Study Document 01

ISO 27000 family and ISMS key concepts.

An auditor-focused guide to ISO/IEC 27000 vocabulary, ISO/IEC 27001 requirements, ISO/IEC 27002 control guidance, and the ISMS concepts learners need before attempting ISO 27001 Lead Auditor scenarios.

Learning outcomes

What you should be able to explain after this document.

This document turns the ISO 27000-family standards into a practical mental map for exam preparation and audit judgement.

  • Understand the standard family: explain why the ISO/IEC 27000 family exists and how the main documents support information security management.
  • Separate requirements and guidance: distinguish ISO/IEC 27000 vocabulary, ISO/IEC 27001 requirements, and ISO/IEC 27002 control guidance.
  • Think like an auditor: connect ISMS terms to evidence review, control selection, audit conclusions, and nonconformity wording.

Standards map

The key ISO 27000-family documents and how auditors use them.

A Lead Auditor does not need to memorise every publication number, but should know which document provides vocabulary, requirements, control guidance, implementation support, risk management guidance, or audit support.

For each standard: its primary role, then how a Lead Auditor uses it.

ISO/IEC 27000
  Primary role: Overview and vocabulary for ISMS concepts.
  Lead Auditor use: Use it to understand terms that appear in standards, audit discussions and exam questions.

ISO/IEC 27001
  Primary role: Requirements for establishing, implementing, maintaining and improving an ISMS.
  Lead Auditor use: Use it as certification audit criteria. Clauses 4 to 10 are mandatory when conformity is claimed.

ISO/IEC 27002
  Primary role: Implementation guidance for information security controls.
  Lead Auditor use: Use it to understand control intent and practical evidence. It supports control understanding but does not replace ISO 27001.

ISO/IEC 27005
  Primary role: Information security risk management guidance.
  Lead Auditor use: Useful when reviewing risk assessment, treatment planning and residual risk practices.

ISO/IEC 27007 / 27008
  Primary role: Guidance for ISMS auditing and control assessment.
  Lead Auditor use: Helpful background for audit method, control review and objective evidence evaluation.

Relationship

ISO 27000 vs ISO 27001 vs ISO 27002

  • ISO/IEC 27000 answers: what do the terms and concepts mean?
  • ISO/IEC 27001 answers: what must an organisation do to claim ISMS conformity?
  • ISO/IEC 27002 answers: how can information security controls be understood and applied?

Audit mindset

Controls are not the whole audit.

In an ISO 27001 audit, the auditor checks the management system, the risk process, the Statement of Applicability, control implementation, retained evidence and effectiveness. Annex A controls support the ISMS, but certification depends on the ISO 27001 requirements.

ISMS model

Think of the ISMS as a chain of evidence.

An ISMS is a structured management system for protecting information through risk-based governance, controls, monitoring and continual improvement.

Context and scope

Scope statement, interested-party needs, internal and external issues, process boundaries, interfaces and dependencies.

Leadership and planning

Policy, objectives, responsibilities, risk methodology, risk register, treatment plan and Statement of Applicability.

Operation and evidence

Control operation records, access reviews, supplier evidence, change records, awareness records and incident logs.

Performance evaluation

Monitoring, measurement, internal audit, management review, performance trends and audit outputs.

Improvement

Nonconformities, root cause analysis, corrective action, effectiveness checks and improvement records.

Audit conclusion

The auditor connects requirement, evidence and judgement to determine conformity or nonconformity.

Vocabulary

Key terms for Lead Auditor candidates.

The wording below is a learner explanation. It does not replace formal definitions in authorised standards.

Information security

Protection of information so it remains appropriately confidential, accurate and available when needed.

Risk treatment

The decision and action taken to modify, accept, avoid or share information security risk.

Statement of Applicability

A controlled record explaining which Annex A controls apply, which do not, and why.

Objective evidence

Verifiable information that supports an audit conclusion. It is stronger than opinion or intention.

Nonconformity

Failure to meet a requirement. Good NCR wording links requirement, evidence and specific failure.

Documented information

Information that must be controlled and maintained or retained by the organisation.

Clause map

ISO 27001:2022 from an auditor’s perspective.

A practical auditor moves from clause intent to evidence. The map below is a revision aid, not a reproduction of the standard.

Clause 4: Context

Check scope, interested parties, internal and external issues, boundaries and dependencies.

Clause 5: Leadership

Check policy, responsibility, accountability, communication and top management commitment.

Clause 6: Planning

Check risk method, risk assessment, treatment decisions, objectives and SoA justification.

Clause 7: Support

Check resources, competence, awareness, communication and documented information control.

Clause 8: Operation

Check operational planning, risk treatment execution, outsourced processes and control operation.

Clauses 9 and 10

Check monitoring, internal audit, management review, corrective action and continual improvement.

Annex A

How ISO 27002 supports control understanding.

ISO/IEC 27001:2022 uses Annex A as a reference set of controls. ISO/IEC 27002:2022 helps learners understand control intent and practical implementation.

Annex A groups its controls into four themes:

  • Organizational (37 controls): governance, policies, supplier relationships, threat intelligence, change, incident and continuity management.
  • People (8 controls): screening, employment terms, awareness, disciplinary process, confidentiality, remote work and reporting.
  • Physical (14 controls): physical perimeters, secure areas, equipment protection, clear desk practices and utility support.
  • Technological (34 controls): endpoint, network, access, logging, malware, backup, cryptography, secure development and monitoring controls.

Audit trace

Trace from risk assessment to treatment plan, SoA, selected controls, implementation records and effectiveness evidence.

Common mistake

Do not treat Annex A as a simple checklist. The control set must be justified by the organisation’s risk and context.
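The audit trace above (risk assessment to treatment plan to SoA to selected controls to evidence) and the "controls must be justified by risk and context" point can be made concrete as a consistency check an auditor might script over an organisation's records. The example below is added here and is not part of the KISCyber guide or any ISO publication; the risk register, SoA entries, evidence references and the `Risk`, `SoaEntry`, `trace_soa` and `ncr_lines` names are all constructed for illustration. The Annex A control numbers used as sample identifiers are the ISO/IEC 27001:2022 numbers for backup, logging, monitoring, clear desk and threat intelligence, but the records attached to them are invented. The clause labels on each finding follow this page's clause map (Clause 6 for planning and SoA justification, Clause 8 for control operation), which is also where practice prompt 3 (an exclusion with no justification) lands.

```python
from dataclasses import dataclass

# All records below are constructed sample data for this example, not from any real ISMS.


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    treatment: str        # modify / accept / avoid / share, as used on the page
    controls: tuple       # Annex A controls selected by the treatment plan


@dataclass(frozen=True)
class SoaEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str = ""   # why included (risk or context) or why excluded
    evidence: tuple = ()      # retained implementation / effectiveness records


# Constructed risk register: two treated risks, one accepted risk.
RISKS = (
    Risk("R-01", "Ransomware on file servers", "modify", ("A.8.13", "A.8.15", "A.8.16")),
    Risk("R-02", "Printed records left on desks", "modify", ("A.7.7",)),
    Risk("R-03", "Loss of an isolated test lab", "accept", ()),
)

# Constructed Statement of Applicability with deliberate gaps to exercise the check.
SOA = (
    SoaEntry("A.8.13", "Information backup", True, "Treats R-01",
             ("backup-policy-v3", "restore-test-record-Q1")),
    SoaEntry("A.8.15", "Logging", True, "Treats R-01"),            # no evidence retained
    SoaEntry("A.7.7", "Clear desk and clear screen", False),       # excluded, no justification
    SoaEntry("A.5.7", "Threat intelligence", True),                # no risk link, no evidence
)


def trace_soa(risks, soa):
    """Walk the chain risk -> treatment plan -> SoA -> evidence and return
    findings as (control_id, clause, description) tuples.

    Clause labels follow the page's clause map: 6 for planning / SoA
    justification, 8 for control operation and its retained evidence."""
    # Controls a "modify" treatment relies on; accepted/avoided/shared risks select none here.
    selected = {c for r in risks if r.treatment == "modify" for c in r.controls}
    findings = []
    for e in soa:
        if not e.applicable:
            if not e.justification.strip():
                findings.append((e.control_id, "Clause 6", "excluded without justification"))
            if e.control_id in selected:
                findings.append((e.control_id, "Clause 6",
                                 "excluded but selected by a risk treatment plan"))
            continue
        # An applicable control must be traceable to a treated risk or justified from context.
        if e.control_id not in selected and not e.justification.strip():
            findings.append((e.control_id, "Clause 6",
                             "applicable but neither linked to a treated risk nor justified from context"))
        if not e.evidence:
            findings.append((e.control_id, "Clause 8",
                             "applicable but no operation or effectiveness evidence retained"))
    # Controls the treatment plan depends on must appear in the SoA at all.
    listed = {e.control_id for e in soa}
    for c in sorted(selected - listed):
        findings.append((c, "Clause 6", "selected in a treatment plan but missing from the SoA"))
    return findings


def ncr_lines(findings):
    """Render each finding in the requirement / control / specific-failure shape
    the page recommends for nonconformity wording."""
    return [f"{clause}: control {cid}: {desc}" for cid, clause, desc in findings]


if __name__ == "__main__":
    for line in ncr_lines(trace_soa(RISKS, SOA)):
        print(line)
```

Run as-is it reports six findings on the constructed data; A.8.13 produces none because it is selected by a treated risk, marked applicable, and backed by retained records, which is exactly the unbroken trace the auditor is looking for. A real check would read the register and SoA from the organisation's documented information rather than from constants.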

Revision checklist

Before moving to clause-wise notes, confirm you can explain:

  • Why ISO 27001 is certifiable and ISO 27002 is guidance.
  • Why Clauses 4 to 10 matter before discussing Annex A controls.
  • How risk assessment, treatment, SoA and selected controls connect.
  • Why objective evidence is different from a verbal statement.
  • Why controls may be excluded with justification, while ISO 27001 requirements cannot be excluded when conformity is claimed.

Practice prompts

Use these for self-checking.

  1. A manager says the organisation is certified because it implemented most Annex A controls. What would you check first?
  2. A cloud service is outside scope but hosts customer data. What scope issue might this create?
  3. The SoA says a control is not applicable, but gives no justification. What audit concern does this raise?
  4. An auditor receives only a verbal assurance that access reviews are performed. What evidence would make the claim verifiable?

Use note

This is a KISCyber learner guide.

This page is an original paraphrased training summary using user-provided ISO 27000, ISO 27001, ISO 27002 and CQI/IRCA exam-framework materials as references. It is not an authorised copy of any ISO standard and should not replace licensed standards, official course material, certification body instructions or exam provider rules.