Most Challenging Clauses in ISO 27001
Professionals cite difficulties with:
- Clause 4: Context of the Organization
  - defining the organization's boundaries (the ISMS scope)
  - determining the relevant interested parties and their requirements
  - documenting the complex interrelationships among processes required by Clause 4.4, showing how processes interact and link to business needs
- Clause 6: Planning (Risk Assessment and Objectives)
  - identifying, evaluating, and treating risks
  - choosing a risk methodology
  - ensuring risk assessments meet auditor expectations
- Clause 9: Performance Evaluation
  - monitoring, measurement, analysis, and evaluation (especially Clause 9.1): establishing meaningful objectives, gathering relevant metrics, and providing evidence of improvement
- Clause 10: Improvement (Nonconformity and Corrective Action)
  - establishing a systematic approach to identifying, investigating, and tracking corrective actions
- Annex A Control Mapping and Statement of Applicability
  - the breadth of required controls and the need to justify each inclusion or exclusion in the Statement of Applicability create confusion