ISO 27001, Mandatory requirements that you must take into account

When an organization begins building a management system, questions and doubts arise about how to apply the requirements of the standard being implemented. For ISO 27001, which sets out the requirements for implementing an Information Security Management System (ISMS), the International Organization for Standardization (ISO) also requires you to comply with its mandatory documentation requirements.

Because this standard follows the high-level structure, you should bear in mind that you are dealing with a standardized system designed for easy integration with internal processes or with other management systems.

The ISO 27001 standard was designed with a "block"-like structure so that one or more further standards can be adapted easily in the future, and the various requirements you must apply are found in the official ISO standard.

It should be noted that there is an Annex A with different sections supporting the risk management the standard requires. Not all of these sections must be taken into account: which ones apply is determined by your line of business. If you have a documented process for a section that does not apply to your line of business, there will be no major problem.


The following sections are intended to provide support so that, when the time comes for your internal audit or certification audit, you will have no major problems with them.

The standard makes it mandatory to document the following items:

  • Scope
  • Information Security Policy
  • Information security risk assessment process
  • Information security risk treatment process
  • Statement of Applicability
  • Information security objectives
  • Evidence of competence
  • Documentation necessary for ISMS effectiveness
  • Documentation necessary for confidence that the processes required for planning and operational control have been carried out as planned
  • Outcome of information security risk assessments
  • Outcome of information security risk treatment
  • Evidence of the results of monitoring and measuring information security performance
  • Internal audit program(s) and audit results
  • Evidence of management review results

The requirements mentioned above are part of the mandatory documentation that must be taken into account.

At QAlliance we have qualified personnel to provide excellent follow-up on the certification of your information security management system and to offer you an immediate and personalized service. Contact us and achieve a higher degree of competitiveness in your organization.
