ISO 27001 in Record Time


A Guide to ISO 27001 Clauses - Updated for 2026


Around the world, nearly 100,000 businesses have navigated the challenges of ISO 27001 and earned their certifications. If you want your business to be the next on the list, you need to understand the 11 clauses that make up the security framework, including what they are, why they exist, and what they require you to do.

Let's start where you might reasonably expect to begin: with a definition of what the clauses are.

BLUF - Bottom Line Up Front

Nearly 100,000 businesses have earned ISO 27001 certification. ISO 27001 has 11 clauses; seven set must-follow rules (Clauses 4–10) and four give background (Clauses 0–3). Clauses cover context, leadership, risk plan, support, daily operations, performance review, and improvement. Annex A lists 93 security controls to address. The standard sets goals, not fixed setups; current version is 2022 with a 2024 climate action update.

What Are ISO 27001 Clauses?

Clauses are the framework for the framework. ISO 27001 goes into a lot of detail about the various security controls and security goals for an organization, and the steps necessary to reach an acceptable level of security. The clauses are sort of like the elevator pitch for each section of security.

There are 11 clauses in ISO 27001, each pertaining to a different part of the framework. Of those 11, only seven carry requirements you must meet. The other four are not optional so much as informational: they form the foundation of the framework itself, so you can't skip them, but they impose no responsibilities on you.

As you work your way through the requirements that make up ISO 27001, you'll dig deep into the specific security controls, the goals you want to meet and the standards you want to exceed, and the workflows that help you define your business's ISMS.

One of the big stumbling blocks with ISO 27001 is the way it's designed to fit any organization. It's not prescriptivist; you aren't following a checklist of specific configurations to implement. Instead, it's descriptivist; you're presented with goals and thresholds, and it's up to you to design the systems that meet those goals.

The clauses are a key part of understanding what ISO 27001 is trying to do. Therefore, it's valuable to learn and understand what they ask of you. That's why we'll go through them all, one by one, and help break them down.

ISO 27001 Clause 0

First of the non-mandatory clauses, Clause 0 is nothing more than the introduction to ISO 27001. It's a broad, generalized overview of what the standard is, why it exists, what it does, and how it fits in with the other ISO standards.

If a business is new to the idea of an information security framework, Clause 0 is a good place to start. It's also useful for businesses that already use other ISO standards. ISO standards are broadly interoperable, meaning you can build one Management System that incorporates elements from several ISO standards and still pass your audits and earn your certifications, as long as you stay within the guidance in Clause 0.

ISO 27001 Clause 1

Clause 1 is the second of the non-mandatory, informational clauses. Titled "Scope", it's a single paragraph:

"This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this document."

Obviously, we won't be reproducing every clause in its entirety (you need to buy the ISO 27001 guidebook for that), but short elements like this are sufficient for illustrative purposes.

The key detail to take away here is that Clause 1 is what makes Clauses 4-10 mandatory: you cannot exclude any of them and still claim conformity with ISO 27001.

ISO 27001 Clause 2

Clause 2, titled Normative References, is the internal link between ISO 27001 and its base document, ISO 27000. ISO 27000 is the reference document that defines the vocabulary and other terminology used throughout the ISO 270XX series of standards. If you have questions about specific terminology used in ISO 27001, refer to ISO 27000 for the details.

ISO 27001 Clause 3

Last of the non-mandatory clauses, Clause 3 is Terms and Definitions. This also refers you back to ISO 27000 for details. It also references two online resources for terminology standardization, the ISO Online Browsing Platform and the IEC Electropedia. These can be used to reference specific terms if you don't know what they mean.

ISO/IEC uses a lot of specific terminology throughout its standards, and it's always worth cross-referencing, because the definition ISO/IEC uses and the definition in common use may differ.

ISO 27001 Clause 4

Now we get into the mandatory clauses. Clause 4 is Context of the Organization, and is your guidance on how to set up the overall framework for an ISMS.

It's broken down into several sub-clauses, each with its own guidance.

  • 4.1: Understanding the organization and its context. This is about determining the internal and external issues relevant to your implementation of an ISMS.
  • 4.2: Understanding the needs and expectations of interested parties. This is about determining which parties, such as legal and regulatory agencies, suppliers, and stakeholders, are relevant to your ISMS design, and what they expect of it.
  • 4.3: Determining the scope of the information security management system. This is the scoping guidance for your ISO 27001 implementation.
  • 4.4: Information security management system. This is the sub-clause that mandates the creation of an ISMS in accordance with the guidance throughout the rest of the document.

Overall, Clause 4 is fairly straightforward.

ISO 27001 Clause 5

Clause 5 is the Leadership clause. It's focused on requiring that a business have buy-in from top management and company leadership in order to successfully implement ISO 27001 standards.

Here's what you need to know:

  • 5.1: Leadership and commitment. This is a multi-point section that outlines the ways in which company leadership must demonstrate commitment to ISO 27001, including by ensuring strategic alignment between business objectives and ISMS rules, promoting continual improvement in the ISMS, and ensuring that the ISMS achieves its goals of securing information.
  • 5.2: Policy. This is another multi-point section that outlines the things management must do to establish an effective ISMS. These include making sure the ISMS is appropriate to the organization, and that it's documented and available.
  • 5.3: Organizational roles, responsibilities and authorities. This section makes top management the responsible party for the ISMS, and requires that every specific role within the ISMS likewise be explicitly assigned.

Leadership bears a lot of responsibility for a successful ISO 27001 implementation, so the buy-in and responsibility must be there.

ISO 27001 Clause 6

Clause 6 is Planning. This is a clause with only two sub-clauses, but each of them is further broken down into sections. Overall, though, it's actually quite simple. Clause 6 is about creating your framework for how you assess and address risks, how you take advantage of opportunities for improvement, and how you perform your risk assessments.

While the sub-clauses and sections are complex, it amounts to a workflow that helps guide you in how to establish the policies and procedures that enforce ISO 27001 risk management guidelines. This section also references Annex A, which is the more specific outline of the 93 security controls you have to address in your ISMS.

ISO 27001 Clause 7

Clause 7 is Support, and it centers around the requirement that you actively fund and support the establishment, review, and enforcement of ISO 27001 standards. It's there to require that an ISMS be well-supported, and not a vestigial, unfunded, unsupported effort that falls by the wayside.

It stipulates several specifics throughout its sub-clauses.

  • 7.1: Resources. You have to provide the resources necessary to have an effective ISMS.
  • 7.2: Competence. You need people with the right expertise in place to guide your ISMS. Where necessary, train them, evaluate them, and improve or replace them.
  • 7.3: Awareness. Anyone working for your organization must be aware of the ISMS and policies, and how to conform in their work.
  • 7.4: Communication. You need policies and guidelines for when, how, and with whom to communicate about your ISMS, its security, and related matters.
  • 7.5: Documented information. Your ISMS needs to be well-documented, the documents need to be kept updated, documented information needs to be protected, and you need policies for things like retention and disposal.

Much of this is core to establishing the policies and procedures that enforce ISO 27001 standards, so it's critical for an effective implementation.

ISO 27001 Clause 8

Clause 8 focuses on day-to-day operations. It's the outline of what your ISMS will be doing on a daily basis, what your ongoing requirements are, and what you need to do regularly.

Here's what you should know:

  • 8.1: Operational planning and control. You have to plan, implement, and control your processes as outlined in Clause 6. Changes should be planned and reviewed in advance.
  • 8.2: Information security risk assessment. You need to perform risk assessments on a planned and regular basis, and whenever significant changes are proposed or happen.
  • 8.3: Information security risk treatment. When risks are identified, implement a solution according to your established risk treatment plan, and retain relevant documentation according to your operational plan.

Since ISO 27001 is all about identifying, mitigating, and addressing risk, this section is key for ensuring that your processes are in place and effectively followed.

ISO 27001 Clause 9

Clause 9 centers around the three levels of assessment and review of the ISMS. These include ongoing monitoring and continual improvement, planned internal auditing, and external auditing.

The overall clause is titled Performance Evaluation.

  • 9.1: Monitoring, measurement, analysis and evaluation. This is a detailed outline of how to establish what needs to be monitored, how you monitor, how you evaluate, how you analyze, and what you do if there are abnormal results. This also specifies who should do the monitoring.
  • 9.2: Internal Audit. This is the section that details how to set up internal auditing, the standards to which you audit, and what you audit. It helps you figure out how to set up internal audits and how often you should perform them.
  • 9.3: Management review. This section requires that top management have a hand in the auditing and review of your ISMS. It can't be "fire and forget" from the top brass; they need to play an active role.

While external auditing is not directly mentioned, you can expect it to be broadly similar to internal auditing, with higher standards and stricter requirements. Understanding how internal audits need to work helps you prepare for external audits.

ISO 27001 Clause 10

The final standard clause is titled Improvement. As you might expect, it focuses on the ongoing analysis and improvement of your ISMS. Since security is a moving target and the threat environment is always changing, you, too, need to evolve with it.

This is a big part of why ISO 27001 is not prescriptivist, because updating the standard often enough to keep up would be an impossible task.

  • 10.1: Continual improvement. You must continually improve your ISMS, simple as that.
  • 10.2: Nonconformity and corrective action. This section is all about what to do if a nonconformity is discovered. How do you react to it, how is it evaluated, what action is taken and how is it addressed, what review do you do afterwards, and what corrective actions apply?

Taken together, these clauses encompass everything you need for a successful ISMS. The difficulty lies in turning the dozen or so pages of clause-based guidance into specific, detailed policies, procedures, technological implementations, employee training, and more.

What Has Changed in 2026?

Has anything specific or major changed in ISO 27001's clauses for 2026? No. ISO 27001's current version is the 2022 version, and there was an update in 2024 to add certain requirements to assess the impact of climate action, but there are no current changes for 2026.

The only thing that could be relevant is that we've reached the three-year deadline for migrating from the ISO 27001:2013 version, which was replaced in 2022 with a transition period that ran until late 2025. But if you were on ISO 27001:2013, you don't need an overview of the ISO 27001 clauses, so you probably aren't reading this, right?

What we can say with certainty is that ISO 27001 is not getting any easier. Modern threats are evolving rapidly, and AI-powered cybersecurity attacks are getting increasingly sophisticated. You need powerful tools in your corner to help you keep track of your implementation.

That's where we come in. The Ignyte Assurance Platform is one such tool to help you track the implementation of each of the Annex A security controls, monitor the overall compliance with each of the Clauses, and much more. To see how it can work for you, reach out and book a customized demo today.