Open ISO 27001 for the first time and you’re in for a surprise. The document doesn’t lead with a list of security measures. It opens with an introduction, moves on to a section of definitions, and only then do the requirements show up. To top it off, those requirements are numbered 4 through 10, as if someone had torn out the first few pages.
Nothing is missing. The standard is built this way on purpose, and understanding its architecture is the fastest way to stop seeing it as a doorstop and start using it as a map.
This article walks through the standard from front to back. What each part contains, which parts are mandatory, which are advisory, and why the numbering starts where it does.
What Is ISO 27001, and Why Does Its Structure Matter?
ISO 27001 is the international standard that describes how to build and maintain an information security management system, or ISMS. If you’re looking for the details on what it’s for, which companies it applies to, and what it delivers, you’ll find all of that in our complete guide to ISO 27001.
Here we’re focused on its architecture, and that architecture rests on two blocks that work very differently:
- The first is the clauses. These are the requirements. They spell out what your organization has to do, no exceptions, in order to get certified. An auditor shows up, reads them, and checks them off one by one.
- The second is Annex A. It’s a catalog of security controls. You aren’t required to apply all of them. You are required to review all of them, decide which ones you need based on your risks, and document your reasoning for the ones you leave out.
That split between what’s mandatory and what’s selectable is the key to the entire standard. Anyone who conflates the two blocks ends up believing that certification means rolling out 93 security measures. It doesn’t.
Why Does ISO 27001 Start at Clause 4?
Because the first three clauses exist, but they aren’t auditable.
Behind this is a decision made by ISO. To keep its management system standards from being written in isolation from one another, the organization created an internal template called Annex SL. It isn’t a standard you buy, and it isn’t one you get certified against. It’s the mold that technical committees follow when drafting any management standard, and it’s where the shared ten-clause outline, the common requirements, and a single vocabulary for words like risk and nonconformity all come from.
Each committee then layers its own material on top of that foundation. In ISO 27001, the specific part is everything dealing with information security, risk assessment, and Annex A. That’s why, if your company is already ISO 9001 certified, the clauses on leadership, support, and performance evaluation will feel familiar. They’re worded almost identically.
A note on vocabulary. For years this shared structure was called the High Level Structure, or HLS. Since the 2021 revision, its official name is the harmonized structure, and you’ll see both terms used interchangeably. The 2022 version of ISO 27001 already reflects it.
Clauses 0 Through 3 of ISO 27001: The Introductory Section
These four clauses take up only a few pages, and no auditor will ever ask you for evidence on them. Skipping them is still a mistake, because they set the ground rules:
- Clause 0, introduction: explains what the standard is for and what’s expected of an organization that adopts it. This is where you’ll find the idea that the ISMS has to be woven into the company’s processes rather than living as an appendix in a shared folder. It’s a statement of intent, not a requirement.
- Clause 1, scope of the standard: not to be confused with the scope of your ISMS, which is a different thing and shows up in clause 4. This clause states which types of organizations ISO 27001 applies to, and the answer is all of them. Any size, any industry. It also makes clear that clauses 4 through 10 aren’t negotiable if you want to be certified.
- Clause 2, normative references: points you to ISO 27000, a free document that holds the shared vocabulary for the entire 27000 family. Whenever you’re unsure what a term means exactly, that’s where to look.
- Clause 3, terms and definitions: pins down the meaning of the words the standard uses. It looks like a formality, but it isn’t. Words like risk, control, documented information, and interested party carry a precise meaning inside the standard that doesn’t always line up with everyday usage. Plenty of pointless arguments during an implementation project get settled by opening this clause.
Clauses 4 Through 10 of ISO 27001: The Certifiable Requirements
Here’s the standard for real. These seven clauses are what an auditor checks, and the order they appear in is no accident. They tell a story that runs from understanding your organization to improving it continuously.
- Clause 4, context of the organization: the starting point. You have to identify which internal and external factors affect your information security, who your interested parties are, and what they expect from you. Customers, employees, regulators, vendors. From that you define the scope of your ISMS, meaning which processes, which sites, and which systems are inside it.
- Clause 5, leadership: management has to genuinely get involved. Signing a document isn’t enough. This clause requires top management to approve an information security policy, assign clear responsibilities, and provide the necessary resources.
- Clause 6, planning: the heart of the standard. Here you define how you identify and evaluate your security risks, which ones you accept, which ones you treat, and which controls you apply. Two documents come out of it, the risk treatment plan and the Statement of Applicability, where you justify control by control why you’re applying it or why you aren’t.
- Clause 7, support: everything the system needs in order to run. People with the right competence, training, staff awareness, internal and external communication channels, and control of documentation.
- Clause 8, operation: putting the plan into practice. You run the processes, apply the risk treatment plan, and repeat the risk assessment on a regular basis or whenever circumstances change. It also requires you to keep control of the processes you outsource, because outsourcing a service doesn’t outsource your responsibility.
- Clause 9, performance evaluation: checking whether the system works. It rests on three pillars, monitoring and measuring the indicators you defined, an internal audit carried out by someone objective, and the management review, a formal, documented meeting in which top management examines the results and makes decisions.
- Clause 10, improvement: closing the loop. When something goes wrong, and sooner or later something will, you have to log the nonconformity, correct it, work out why it happened, and act on the root cause so it doesn’t happen again.
Annex A and the 93 Security Controls
Annex A is the shopping list. Ninety-three security controls that the standard puts on the table so you can pick the ones you need.
This is where most people go wrong, so it’s worth being blunt. You don’t have to implement all ninety-three. You have to review every one of them, hold them up against the risks you identified in clause 6, apply the ones that make sense, and document your reasoning for the ones you leave out. That documentation is the Statement of Applicability.
Here’s an example. If your company doesn’t build software, the secure development controls don’t apply to you, and you say so. If you don’t have a physical office because the whole team works remotely, some physical controls fall away. The auditor doesn’t expect you to have all of them. The auditor expects your decisions to line up with your risks.
Up through the 2013 version, there were 114 controls spread across fourteen sections. The 2022 revision regrouped them, stripped out the overlaps, added eleven new controls covering the cloud, threat intelligence, and security in development, and brought the total down to 93, organized into four broad families.
- Organizational controls: thirty-seven of them, making this the largest family. They cover policies, roles and responsibilities, supplier management, information classification, incident response, and business continuity. This is the most managerial and least technical part.
- People controls: eight of them. They run from background checks before hiring to confidentiality agreements, along with security training, the disciplinary process, and what happens when someone leaves the company. The human factor gathered into a single block.
- Physical controls: fourteen of them. Security perimeters, access control to facilities, protection against environmental threats, cabling security, a clear desk and locked screen policy, and secure disposal of equipment and media.
- Technological controls: thirty-four of them. What most people picture when they hear information security. Identity management, authentication, encryption, backups, logging and monitoring, protection against malware, vulnerability management, and security in software development.
The 2022 version also added a useful layer. Every control comes with five attributes that let you filter and classify it. Control type, information security property, cybersecurity concept, operational capability, and security domain.
How Annex A Relates to ISO 27002
Reading through Annex A, you’ll notice each control gets dispatched in two or three lines. It tells you what you need to achieve, not how to achieve it. That’s deliberate, because Annex A is a reference index, not a manual.
The instructions live in ISO 27002, a separate standard that you buy on its own and can’t be certified against. It contains the same 93 controls under the same numbering, but devotes several pages to each one, explaining its purpose and how to implement it. In short, ISO 27001 tells you what to do and certifies you, ISO 27002 explains how, and nobody will audit you against it. If you want the details, we compare the two standards in this article.
The workflow is straightforward. You identify your risks in clause 6, walk through Annex A to select the controls that address those risks, document your selection in the Statement of Applicability, and open ISO 27002 to that same number to implement each one.
That gives you the complete map. Four introductory clauses that fix the vocabulary, seven certifiable clauses that walk through the system’s life cycle, a catalog of 93 controls you pick from according to your needs, and a sister standard that explains how to apply them.

