter firewalls as sufficient segregation. - Assu...
- Assuming encryption alone satisfies the control. - Ignoring key lifecycle management. - Treating public keys and certificates as needing no integrity protection. - Selecting s...
- Treating secure SDLC as only code scanning. - Treating acquired applications as outside application security requirements. - Treating architecture principles as generic slogan...
- Treating secure SDLC as identical to secure coding. - Treating automated tools as complete proof of secure coding. - Treating functional testing as security testing. - Leaving...
- Assuming a supplier contract alone satisfies outsourced development control. - Treating supplier security as fully delegated. - Accepting supplier deliverables based only on f...
- Treating approval alone as full change management. - Treating emergency changes as exempt from control. - Treating test data as low risk because it is outside production. - Ig...
These controls are easy to confuse because both involve retained information. The exam distinction is purpose: records protection is about preserving required records; privacy/P...
These controls close the A.5 organizational control set by checking whether the ISMS is independently reviewed, whether policies and standards are followed, and whether operatin...
The exam often tests whether you understand the difference between mandatory management-system requirements and risk-selected controls.
The Statement of Applicability explains which Annex A controls apply, which do not, why those decisions were made, and whether selected controls are implemented.
The exam may use policy, procedure, guideline, and standard loosely. Answer based on function, not title.
Roles and responsibilities must be defined, communicated, accepted, and kept current. Managers remain accountable for ensuring security requirements are followed in their area.
The exam often tests the difference between intent, documentation, and operating evidence.
Supplier and cloud controls overlap in practice, but the exam often tests the distinction between supplier risk management, contractual requirements, supply chain dependencies,...
The access-related controls form a chain: define access rules, manage identities, protect authentication secrets, and grant/review/remove actual access rights.
Incident management planning defines roles, reporting paths, escalation, communications, evidence handling, recovery coordination, and lessons learned before an incident occurs.
A.5.24 to A.5.28 form a practical lifecycle for incident management. Each control tests a different part of the lifecycle.
A.5.29 and A.5.30 are related but not interchangeable. One protects security during disruption; the other ensures ICT availability and recovery capability.
These controls are compliance-heavy. The exam may test whether the organization can prove obligations are known, current, owned, mapped to controls, and evidenced.
Link to this domain with /research/iso27001/exam-preparation/ . Link directly to exact notes from any resource card above.