# Most Challenging Clauses in ISO 27001

Professionals cite difficulties with:

* **Clause 4: Context of the Organization**
  * defining the organization’s boundaries
  * determining relevant interested parties
  * documenting the complex interrelationships among processes required by Clause 4.4, showing how processes interact and link to business needs
* **Clause 6: Planning (Risk Assessment and Objectives)**
  * identifying, evaluating, and treating risks
  * choosing a risk methodology
  * ensuring risk assessments meet auditor expectations
* **Clause 9: Performance Evaluation**
  * monitoring, measurement, analysis, and evaluation (especially Clause 9.1): establishing meaningful objectives, gathering relevant metrics, and providing evidence of improvement
* **Clause 10: Improvement (Nonconformity and Corrective Action)**
  * establishing a systematic approach to identifying, investigating, and tracking corrective actions
* **Annex A Control Mapping and Statement of Applicability**
  * the breadth of required controls and the need to justify inclusions and exclusions create confusion