---
title: ISO 27001 reference guide
description: Detailed reference for requirements, controls and processes
sidebar_position: 4
---
ISO 27001 reference guide
This reference guide contains detailed information about ISO 27001 requirements and implementation. Use it as a lookup guide during your project.
Requirements overview: Clauses 4-10
Clause 4: Context of the organization
What you must do:
- Identify internal and external factors that influence information security
- Determine stakeholders and their requirements
- Define ISMS scope clearly and measurably
Practical execution:
- Determine which regulations from Tidal's inventories of laws and regulations apply to your organization (GDPR, HIPAA, etc.)
- Inventory customer and partner requirements using Tidal's context analysis
- Document which information and systems fall within scope in the Scope document
Clause 5: Leadership
What you must do:
- Management shows active involvement
- Establish information security policy
- Assign roles and responsibilities
- Provide resources and support
Practical execution:
- Management signs policy and communicates it
- Appoint ISMS manager with mandate
- Plan budget for implementation and maintenance
- Schedule information security in management meetings
In Tidal: Document in Tidal policies, management dashboard shows progress, escalations for unresolved issues.
Clause 6: Planning
What you must do:
- Conduct risk analysis
- Establish security objectives
- Select appropriate measures
- Create implementation plan
Practical execution:
- Identify threats specific to your business
- Determine impact and likelihood per risk
- Choose controls from Annex A that cover risks
- Plan implementation with deadlines and responsible parties
In Tidal: Risk assessment with AI, automatic control mapping, project planning tools.
Clause 7: Support
What you must do:
- Ensure competent employees
- Provide security awareness training
- Document procedures and policies
- Establish communication channels
Practical execution:
- Train ISMS team in ISO 27001 basics
- Organize security awareness for all employees
- Create workable procedures (max 1-2 pages)
- Establish incident reporting channel
In Tidal: Document training progress, document templates, awareness campaign tools.
Clause 8: Operation
What you must do:
- Implement planned measures
- Execute risk treatment
- Monitor implementation progress
- Document executed actions
Practical execution:
- Install technical measures (antivirus, firewalls, etc.)
- Implement organizational procedures
- Test whether measures actually work
- Track which risks are covered
In Tidal: Work on implementation tasks, review the results of automatic tests, monitor progress with KPIs.
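The two steps above that need bookkeeping, scoring impact and likelihood per risk and choosing Annex A controls that cover each risk (Clause 6), then tracking which risks are actually covered (Clause 8), can be expressed as a small risk register with a coverage check. The following is an added example written for this guide, not Tidal's own code or data model: the risk entries, scores, owners and treatment threshold are constructed for illustration, and the Annex A catalogue excerpt only lists the control numbers and titles this guide already names.

```python
"""Risk register with control-coverage check (constructed example).

Illustrates Clause 6 (score risks, select Annex A controls that cover them)
and Clause 8 (track which risks are covered). All risks, scores and control
mappings below are invented; they are not from any real assessment.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    id: str
    description: str
    impact: int                      # 1 (negligible) .. 5 (severe)
    likelihood: int                  # 1 (rare) .. 5 (frequent)
    owner: str = "unassigned"        # responsible party for the treatment
    controls: list = field(default_factory=list)  # Annex A control ids chosen

    @property
    def score(self) -> int:
        """Simple impact x likelihood score, as in a 5x5 risk matrix."""
        return self.impact * self.likelihood


# Catalogue excerpt: ids and titles as used in this guide (hypothetical subset)
ANNEX_A = {
    "5.15": "Access control",
    "8.5": "Multi-factor authentication",
    "8.7": "Malware protection",
    "8.13": "Information backup",
    "8.15": "Event logging",
}

# Constructed risk appetite: anything scoring at or above 10 must be treated
TREATMENT_THRESHOLD = 10


def untreated_risks(risks, threshold=TREATMENT_THRESHOLD):
    """Risks that exceed the appetite but have no control assigned yet."""
    return [r for r in risks if r.score >= threshold and not r.controls]


def unknown_controls(risks, catalogue=ANNEX_A):
    """Control ids referenced by a risk but missing from the catalogue (typo guard)."""
    return sorted({c for r in risks for c in r.controls if c not in catalogue})


def statement_of_applicability(risks, catalogue=ANNEX_A):
    """Map every catalogue control to the risk ids that justify it.

    A control with an empty list has no risk-based justification and is a
    candidate for 'not applicable' in the Statement of Applicability.
    """
    soa = {cid: [] for cid in catalogue}
    for r in risks:
        for c in r.controls:
            if c in soa:
                soa[c].append(r.id)
    return soa


def coverage_report(risks, catalogue=ANNEX_A):
    """Human-readable summary, highest-scoring risks first."""
    lines = []
    for r in sorted(risks, key=lambda r: r.score, reverse=True):
        status = "covered" if r.controls else (
            "UNTREATED" if r.score >= TREATMENT_THRESHOLD else "accepted")
        names = ", ".join(f"{c} {catalogue.get(c, '?')}" for c in r.controls)
        lines.append(f"{r.id} score={r.score:2d} {status:9s} owner={r.owner} {names}")
    return "\n".join(lines)


# Constructed sample register
SAMPLE_RISKS = [
    Risk("R1", "Ransomware on file server", 5, 3, "IT admin", ["8.7", "8.13"]),
    Risk("R2", "Credential stuffing on admin portal", 4, 4, "IT admin", ["8.5", "5.15"]),
    Risk("R3", "Undetected unauthorised access to CRM", 4, 3, "ISMS manager"),
    Risk("R4", "Lost visitor badge", 1, 2, "Office manager"),
]

if __name__ == "__main__":
    print(coverage_report(SAMPLE_RISKS))
    print("untreated:", [r.id for r in untreated_risks(SAMPLE_RISKS)])
    print("SoA:", statement_of_applicability(SAMPLE_RISKS))
```

Running it shows R3 as the one risk above the threshold without a control, and 8.15 as the catalogue control no risk justifies yet; both are exactly the gaps a Phase 1 auditor looks for in the Statement of Applicability.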
Clause 9: Performance evaluation
What you must do:
- Monitor effectiveness of measures
- Conduct internal audit
- Hold management review
- Measure security indicators
Practical execution:
- Check monthly whether procedures are followed
- Have independent party audit ISMS
- Discuss findings with management
- Track KPIs like number of incidents, training participation
In Tidal: Automatic monitoring, audit execution (or a work program and reporting templates if you audit yourself), management review reports.
Clause 10: Improvement
What you must do:
- Resolve non-conformities
- Implement improvement actions
- Update procedures where needed
- Document lessons learned
Practical execution:
- Analyze causes of incidents
- Adjust procedures based on new insights
- Communicate changes to team
- Plan preventive measures
In Tidal: Enter Issues, document corrective action plans, and monitor progress of resolution.
Controls library: Annex A practical
Organizational controls (5.1-5.37)
Most important for small businesses:
5.1 Information security policy
- What: Policy document that provides direction
- Practice: 2-3 pages with main rules and responsibilities
5.9 Asset inventory
- What: List of all systems, data and hardware
- Practice: Excel/database with owners and classification
5.15 Access control
- What: Who may access what
- Practice: Least privilege principle, regular reviews
5.24 Incident response planning
- What: Plan for when things go wrong
- Practice: Clear escalation procedure with contact details
People controls (6.1-6.8)
Focus on awareness and responsibility:
6.3 Security awareness training
- What: Train all employees
- Practice: Annual training + monthly tips
6.7 Remote working
- What: Arrange secure remote work
- Practice: VPN, device management, clear desk policy
Physical controls (7.1-7.14)
Relevant for office environments:
7.1 Physical access control
- What: Limited access to office/server room
- Practice: Badge system, visitor registration
7.7 Clear desk policy
- What: Don't leave sensitive information on desk
- Practice: Lock screens, clean up documents
Technological controls (8.1-8.34)
Essential for IT security:
8.5 Multi-factor authentication
- What: Extra verification besides password
- Practice: SMS, app or hardware token for critical systems
8.7 Malware protection
- What: Antivirus on all systems
- Practice: Centrally managed antivirus, automatic updates
8.13 Information backup
- What: Regular backups of critical data
- Practice: Automatic cloud backup, monthly restore test
8.15 Event logging
- What: Track who does what when
- Practice: Central log management, security monitoring
Documentation checklist
Mandatory documents (13 documents)
| Document | Required for | In Tidal |
|---|---|---|
| Organizational context | Clause 4.1 | Policies section |
| Scope of the ISMS | Clause 4.3 | Policies section |
| Information security policy | Clause 5.2 | Policies section |
| Risk management process | Clause 6.1 | Policies section |
| Risk treatment plan | Clause 6.1.3 | Risk module |
| Statement of Applicability | Clause 6.1.3 | Policies section |
| Information security objectives | Clause 6.2 | Policies section |
| Internal audit plan | Clause 9.2 | Policies section |
| Internal audit report | Clause 9.2 | Documents section |
| Management review | Clause 9.3 | Documents section |
| Incident logs | Controls 5.24-5.28 | Issues module |
| Corrective actions | Clause 10.1 | Issues module |
| Training records | Clause 7.2 | Upload to task |
Recommended documents (20 documents)
| Document | Required for | In Tidal |
|---|---|---|
| Organisation chart | Clause 4.1 | Upload in Policies section |
| Register of laws and regulations | Control 5.31 | Policies section |
| Roles and responsibilities | Clause 5.3 | Policies section |
| Communication structure | Clause 7.4 | Policies section |
| Internal audit programme | Clause 9.2.2 | Policies section |
| Acceptable use policy | Control 5.10 | Policies section |
| Access control policy | Control 5.15 | Policies section |
| Network diagram | Control 8.20 | Upload in Policies section |
| Secure configuration baseline | Annex A chapter 8 | Policies section |
| Logging & Monitoring policy | Control 8.15 | Policies section |
| Incident response plan | Control 5.26 | Policies section |
| Emergency contact list | Control 5.24 | Policies section |
| Change management policy | Control 8.32 | Policies section |
| Secure software development policy | Control 8.25 | Policies section |
| Business continuity plan | Control 5.30 | Policies section |
| Information classification policy | Control 5.12 | Policies section |
| Data retention policy | Control 5.33 | Policies section |
| Privacy policy (GDPR compliance) | Control 5.34 | Policies section |
| Supplier security policy | Control 5.19 | Policies section |
| Physical and environmental security policy | Control 7.1 | Policies section |
Tidal advantage: Audit-proof templates are already in Tidal for all mandatory and optional documentation.
Certification process: What auditors check
Phase 1 Audit (Document review)
Duration: 1 day for a small organization
Focus: Documents and procedures
Auditor checks:
- Are all mandatory documents present?
- Are procedures logical and complete?
- Is the Statement of Applicability correct?
- Is management involvement visible?
Common findings:
- Missing or inadequate version control on policies
- Procedures that don't match reality
- Statement of Applicability incorrectly completed
- Unclear scope definition
Tidal preparation: Internal audit shows exactly what's missing.
Phase 2 Audit (On-site assessment)
Duration: 1-2 days for a small organization
Focus: Implementation and effectiveness
Auditor checks:
- Are procedures actually followed?
- Are technical controls implemented?
- Is the team aware of their responsibilities?
- Does the management review cycle work?
Interviews with:
- ISMS manager about daily practice
- IT administrator about technical measures
- Random employees about awareness
- Management about commitment and review
Common findings:
- Gap between written procedure and practice
- Missing technical implementation
- Employees not aware of procedures
- Management review too superficial
Tidal evidence: All evidence directly available for auditor.
After the audit
Certificate issuance: 2-4 weeks after a successful audit
Validity period: 3 years
Surveillance audits: annually, 1 day
Recertification: after 3 years, comparable to the initial audit
Maintenance after certification
Monthly tasks (2-3 hours)
- Check the compliance dashboard in Tidal
- Assess new risks (changes, incidents)
- Run access reviews for critical systems
- Update security metrics
Quarterly tasks (4-6 hours)
- Policy review - are documents still current?
- Training planning - who needs refresher course?
- Vendor assessments - check new suppliers
- Incident trend analysis - identify patterns
Annual tasks (2-3 days)
- Complete risk assessment review
- Conduct the internal audit, or have it conducted
- Prepare and hold the management review
- Prepare for the surveillance audit
Tidal support
- Automatic reminders for all periodic tasks
- Compliance tracking with real-time status
- Evidence collection for surveillance audits
Save time: With Tidal automation, maintenance activities take 70% less time than with manual systems.
Troubleshooting & FAQ
Frequently asked questions
"How many controls from Annex A must I implement?" There is no minimum. Focus on controls that actually address your identified risks. Small organizations typically implement 60-90 controls.
"Must each procedure be a separate document?" No. You can combine related procedures. Although it may seem convenient to put all "ISO 27001" policy in one document, this eventually leads to organizational confusion, poor management, and a handbook that loses relevance and creates duplicate work when other compliance requirements arise (e.g., expansion to the US market, or product development for another target group, such as healthcare).
"How specific should procedures be?" Specific enough that a new employee can follow the procedure, but not so detailed that updates are constantly needed. Focus on 'what' and 'when', less on 'how'.
"Can we outsource controls?" Yes, but you remain responsible. Document which supplier provides which control and monitor their effectiveness.
Common problems
"Surveillance audit finds gap that wasn't there last year"
- Cause: Procedures not updated after changes
- Solution: Implement change management process
- Prevention: Monthly compliance checks in Tidal
"Team doesn't follow procedures"
- Cause: Procedures too complex or not practical
- Solution: Simplify procedures, retrain team
- Prevention: Test procedures with end users before finalization
"Technical controls don't work as intended"
- Cause: Configuration errors, lack of monitoring
- Solution: Technical review, implement monitoring
- Prevention: Automatic compliance checks in Tidal
Still stuck?
Send an email to support@tidalcontrol.com, and we'll get back to you as soon as possible.
Gather support info: Note specifically which requirement is unclear, which steps you've already tried, and what your deadline is for resolution.