# ISO 27001 Clause Compliance Register

ISO/IEC 27001:2022 — Clause 4–10 Requirement Compliance Status

Last Updated: 2026-02-20

Owner: Lucas Shin — Security Director


## Clause 4 — Context of the Organisation

| Clause | Requirement | Implementation | Evidence / Records | Status |
|---|---|---|---|---|
| 4.1 | Understanding the organisation and its context | L1 Information Security Policy §2 | — | 🟡 Needs Improvement |
| 4.2 | Understanding the needs and expectations of interested parties | L1 §2 (regulatory alignment), P5 Supplier Policy §2 | Interested parties register required | 🟡 Needs Improvement |
| 4.3 | Determining the scope of the ISMS | L1 §2 (organisational & technical scope) | Standalone Scope Statement recommended | 🟡 Needs Improvement |
| 4.4 | Information security management system | L1 overall + ISMS document structure | — | ✅ Adequate |

## Clause 5 — Leadership

| Clause | Requirement | Implementation | Evidence / Records | Status |
|---|---|---|---|---|
| 5.1 | Leadership and commitment | L1 §4 Governance Structure (CEO, CISO role definitions) | Management review minutes (not yet created) | 🟡 Needs Improvement |
| 5.2 | Policy | L1 Information Security Policy (SEC-POL-ISP-001) | Approved policy document | ✅ Adequate |
| 5.3 | Organisational roles, responsibilities and authorities | L1 §4.1 + Roles & Responsibilities section of each L2 policy | — | ✅ Adequate |

## Clause 6 — Planning

| Clause | Requirement | Implementation | Evidence / Records | Status |
|---|---|---|---|---|
| 6.1.1 | Actions to address risks and opportunities — General | L1 §6 | — | 🟡 Needs Improvement |
| 6.1.2 | Information security risk assessment | L1 §6.1 (mentioned only) | Risk Assessment Methodology document required, Risk Register (Database) required | 🔴 Missing |
| 6.1.3 | Information security risk treatment | L1 §6.2 (4 treatment options mentioned) | Risk Treatment Plan required, SoA required | 🔴 Missing |
| 6.2 | Information security objectives and planning to achieve them | — | Annual security objectives + KPI document required | 🔴 Missing |
| 6.3 | Planning of changes | Document Control section of each policy (version control) | — | ✅ Adequate |

## Clause 7 — Support

| Clause | Requirement | Implementation | Evidence / Records | Status |
|---|---|---|---|---|
| 7.1 | Resources | L1 §4.1 (CEO: resource allocation) | Recommended to include in management review output | 🟡 Needs Improvement |
| 7.2 | Competence | P4 HR Policy §4.3 (Security Awareness) | Competence criteria and assessment records to be added | 🟡 Needs Improvement |
| 7.3 | Awareness | P4 HR Policy §4.3 (onboarding briefing, annual refresher) | Training records (minutes, signatures) | ✅ Adequate |
| 7.4 | Communication | P6 Communications & Media Policy, P4 HR §4.3 (ad-hoc notification) | — | ✅ Adequate |
| 7.5 | Documented information | Document Control section of each policy | ISMS-wide document management procedure recommended | 🟡 Needs Improvement |

## Clause 8 — Operation

| Clause | Requirement | Implementation | Evidence / Records | Status |
|---|---|---|---|---|
| 8.1 | Operational planning and control | L2 P1–P7 policies + L3 procedures | Monitoring items in each policy | ✅ Adequate |
| 8.2 | Information security risk assessment (execution) | — | Risk assessment execution results required (Risk Register) | 🔴 Missing |
| 8.3 | Information security risk treatment (execution) | — | Risk treatment execution results required | 🔴 Missing |

## Clause 9 — Performance Evaluation

| Clause | Requirement | Implementation | Evidence / Records | Status |
|---|---|---|---|---|
| 9.1 | Monitoring, measurement, analysis and evaluation | P1 M365 §8, P2 BYOD (distributed across policies) | Integrated monitoring framework recommended | 🟡 Needs Improvement |
| 9.2 | Internal audit | — | Internal audit programme and result records required | 🔴 Missing |
| 9.3 | Management review | L1 §4.2 (annual review mentioned) | Management review procedure (input/output) and minutes template required | 🔴 Missing |

## Clause 10 — Improvement

| Clause | Requirement | Implementation | Evidence / Records | Status |
|---|---|---|---|---|
| 10.1 | Continual improvement | L1 §4.2 (review cycle defined) | — | 🟡 Needs Improvement |
| 10.2 | Nonconformity and corrective action | — | Nonconformity and corrective action procedure + records required | 🔴 Missing |

## Compliance Status Summary

| Status | Count | Description |
|---|---|---|
| ✅ Adequate | 8 | Covered by current policies/procedures |
| 🟡 Needs Improvement | 8 | Supplement existing documents or add evidence |
| 🔴 Missing | 6 | New process/records creation required |

## 🔴 Critical Missing Items (Priority Actions)

- Risk Assessment & Treatment (6.1.2, 6.1.3, 8.2, 8.3) — Methodology + Risk Register
- Internal Audit Programme (9.2)
- Management Review (9.3) — Procedure + record templates
- Information Security Objectives (6.2)
- Nonconformity & Corrective Action (10.2)
- Statement of Applicability (6.1.3d) — Separate SoA Database