ISO 27001 Chapters 4-10: The first steps in setting-up your ISMS and what you really need to document.

Why Chapters 4–10 Matter

ISO 27001 clauses 4–10 set out how to build, operate, monitor, and improve an Information Security Management System (ISMS). They require specific documented information and records that show intent, implementation, and evidence. Getting these elements right early accelerates certification, reduces rework, and anchors security to business objectives.

Clause 4 — Context of the Organization: What to Establish and Document

Define the ISMS in relation to your business model, risk profile, and legal or contractual obligations.

Key actions:

• Identify internal and external issues that affect information security (regulatory requirements, threat landscape, business strategy).
• Identify interested parties (customers, regulators, partners) and their relevant requirements.
• Define the ISMS scope, considering organizational units, locations, processes, and technologies.

Minimum documented information:

• ISMS Scope (mandatory).

Recommended artifacts:

• Context and interested parties register (issues, requirements, expectations).
• Scope rationale and boundaries narrative explaining inclusions and exclusions.

Clause 5 — Leadership: Policy and Governance Records

Top management must set direction, assign responsibilities, and integrate the ISMS with business processes.

Key actions:

• Approve and communicate an information security policy aligned with strategic objectives.
• Assign ISMS roles, responsibilities, and authorities.
• Demonstrate leadership commitment through resource allocation, prioritization, and risk acceptance decisions.

Minimum documented information:

• Information Security Policy (mandatory).

Recommended artifacts:

• ISMS governance charter and role descriptions.
• Top management commitment statement.

Clause 6 — Planning: Risk, Objectives, SoA, and Treatment

Plan how to address risks and opportunities with a defined methodology, clear objectives, and a justified set of controls.

Key actions:

• Define and approve the risk assessment process (criteria for likelihood, impact, and acceptance).
• Define the risk treatment process (selection of options, residual risk approval).
• Perform the initial risk assessment and maintain a risk register.
• Select controls and produce the Statement of Applicability (SoA), documenting rationales and implementation status.
• Set measurable information security objectives and plans to achieve them.

Minimum documented information:

• Risk assessment process/methodology (mandatory).
• Risk treatment process (mandatory).
• Statement of Applicability (mandatory).
• Risk treatment plan (mandatory).
• Information security objectives (mandatory).

Required records:

• Results of risk assessment and risk treatment activities (evidence that will also be maintained under Clause 8).

Recommended artifacts:

• Risk register with owners, due dates, and residual risk acceptance.
• Control implementation plans mapped to Annex A.

Clause 7 — Support: Resources, Competence, and Documented Information Control

Provide the resources, skills, awareness, and document controls the ISMS needs to function effectively.

Key actions:

• Allocate resources (people, budget, tools) to operate and monitor the ISMS.
• Define competence requirements, deliver training, and retain evidence of competence.
• Raise awareness of policies, roles, and consequences for security-related behaviour.
• Plan communications relevant to interested parties.
• Establish control over documented information: creation, approval, change control, access, retention, and disposition.

Minimum documented information and records:

• Evidence of competence (mandatory records).
• Controlled documented information required by the standard and the organization (mandatory).

Recommended artifacts:

• Training matrix and curriculum; onboarding security awareness content.
• Document control procedure and templates (policy, standard, procedure, record).

Clause 8 — Operation: Run the ISMS and Keep Evidence

Operate planned processes, manage change, and retain evidence that risk management and controls are being executed.

Key actions:

• Control operational activities and any changes affecting information security.
• Execute risk assessments at planned intervals and when significant changes occur.
• Implement and operate selected risk treatment controls.

Minimum documented information and records:

• Documented information necessary to have confidence that processes are carried out as planned (mandatory where required for effective operation).
• Results of information security risk assessments (mandatory records).
• Results of information security risk treatment (mandatory records).

Recommended artifacts:

• Standard operating procedures for key controls (access provisioning, backup, vulnerability management, incident handling).
• Change management records demonstrating linkage to risk and control implications.

Clause 9 — Performance Evaluation: Metrics, Audit, and Management Review

Measure ISMS performance, audit processes, and review outcomes with leadership to guide improvement.

Key actions:

• Define and run monitoring and measurement (KPIs/KRIs) with methods, frequency, and owners.
• Plan and perform internal audits and address findings promptly.
• Conduct management reviews covering performance, risks, opportunities, and resourcing.

Minimum documented information and records:

• Evidence of monitoring, measurement, analysis, and evaluation (mandatory records).
• Internal audit programme and results (mandatory records).
• Management review results (mandatory records).

Recommended artifacts:

• Metrics catalogue with targets and data sources.
• Audit checklist mapped to clauses and controls.

Clause 10 — Improvement: Nonconformities and Continual Improvement

Address nonconformities systematically and demonstrate that corrective actions resolve root causes and are effective.

Key actions:

• Respond to nonconformities, correct them, and manage any consequences.
• Perform root-cause analysis, implement corrective actions, and verify effectiveness.
• Use data from incidents, audits, metrics, and reviews to drive continual improvement.

Minimum documented information and records:

• Records of nonconformities and corrective actions, including cause, actions taken, and effectiveness review (mandatory records; Clause 10.2).

Recommended artifacts:

• Continuous improvement log with prioritization and status.

Practical First 90 Days: A Focused, Minimal Set

If you are starting an ISMS, prioritize these deliverables to build momentum and satisfy auditors:

• ISMS scope statement and high-level context register.
• Information security policy approved by leadership.
• Risk assessment methodology and criteria; initial asset and risk register.
• Statement of Applicability with control rationale and status.
• Risk treatment plan with owners, timelines, and acceptance criteria.
• Defined security objectives with metrics and a tracking approach.
• Evidence of competence for key ISMS roles; an awareness plan.
• Documented information control process and templates.
• Initial monitoring set (patch compliance, incident MTTR, access review completion).
• Internal audit plan and management review cadence.

Documentation Essentials: Mandatory vs. Useful

Mandatory documented information and records under clauses 4–10:

• ISMS scope.
• Information security policy.
• Risk assessment process and risk treatment process.
• Statement of Applicability.
• Risk treatment plan.
• Information security objectives.
• Evidence of competence.
• Controlled documented information required by the standard and the ISMS.
• Results of risk assessments and risk treatment.
• Evidence of monitoring and measurement.
• Internal audit programme and results.
• Management review results.
• Nonconformity and corrective action records.

Useful (commonly expected) documents that streamline operations and audits:

• Context and interested parties register.
• Asset inventory and data classification scheme to support controls.
• Access control standard, acceptable use, and secure configuration baselines.
• Incident response procedure and incident register.
• Vulnerability and patch management procedures; change management process.
• Supplier security evaluation process and supplier inventory.

Common Pitfalls and How to Avoid Them

• Over-documentation: Keep documents concise, role-focused, and aligned to practice.
• Control-first mindset: Start with risk and objectives, then select controls.
• Static SoA: Update the SoA after risk reassessments and significant changes.
• Unmeasurable objectives: Give objectives targets, owners, and data sources.
• Paper compliance: Maintain operational evidence (tickets, logs, reviews) linked to risks and controls.

How Much Is “Enough” Documentation?

Document what is necessary for consistent operation, evidence, and informed decision-making—no more. Auditors expect clear intent, traceability from risk to control to evidence, and visible leadership oversight. If a process materially affects risk or assurance, document it; if it does not, keep it lightweight.