Clauses 4 to 10 are the management system core of ISO 27001. They define how the ISMS is governed, planned, run, measured, and improved. Unlike Annex A controls, which are selected based on your risk assessment, the clauses are entirely mandatory — every "shall" statement must be addressed for certification. This walkthrough takes them in order, with the documents you need, the auditor's perspective, and the failure modes to avoid.
Clauses 1, 2, 3 — Orientation Only
Before getting into the auditable clauses, a quick word on the first three. Clause 1 (Scope) describes what the standard covers. Clause 2 (Normative References) points to ISO/IEC 27000 for vocabulary. Clause 3 (Terms and Definitions) defines the language. None of these contain "shall" statements and none are auditable — but you should still read them once to anchor your understanding of terms like "interested parties," "documented information," and "risk owner," all of which appear throughout the auditable clauses.
If you are still building your foundational understanding, start with our piece on what an ISMS is and our ISO 27001 explained for startups article; both cover the conceptual scaffolding this walkthrough assumes.
Clause 4 — Context of the Organisation
Clause 4 forces you to formally document who you are, what you do, who depends on your information security posture, and what the boundaries of your ISMS are. It has four sub-clauses: 4.1 (understanding the organisation and its context), 4.2 (interested parties and their requirements), 4.3 (scope), and 4.4 (the ISMS itself).
What "context" actually means in practice
Most teams treat context as a paragraph. Auditors treat it as the foundation that justifies every other decision in the ISMS. Internal context covers organisational structure, culture, contracts, capabilities. External context covers regulatory landscape (DPDP, GDPR, sector laws), competitive pressure, threat environment, supply chain. The interested-parties register lists every entity with a stake in your information security and what they expect — customers expect uptime and confidentiality, regulators expect breach notification, employees expect privacy, investors expect risk transparency.
Scope (4.3) is where most early-stage ISMS programmes fail. The scope statement must be unambiguous — exactly which products, locations, processes, and personnel are covered. Our ISO 27001 scope definition guide covers the trade-offs between narrow and broad scope, with examples for SaaS, fintech, healthcare, and consulting.
Clause 5 — Leadership
Clause 5 demands visible, documented top-management commitment to the ISMS. It has three sub-clauses: 5.1 (leadership and commitment), 5.2 (information security policy), and 5.3 (organisational roles, responsibilities, and authorities).
Why auditors interview the CEO
If the CEO cannot articulate the ISMS objectives, the importance of compliance, or the basic risks the organisation manages, Clause 5 fails. This is non-negotiable. Top management cannot delegate ownership — they can delegate execution, but the visible commitment must remain at the top. The Information Security Policy (5.2) must be signed by top management, communicated, and reviewed regularly. A draft policy or an unsigned PDF will not pass.
Clause 5.3 also requires clear assignment of responsibility for the ISMS itself — typically a CISO, Head of Security, Compliance Lead, or vCISO. For startups thinking through this, our piece on the role of a CISO in a startup covers when to hire and what the role actually does. The substance of the policy itself is covered in how to write a security policy people will actually follow.
Clause 6 — Planning
Clause 6 is the heaviest of the seven. It has three sub-clauses: 6.1 (actions to address risks and opportunities, including risk assessment 6.1.2 and risk treatment 6.1.3), 6.2 (information security objectives), and 6.3 (planning of changes — new in 2022). This is where the risk assessment, risk treatment plan, and Statement of Applicability all live.
The trio that anchors the ISMS
Three deliverables under Clause 6 are non-negotiable: the risk assessment, the risk treatment plan, and the Statement of Applicability. They must be internally consistent — every risk maps to a treatment, every treatment maps to one or more Annex A controls, and every selected control appears in the SoA with justification. We cover each in detail: risk assessment in ISO 27001 covers methodology and the risk register; the Statement of Applicability complete guide covers the bridge document.
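As an added illustration (not from the original article), here is a Python check of the internal consistency the paragraph describes: every risk has a treatment decision, every control a treatment relies on is present and included in the SoA, and every SoA row carries a justification. The data structures, sample risks and Annex A references are constructed for this example and are not a real ISMS.

```python
from typing import NamedTuple

class Treatment(NamedTuple):
    risk_id: str
    option: str      # modify / retain / avoid / share (ISO 27005 wording)
    controls: tuple  # Annex A control references the treatment relies on

class SoaEntry(NamedTuple):
    control_id: str
    included: bool
    justification: str

def check_trio(risk_register, treatments, soa):
    """Cross-check the Clause 6 trio. risk_register maps risk id -> description.
    Returns (finding_code, subject) pairs; an empty list means the set is consistent."""
    findings = []
    treated = {t.risk_id for t in treatments}
    soa_by_id = {e.control_id: e for e in soa}
    for risk_id in risk_register:                 # every risk needs a treatment decision
        if risk_id not in treated:
            findings.append(("UNTREATED_RISK", risk_id))
    for t in treatments:                          # every treatment -> a registered risk and SoA controls
        if t.risk_id not in risk_register:
            findings.append(("ORPHAN_TREATMENT", t.risk_id))
        for c in t.controls:
            entry = soa_by_id.get(c)
            if entry is None:
                findings.append(("CONTROL_NOT_IN_SOA", c))
            elif not entry.included:
                findings.append(("CONTROL_EXCLUDED_BUT_USED", c))
    relied_on = {c for t in treatments for c in t.controls}
    for e in soa:                                 # every SoA row justified; included rows traceable
        if not e.justification.strip():
            findings.append(("NO_JUSTIFICATION", e.control_id))
        if e.included and e.control_id not in relied_on:
            findings.append(("INCLUDED_NOT_TRACED", e.control_id))
    return findings

# Constructed sample data, not a real ISMS; Annex A numbers are illustrative only.
RISKS = {"R-01": "Credential stuffing against customer logins without MFA",
         "R-02": "Unpatched internet-facing services",
         "R-03": "Staff fall for phishing"}
TREATMENTS = [Treatment("R-01", "modify", ("A.8.5",)),
              Treatment("R-02", "modify", ("A.8.8", "A.5.15")),
              Treatment("R-04", "retain", ())]            # R-04 is not in the register
SOA = [SoaEntry("A.8.5", True, "MFA on the customer portal; treats R-01"),
       SoaEntry("A.8.8", True, ""),                        # included but unjustified
       SoaEntry("A.5.15", False, "Handled by the hosting provider under contract"),
       SoaEntry("A.6.3", True, "Required by enterprise customer contracts")]

FINDINGS = check_trio(RISKS, TREATMENTS, SOA)   # five findings on this sample
```

The INCLUDED_NOT_TRACED finding is informational: a control may legitimately be included for legal or contractual reasons rather than a risk, but the auditor will expect the SoA justification to say so.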
Clause 6.2 (Information Security Objectives) requires measurable goals. "Improve security" is not an objective. "Achieve 95% MFA enrolment by Q2 2026" is. "Reduce mean time to detect from 18 hours to 8 hours by year-end" is. Auditors look for SMART objectives tied to identified risks and tracked through the management review cycle.
Clause 6.3 was added in the 2022 revision — it requires planning for ISMS changes (scope expansion, structural reorganisation, new processing activities). This is one of the easiest places to score quick wins because it formalises something most organisations already do informally.
Clause 7 — Support
Clause 7 covers the resources, competence, awareness, communication, and documented information required to operate the ISMS. Five sub-clauses: 7.1 (resources), 7.2 (competence), 7.3 (awareness), 7.4 (communication), 7.5 (documented information).
The clause that seems easy until the auditor pulls 10 random employees
Clause 7.3 (Awareness) is enforced through stop-and-ask checks during the audit. Auditors will pick three to five employees at random and ask basic questions: "Where is the security policy?" "Who do you report a phishing email to?" "What classification level is customer data?" If even one cannot answer, awareness fails. The fix is a continuous awareness programme — recurring training, phishing simulations, internal communications. Our phishing simulation guide covers the operational side.
Clause 7.5 (Documented Information) is where document control comes in. Every controlled document must have an owner, a version number, an approval date, a review schedule, and access controls. "Documents" here include the policy, the SoA, the risk register, procedures, and records — everything that an auditor might inspect.
Clause 8 — Operation
Clause 8 is short but consequential. It requires you to actually operate the ISMS — execute the planned processes, conduct risk assessments at planned intervals, implement the risk treatment plan, and control planned changes. Three sub-clauses: 8.1 (operational planning and control), 8.2 (information security risk assessment), 8.3 (information security risk treatment).
The clause that proves your ISMS is alive
Clause 8 is where Stage 2 audits live. Stage 1 reviews documentation; Stage 2 tests operation. Auditors will pick controls from your SoA and ask for evidence that they are operating — access reviews actually performed, incidents actually triaged, vulnerabilities actually remediated. A well-documented ISMS that has not actually operated for at least 90 days will struggle in Stage 2. Our walkthrough on how to prepare for a security audit covers exactly what evidence to assemble.
The risk register must show movement. Risks identified at the start of the cycle should have been treated, accepted, or transferred — and new risks should have been added as conditions changed. A static risk register is a red flag.
Clause 9 — Performance Evaluation
Clause 9 is consistently the most-failed clause in early certification audits. It has three sub-clauses: 9.1 (monitoring, measurement, analysis, evaluation), 9.2 (internal audit), 9.3 (management review). It demands evidence of operation over time — the one thing early-stage ISMS programmes lack.
Why Clause 9 trips up most first-time certifications
The minimum viable evidence pattern for Clause 9 is: at least one internal audit covering all clauses and a representative sample of Annex A controls, at least one management review with documented inputs and outputs, and at least 90 days of monitoring data showing the ISMS is being measured. Skipping any one of these is a fast route to a major non-conformity.
Internal audits (9.2) must be conducted by someone independent of the area being audited. For small organisations this often means engaging an external internal auditor — yes, "external internal" is the actual term. The audit must follow a documented programme and produce a formal report with findings and corrective actions.
Management review (9.3) is a structured meeting with mandatory inputs (audit results, risk changes, performance data, corrective action status, opportunities for improvement) and mandatory outputs (decisions on changes, resource needs, ISMS direction). The minutes are an audit-grade document. Our coverage of security metrics that actually matter to the board covers metric selection.
Clause 10 — Improvement
Clause 10 closes the PDCA loop. Two sub-clauses: 10.1 (continual improvement) and 10.2 (nonconformity and corrective action). Where Clause 9 measures, Clause 10 fixes.
The PDCA cycle made tangible
Every non-conformity raised — whether by an internal audit, an incident investigation, or a customer complaint — becomes a row in the NC register. Each row needs a root-cause analysis (5-Why or Fishbone is sufficient for most), a corrective action with an owner and a deadline, and effectiveness verification before closure. "Closed" is not the same as "fixed and verified." Auditors look for that distinction.
Clause 10.1 (Continual Improvement) is broader: it covers any opportunity to improve the suitability, adequacy, and effectiveness of the ISMS, not just fixing problems. Capturing improvement ideas, prioritising them against risk and impact, and tracking their progress through management review demonstrates a healthy ISMS.
Mandatory Documents — The Map
ISO 27001 explicitly requires certain documented information across the clauses. Here is a consolidated view of what must exist before Stage 1, mapped to clause and what auditors expect to see.
| Document | Clause | Why It's Mandatory |
|---|---|---|
| ISMS Scope Statement | 4.3 | Defines the boundary of certification |
| Information Security Policy | 5.2 | Top-level commitment, evidenced by a policy signed by top management |
| Risk Assessment Methodology | 6.1.2 | Documents how risks are identified and scored |
| Risk Assessment Results / Register | 6.1.2 | The output — every identified risk |
| Risk Treatment Plan | 6.1.3 | How risks will be addressed, by whom, when |
| Statement of Applicability (SoA) | 6.1.3(d) | The control register — included, excluded, justified |
| Information Security Objectives | 6.2 | Measurable goals tied to risks |
| Evidence of Competence | 7.2 | Training records, qualifications |
| Documented Procedures | 7.5 / 8.1 | How operational processes are run |
| Internal Audit Programme & Reports | 9.2 | Independent verification of operation |
| Management Review Minutes | 9.3 | Top-management oversight evidence |
| Nonconformity & Corrective Action Records | 10.2 | Improvement loop evidence |
This list is the floor, not the ceiling. Most certification-ready ISMS programmes also document operating procedures, change records, access reviews, and incident logs — all required by Annex A controls, even if the clauses themselves do not specifically demand them. If your team is at the early-stage gap-assessment phase, our broader walkthrough on does ISO 27001 apply to your business covers the prerequisites and our business value of certification piece covers the commercial rationale.
The clauses are not a checklist to satisfy once — they are the operating system of the ISMS. Treated that way, certification follows almost as a side effect of running the system properly. Treated as paperwork to satisfy an audit, they become the brittle scaffolding that fails under the lightest scrutiny. Build them seriously the first time.
Frequently Asked Questions
ISO 27001:2022 has 10 main clauses. Clauses 1 to 3 are introductory (scope, normative references, terms and definitions) and contain no auditable requirements. Clauses 4 to 10 are the management system clauses — the core of the standard — and contain all the auditable requirements for the ISMS itself, separate from the Annex A controls.
Clauses 4 to 10 define the management system: how you set up, run, monitor, and improve your ISMS. They cover governance, risk, planning, performance evaluation, and improvement. Annex A controls are the specific security measures you select to treat identified risks — encryption, access control, training, incident response, and so on. The clauses are mandatory; Annex A controls are selected based on your risk assessment and documented in the Statement of Applicability.
Yes. Clauses 4 to 10 are entirely mandatory and contain no optional requirements. Every "shall" statement in those clauses must be addressed for certification. This is different from Annex A, where individual controls can be excluded with documented justification. There is no exclusion mechanism for the management system clauses themselves.
Clause 9 (Performance Evaluation) is consistently flagged. Many organisations build the ISMS, run it for a few months, and arrive at certification without enough internal audit cycles, management reviews, or measurable monitoring data. Clause 9 demands evidence of operation over time — exactly what early-stage ISMS programmes lack. Building a 90-day operational track record before Stage 2 is one of the most reliable ways to pass.
For a startup with no prior management system, allow 4 to 9 months to build, document, and operate clauses 4 to 10 to a level that supports certification. The fastest path: complete clauses 4 to 7 in months 1-2 (governance, scope, planning, support), implement Annex A controls and clause 8 in months 3-4, and accumulate clause 9 evidence (audit, review, measurement) over months 4-6 before Stage 2. Larger organisations typically need 6-12 months.
The clause structure stayed nearly identical — the biggest changes were in Annex A. Clause 6.3 (Planning of Changes) was added to the 2022 version, formalising the requirement to plan ISMS changes deliberately. Some sub-clause numbering shifted slightly, and the "documented information" terminology became more consistent. Organisations transitioning from 2013 typically focus most of their update effort on Annex A and the SoA, with relatively light changes to clauses 4 to 10.
Yes, but it is harder than most teams expect. Clauses 4-10 require both management-system thinking (governance, planning, measurement) and the discipline to keep evidence over time. Teams with prior ISO 9001 or other management system experience tend to do this in-house comfortably. Teams approaching the standard for the first time benefit significantly from consultant involvement during scoping, the SoA, and the internal audit; these are the highest-leverage points and the most common failure modes.