ISO 27001:2013 Awareness for Employees V2 – Lesson 2 “Clauses”

ISO 27001 Clauses


ISO 27001 follows the Annex SL structure and is made up of 10 clauses. Unlike most other ISO management system standards, ISO 27001 also has Annex A, a reference set of security controls that can be selected and applied to treat identified risks as required.

The Annex SL structure allows easier integration of multiple ISO management system standards, as many of the clauses are very similar, if not identical, across standards.


Clauses 1 to 3 (Scope, Normative References, and Terms and Definitions) are introductory. The clauses that contain the auditable requirements of ISO 27001 are as follows:


Clause 4: Context of the Organisation – Internal and External Issues, Interested Parties, and Scope

Clause 5: Leadership – Commitment, Policy, and Roles, Responsibilities & Authorities

Clause 6: Planning – Risks and Opportunities, Infosec Risk Assessment, Infosec Risk Treatment, Infosec Objectives and Planning to Achieve Them

Clause 7: Support – Resources, Competence, Awareness, Communication, Control of Documented Information

Clause 8: Operation – Operational Planning and Control, Infosec Risk Assessment (carrying out the assessment), Infosec Risk Treatment (implementing the treatment plan)

Clause 9: Performance Evaluation – Monitoring, Measurement, Analysis and Evaluation, Internal Audit, Management Review

Clause 10: Improvement – Nonconformity and Corrective Action, Continual Improvement


Be Aware of…

As an employee, you should be aware of:

  • the roles and responsibilities assigned to you
  • any risks or risk treatment actions assigned to you
  • your part in achieving the information security objectives
  • any awareness training you need to complete
  • how to manage documented information (documents and records)
  • the results of monitoring and measurement that are relevant to your role


Information Security Representative

Find out who is responsible for Information Security in your Organisation, and how to contact them.


Risk Management Consultants

Find out whether your organisation uses an Information Security Risk Management Consultant and, if so, who they are and how to contact them.