ISO 27001 reference guide: complete overview of requirements and implementation
This reference guide contains detailed information about ISO 27001 requirements and practical implementation. Use it as a lookup guide during your project—if you want to know what a specific clause requires, which documents are mandatory, or how the certification process works, you'll find it here.
How to use this reference guide
This article is structured differently than our other blogs. Where those focus on strategy and approach, this reference gives you concrete details about ISO 27001 requirements. You don't need to read it from start to finish—jump directly to the section you need.
The structure follows how ISO 27001 is built: first the management requirements (clauses 4-10), then the practical controls (Annex A), followed by the documentation you need, and finally exactly what auditors check. Each part contains not only what the standard says, but also how you implement it in practice and how Tidal helps you.
Requirements overview: clauses 4-10 in detail
ISO 27001 consists of ten clauses, of which the first three are general (scope, definitions, context) and clauses 4-10 contain the actual requirements. Below you'll find, for each clause, what you must do, how you implement it in practice, and where Tidal supports you.
Clause 4: Context of the organisation
This clause requires that you understand the environment in which you operate. What are internal and external factors that influence information security? Think of regulations applicable to you (GDPR, NEN7510, sector-specific requirements), but also technological trends, competition, or organisational changes like growth or mergers.
You must also identify interested parties and determine their requirements. Who has an interest in your information security? Customers making demands in their contracts, partners wanting to know their data is safe, regulators checking compliance, and of course your own management and employees.
Crucial for certification is a clearly and measurably defined ISMS scope. What exactly are you certifying? Which systems, processes, locations and people fall within scope? This definition determines the rest of your implementation and audit scope.
Practical implementation:
- Determine which regulations apply to your organisation from Tidal's inventory of laws and regulations
- Inventory customer and partner requirements using Tidal's context analysis
- Document which information and systems fall within scope in the scope document
Tidal support: The context analysis guides you systematically through these questions. The result is documented organisational context that provides input for your next steps and that auditors can review.
Clause 5: Leadership
This clause is about management commitment—not just providing budget but truly being involved. Management must establish an information security policy that gives direction to the organisation. They must assign roles and responsibilities so it's clear who does what. And they must ensure resources and support—both budget and time.
Practical implementation:
- Management signs the policy and communicates it to the organisation
- Appoint an ISMS manager with mandate to make decisions
- Plan budget for implementation and ongoing maintenance
- Schedule information security as fixed agenda item in management meetings
Tidal support: Document policies in the policies section. The management dashboard shows progress and escalates issues needing attention.
Clause 6: Planning
Planning revolves around understanding and addressing risks. You conduct a risk analysis: what threats exist, how likely are they, what's the impact? Based on that you establish security objectives—what do you want to achieve? You select appropriate controls from Annex A that cover your risks. And you create an implementation plan with deadlines and responsible parties.
Practical implementation:
- Identify threats specific to your business
- Determine impact and likelihood per risk
- Choose controls from Annex A that mitigate these risks
- Plan implementation with concrete deadlines and names
Tidal support: Risk assessment is structured with AI support. Automatic control mapping shows which controls belong to which risks. Project planning tools help you organise implementation.
Clause 7: Support
Support is about the resources your ISMS needs. Ensure competent employees—people must know what they're doing. Provide security awareness training to everyone, not just IT. Document procedures and policies in a workable way. And establish communication channels so people know how to report incidents or ask questions.
Practical implementation:
- Train your ISMS team in ISO 27001 basics
- Organise annual security awareness for all employees
- Create workable procedures of maximum one to two pages
- Establish an incident reporting channel (email, form, or tool)
Tidal support: Document training progress, use document templates for policies, and set up awareness campaigns with built-in tools.
Clause 8: Operation
Here it gets concrete: actually implement the planned controls. Execute your risk treatment as planned. Monitor how implementation progresses. And document what you've done so you can later demonstrate that controls were executed.
Practical implementation:
- Install technical controls like antivirus, firewalls, MFA
- Implement organisational procedures like access management and incident handling
- Test whether controls actually work as intended
- Track which risks are covered by which controls
Tidal support: Work on implementation tasks in the platform. Assess outcomes of automatic tests. Monitor progress with KPIs showing how much you've completed.
Clause 9: Performance evaluation
Evaluation means checking whether what you've done also works. Monitor the effectiveness of controls—do they do what they should? Conduct an internal audit where an independent party checks compliance. Hold a management review where management discusses how the ISMS functions. And measure security indicators like number of incidents or training participation.
Practical implementation:
- Check monthly whether procedures are actually followed
- Have an independent party (internal or external) audit your ISMS
- Discuss findings with management in a formal management review
- Track KPIs like number of security incidents, training participation, time-to-resolve
Tidal support: Automatic monitoring shows whether technical controls work. Audit templates support execution. Management review reports summarise status for management.
Clause 10: Improvement
The final clause is about learning and improving. Resolve deviations found during monitoring or audits. Implement improvement actions arising from incidents or findings. Update procedures where needed based on new insights. And document lessons learned so you don't keep making the same mistakes.
Practical implementation:
- Analyse causes of incidents, not just symptoms
- Adjust procedures based on what you learn in practice
- Communicate changes clearly to the team
- Plan preventive measures for problems you see coming
Tidal support: Record issues in the system. Document corrective action plans with deadlines and responsible parties. Monitor progress of resolution until the issue can be closed.
Controls library: Annex A practically explained
ISO 27001 Annex A contains 93 controls divided into four main groups: organisational, people, physical, and technical. You don't need to implement all 93; in practice you'll end up with between 60 and 93 controls. Below you'll find the most common and important controls per category.
Organisational controls (5.1-5.37)
This category is the largest and contains all organisational aspects of information security. From policy to supplier management, from asset management to incident response. For small companies these are the most essential:
5.1 Information security policy is the foundation. This policy document gives direction to your entire ISMS. Practically this means a document of two to three pages with the main rules and who's responsible for what. Not a tome of fifty pages, but a readable document that management can approve and employees can understand.
5.9 Asset inventory requires you know which assets you have and who's responsible. Practically this is a list (Excel, database, or in Tidal) of all systems, data and hardware with who the owner is and how critical the asset is classified.
5.15 Access control is about who may access what. The least privilege principle: people only get access to what they need for their work, nothing more. Practically this means regular access reviews where you check whether people still have the correct permissions.
5.24 Incident response planning is your plan for when things go wrong. Practically this means a clear escalation procedure with current contact details. Who do you call in a security incident? What are the first steps? How do you communicate internally and externally?
People controls (6.1-6.8)
This category focuses on people and their behaviour. Most security incidents have a human component, so awareness and responsibility are crucial.
6.3 Security awareness training requires all employees be trained. Practically this means annual training for everyone plus regular reminders. Monthly security tips, phishing simulations, or short updates about current threats keep security top-of-mind.
6.7 Remote working is more current than ever. Arranging safe remote work practically means: device management so you know which devices have access, a clear desk policy so sensitive information isn't visible during video calls, and a dedicated VPN or SSL connection for access to critical business systems.
Physical controls (7.1-7.14)
Physical security is increasingly scoped out in small, virtual organisations, but remains relevant. After all, there are still many office environments that provide access to sensitive information via, for example, an archive cabinet in the attic, digital screens on the wall, or poorly secured NAS systems under the desk.
7.1 Physical access control means limited access to offices and especially to spaces where sensitive information is stored. Practical: a badge system for employees, visitor registration, and separated zones for public and secured spaces.
7.7 Clear desk policy requires no sensitive information remains on desks. Practical: screens automatically lock after inactivity, documents cleared away at end of day, confidential documents in locked cabinets.
Technical controls (8.1-8.34)
The technical category contains all IT security controls. These are often most concrete and testable.
8.5 Secure authentication adds the requirement to additionally secure critical access beyond passwords. Practical: SMS, authenticator app, or hardware token for all critical systems. Start with admin accounts and systems with customer data, then expand.
8.7 Malware protection means centrally managed antivirus with automatic updates. You want one console where you can see whether all devices are protected and whether threats have been detected.
8.13 Information backup requires regular backups of critical data. Practical: automatic cloud backup daily, and at least monthly an (automatic) restore test to check whether backups actually work. Backups you never test aren't backups.
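To make the "monthly restore test" from 8.13 concrete, here is an added example (not Tidal's code, and not part of the original guide) that builds a constructed tar.gz backup with a SHA-256 manifest, restores it into a scratch directory, and verifies every file. The sample files, paths and hashes are all constructed for the example; unreadable archives, missing files and hash mismatches each make the test fail.

```python
"""Automated backup restore test for control 8.13 (added example, not Tidal's code).
A constructed backup is restored into a temp dir and every file is checked against
a SHA-256 manifest, so a backup that "exists" but cannot be restored intact fails.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample data standing in for the "critical data" being backed up.
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "config/app.ini": b"[app]\nmfa=required\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Return (archive_bytes, manifest); manifest maps path -> expected sha256."""
    manifest = {path: sha256_bytes(content) for path, content in files.items()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue(), manifest


def restore_test(archive: bytes, manifest: dict) -> dict:
    """Restore into a scratch dir and verify; "ok" is True only if all files match."""
    result = {"ok": False, "verified": [], "mismatched": [], "missing": []}
    with tempfile.TemporaryDirectory() as scratch:
        scratch = os.path.realpath(scratch)
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
                for member in tar.getmembers():
                    if not member.isfile():
                        continue
                    target = os.path.realpath(os.path.join(scratch, member.name))
                    if not target.startswith(scratch + os.sep):
                        continue  # refuse entries that would escape the scratch dir
                    os.makedirs(os.path.dirname(target), exist_ok=True)
                    with tar.extractfile(member) as src, open(target, "wb") as dst:
                        dst.write(src.read())
        except Exception:  # any read/decompress error means the restore failed
            return result
        for path, expected in manifest.items():
            target = os.path.join(scratch, path)
            if not os.path.isfile(target):
                result["missing"].append(path)
                continue
            with open(target, "rb") as f:
                bucket = "verified" if sha256_bytes(f.read()) == expected else "mismatched"
            result[bucket].append(path)
    result["ok"] = not (result["mismatched"] or result["missing"])
    return result
```

In a real setup the manifest is written at backup time and stored separately from the archive, and the result dict is what you keep as evidence for the auditor.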
8.15 Event logging means tracking who does what when in your systems. Practical: central log management where all important events go, and security monitoring that detects abnormal behaviour. This helps with incident response and forensic investigation.
Documentation checklist: what you really need
ISO 27001 requires certain documentation, but the standard doesn't prescribe exactly what that documentation must look like. However, controls and procedures that are executed frequently and by multiple people usually must be documented so they are carried out consistently. Below are the mandatory documents an auditor wants to see, plus recommended documents that make your life easier.
Mandatory documents (13 documents)
These 13 documents are explicitly required by ISO 27001. Without them you cannot be certified.
| Document | Required for | In Tidal |
|---|---|---|
| Organisational context | Clause 4.1 | Policies section |
| ISMS scope | Clause 4.3 | Policies section |
| Information security policy | Clause 5.2 | Policies section |
| Risk management process | Clause 6.1 | Policies section |
| Risk treatment plan | Clause 6.1.3 | Risk module |
| Statement of Applicability | Clause 6.1.3 | Policies section |
| Information security objectives | Clause 6.2 | Policies section |
| Internal audit plan | Clause 9.2 | Documents section |
| Internal audit report | Clause 9.2 | Documents section |
| Management review | Clause 9.3 | Documents section |
| Incident logs | Control 5.24-5.28 | Issues module |
| Corrective actions | Clause 10.1 | Issues module |
| Training records | Clause 7.2 | Upload to task |
Recommended documents (20 documents)
These documents aren't explicitly mandatory but make implementation much easier and are often needed to meet specific Annex A controls.
| Document | Helps with | In Tidal |
|---|---|---|
| Organisational chart | Clause 4.1 | Upload in Documents section |
| Legal and regulatory register | Control 5.31 | Policies section |
| Roles and responsibilities | Clause 5.3 | Policies section |
| Communication structure | Clause 7.4 | Policies section |
| Internal audit programme | Clause 9.2.2 | Policies section |
| Acceptable use policy | Control 5.10 | Policies section |
| Access control policy | Control 5.15 | Policies section |
| Network diagram | Control 8.20 | Upload in Documents section |
| Secure baseline configuration | Annex A Chapter 8 | Policies section |
| Logging & monitoring policy | Control 8.15 | Policies section |
| Incident response plan | Control 5.26 | Policies section |
| Emergency contact list | Control 5.24 | Documents section |
| Change management policy | Control 8.32 | Policies section |
| Secure software development policy | Control 8.25 | Policies section |
| Business continuity plan | Control 5.30 | Policies section |
| Information classification policy | Control 5.12 | Policies section |
| Data retention policy | Control 5.33 | Policies section |
| Privacy policy (GDPR compliance) | Control 5.34 | Policies section |
| Supplier security policy | Control 5.19 | Policies section |
| Physical and environmental security policy | Control 7.1 | Policies section |
The Tidal advantage is that audit-proof templates for all mandatory and optional documents are ready for you. You don't start from scratch but adapt existing, proven templates for your situation.
Certification process: what auditors exactly check
The certification process consists of two phases. Phase 1 is a document review; Phase 2 is a review of all controls, including Annex A. Below is what auditors check in each phase and which findings occur often.
Phase 1 Audit: document review
This phase takes approximately one day for a small organisation and focuses on documents and procedures. The auditor checks whether you have all mandatory documents, whether procedures are logical and complete, whether your Statement of Applicability is correct, and whether management involvement is visible in documentation.
Common findings in Phase 1:
- Missing or inadequate version control on policy documents
- Procedures that don't match reality as described
- Statement of Applicability filled in incorrectly (controls not correctly ticked)
- Unclear scope definition allowing different interpretations
Tidal preparation: the internal audit function shows exactly what's missing or needs improvement before the external audit starts.
Phase 2 Audit: complete assessment
This phase takes two days for a small organisation and focuses on implementation and effectiveness. The auditor checks whether procedures are actually followed, whether technical controls are implemented, whether the team is aware of their responsibilities, and whether the management review cycle really works.
The auditor conducts interviews with different people:
- ISMS manager about daily practice
- IT administrator about technical controls and configurations
- Random employees about security awareness
- Management about commitment and the management review
Common findings in Phase 2:
- Gap between written procedure and what really happens
- Technical implementation that is documented but missing in practice
- Employees not aware of procedures relevant to them
- Management review too superficial without real decision-making
Tidal evidence: all evidence is directly available for the auditor. No searching for screenshots or documents, everything is structured and accessible.
After the audit
The certificate is issued 2 to 4 weeks after a successful audit. Validity period is three years. Surveillance audits occur annually and take approximately one day—they check whether you maintain the level. Recertification after three years is comparable to the initial audit.
Maintenance after certification: maintaining the rhythm
Certification isn't the endpoint but the beginning of ongoing maintenance. Below are the tasks you must do, and when, to remain compliant.
Monthly tasks (2-3 hours)
- Check the compliance dashboard in Tidal for deviations
- Assess new risks arising from changes or incidents
- Conduct access reviews for critical systems
- Update security metrics for management reporting
Quarterly tasks (4-6 hours)
- Review policy documents—are they still current or must something be adjusted?
- Plan training—who needs refresher course, are there new employees?
- Conduct vendor assessments for new suppliers
- Analyse incident trends—do you see patterns needing attention?
Annual tasks (2-3 days)
- Conduct a complete risk assessment revision
- Conduct the internal audit or have it conducted
- Prepare the management review and hold it with management
- Prepare the surveillance audit
Tidal support means you need 60% less time for these maintenance activities compared to manual systems. Automatic reminders ensure you forget nothing, compliance tracking gives real-time status, and evidence collection for surveillance audits happens automatically.
Frequently asked questions
"How many controls from Annex A must I implement?" There's no minimum number. Focus on controls that actually address your identified risks. Small organisations implement on average 70 to 80 controls. Large, complex organisations can implement all 93, but that's rarely necessary.
"Must each procedure be a separate document?" No, you can combine related procedures. But although it seems handy to put all "ISO 27001" policy in one large document, this leads to problems long-term. You get ambiguity in the organisation, inadequate management because nobody will read a fifty-page document, and duplicate work once other compliance requirements arise.
"How specific must procedures be?" Specific enough that a new employee can follow the procedure, but not so detailed that updates are constantly needed for small changes. Focus on 'what' and 'when', less on 'how'. Give direction, not prescriptions for every possible situation.
"Can we outsource controls?" Yes, you can have certain controls executed by suppliers. But you remain responsible for effectiveness. Document which supplier delivers which control and monitor their performance. An ISO 27001 certificate from your supplier helps, but doesn't release you from your own responsibility.
What you use this reference guide for
This document is intended as a lookup resource, not as a reading book. Bookmark it and come back when you have specific questions about ISO 27001 requirements. If you want more strategic guidance on how to approach ISO 27001, check out our other articles about planning, avoiding pitfalls, and practical implementation tips.
Want to see how Tidal helps you with all requirements mentioned in this reference guide? Contact us for a demo where we show how the platform structures and accelerates implementation.