ISO 27001 Basics Cheat Sheet
Introduces the ISO/IEC 27001 information security management system framework, its structure, Annex A controls, and certification process.
ISMS Fundamentals
Core concepts of an Information Security Management System under ISO 27001.
- ISMS- Information Security Management System; a systematic, risk-based approach to managing sensitive information
- Scope statement- Documented boundary of the ISMS, defining which systems, locations, and processes are covered
- Risk assessment- Identify assets, threats, vulnerabilities, and calculate risk levels to prioritize treatment
- Statement of Applicability (SoA)- Document listing which Annex A controls are applied or excluded, with justification
- PDCA cycle- Plan-Do-Check-Act; the continuous improvement cycle underlying the ISMS
Management Clauses (4-10)
The mandatory management system clauses of ISO 27001:2022.
- Clause 4: Context of the organization- Determine internal/external issues and interested parties relevant to the ISMS
- Clause 5: Leadership- Top management commitment, policy, and defined roles/responsibilities
- Clause 6: Planning- Risk assessment, risk treatment plan, and information security objectives
- Clause 7: Support- Resources, competence, awareness, communication, and documented information
- Clause 8: Operation- Operational planning and execution of risk treatment
- Clause 9: Performance evaluation- Monitoring, internal audits, and management review
- Clause 10: Improvement- Nonconformity handling and continual improvement
Annex A Control Themes (2022 revision)
The 93 Annex A controls are grouped into four themes.
- Organizational controls (37)- Policies, roles, supplier relationships, incident management processes
- People controls (8)- Screening, terms of employment, security awareness training, disciplinary process
- Physical controls (14)- Secure areas, equipment protection, clear desk/clear screen policy
- Technological controls (34)- Access control, cryptography, logging, malware protection, secure development
Sample Risk Register Entry
Structure of a risk register entry used to document risk assessments.
risk_id: RISK-014asset: customer-databasethreat: unauthorized access via leaked credentialsvulnerability: no MFA enforced on admin accountslikelihood: 3 # 1-5 scaleimpact: 5 # 1-5 scalerisk_score: 15 # likelihood x impacttreatment: mitigatecontrol_applied: "A.8.5 - Secure authentication (enforce MFA)"owner: security-teamreview_date: 2026-10-01residual_risk_score: 5
Certification Process Steps
Typical path an organization follows to achieve ISO 27001 certification.
- Gap analysis- Compare current controls against ISO 27001 requirements to find gaps
- Risk treatment implementation- Implement selected Annex A controls and document the SoA
- Internal audit- Conduct an independent internal audit of the ISMS before external audit
- Stage 1 audit- Certification body reviews documentation and readiness
- Stage 2 audit- Certification body verifies controls are implemented and operating effectively
- Surveillance audits- Annual audits over the 3-year certification cycle to maintain certification
Treat the Statement of Applicability as a living document, not a one-time deliverable — review it whenever new systems, vendors, or risks are introduced, since auditors specifically check that the SoA reflects current reality, not the state at initial certification.
Explore Topics
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance