What is an ISMS?
An Information Security Management System is a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes, and technology within a defined scope, and requires:- Identifying information security risks
- Selecting and implementing controls to treat those risks
- Monitoring and measuring the effectiveness of those controls
- Continually improving the system based on performance data
The Plan-Do-Check-Act cycle
ISO 27001 is built around the Plan-Do-Check-Act (PDCA) continual improvement model:| Phase | ISO 27001 activities | ISOwl support |
|---|---|---|
| Plan | Define scope, conduct risk assessment, select controls | Clauses 4–6, Risk Management, Annex A |
| Do | Implement controls, train staff, manage documentation | Clauses 7–8, Evidence, Asset Management |
| Check | Internal audits, performance measurement, management review | Clause 9, Audit, Dashboard |
| Act | Correct nonconformities, drive improvement | Clause 10, Findings |
Standard structure
ISO 27001 consists of ten clauses. Clauses 1–3 are introductory. Clauses 4–10 are normative (mandatory) and contain all the shall requirements. Annex A is a normative reference to ISO 27002.| Clause | Title | Normative |
|---|---|---|
| 1 | Scope | No |
| 2 | Normative references | No |
| 3 | Terms and definitions | No |
| 4 | Context of the organisation | Yes |
| 5 | Leadership | Yes |
| 6 | Planning | Yes |
| 7 | Support | Yes |
| 8 | Operation | Yes |
| 9 | Performance evaluation | Yes |
| 10 | Improvement | Yes |
| Annex A | Information security controls reference | Yes |
ISOwl feature mapping
Every normative clause and Annex A maps to one or more ISOwl modules:| Clause | Name | ISOwl feature |
|---|---|---|
| 4 | Context of the organisation | Clauses 4–10 — Clause 4 section |
| 5 | Leadership | Clauses 4–10 — Clause 5 section |
| 6 | Planning | Clauses 4–10 — Clause 6 section + Risk Management |
| 7 | Support | Clauses 4–10 — Clause 7 section + Evidence |
| 8 | Operation | Clauses 4–10 — Clause 8 section |
| 9 | Performance evaluation | Clauses 4–10 — Clause 9 section + Audit |
| 10 | Improvement | Clauses 4–10 — Clause 10 section + Findings |
| Annex A | Controls reference | Annex A |
Clauses 4–10: requirement tracking
ISOwl tracks conformance at the requirement level within each clause. The Clauses catalog defines the full three-level hierarchy (Clause → Subclause → Requirement). Each requirement can be assigned:- A conformance status (e.g. Not started, In Progress, Implemented, Not applicable)
- A maturity level from 0 to 5
- An owner and last review date
- Free-text notes
Annex A
Annex A of ISO 27001 contains a normative list of 93 information security controls, organized into four themes. Organisations must reference these controls during their risk treatment process and produce a Statement of Applicability (SoA) that declares which controls are applicable and why. Annex A is a reference to ISO 27002:2022, which provides implementation guidance for each control.Annex A controls
Evaluate and track all 93 ISO 27002:2022 controls within ISOwl’s Annex A module.
SoA export
Export your Statement of Applicability as a structured document.
Certification
ISO 27001 certification is granted by an accredited certification body (CB) after a two-stage audit:- Stage 1 — Documentation review: the auditor reviews your ISMS documentation to confirm it meets the standard’s requirements.
- Stage 2 — Conformance audit: the auditor verifies that your ISMS is operating effectively in practice.
ISO 27001 certification requires an external audit by an accredited body. ISOwl supports your preparation and ongoing conformance — it does not replace the formal certification process.
Related references
ISO 27002
The companion implementation guidance standard that defines each of the 93 Annex A controls.
ISO 31000
The risk management standard that underpins ISOwl’s risk assessment methodology.
Clauses catalog
Technical reference for the
ISO_27001_CLAUSES data structure.ISO controls
Technical reference for the
ISO_CONTROLS array and domain structure.