What is ISO/IEC 27001?+
ISO/IEC 27001 is the international management-system standard for information security. It helps organisations define the scope of their Information Security Management System, assess information-security risks, treat those risks, maintain a Statement of Applicability, implement appropriate controls, and prove that security governance is operating through records, reviews, audits, and continual improvement.
How is ISO 27001 different from ISO 9001?+
ISO 9001 is focused on quality management and consistent delivery of products and services. ISO 27001 is focused on confidentiality, integrity, and availability of information. They share management-system structure, but ISO 27001 adds information-security risk assessment, risk treatment, the Statement of Applicability, and Annex A control evidence.
What is an ISMS?+
An ISMS is an Information Security Management System. It defines the people, policies, processes, assets, risks, controls, monitoring, audits, and improvement routines used to manage information security. For SMEs, the hard part is usually not writing a policy; it is proving that asset ownership, access control, supplier security, incident handling, backups, continuity, and management review are actually operating.
What does ISO 27001 Clause 4 require for context and ISMS scope?+
Clause 4 requires the organisation to understand internal and external issues, interested-party requirements, and the boundaries of the ISMS. Practically, that means defining which teams, systems, locations, products, services, suppliers, and information assets are in scope, and making the scope clear enough that risks and controls can be assessed consistently.
What does ISO 27001 Clause 5 require from leadership?+
Clause 5 requires leadership to own the ISMS, approve an information-security policy, assign responsibilities, provide resources, and make security part of normal business governance. Useful evidence includes signed policy approval, role assignments, security objectives, leadership decisions, management review minutes, and proof that responsibilities are understood.
What does ISO 27001 Clause 6 require for information-security risk planning?+
Clause 6 requires a risk assessment process, risk acceptance criteria, assessment of information-security risks, treatment planning, security objectives, and planning for change. ROTIX.IO templates support this with risk methodology, asset inventory, risk register, risk treatment plan, objectives, and Statement of Applicability records.
What is the difference between ISO 27001 risk assessment and risk treatment?+
Risk assessment identifies and evaluates information-security risks, usually by considering assets, threats, vulnerabilities, likelihood, impact, and current controls. Risk treatment decides what to do about those risks: reduce them with controls, transfer them, avoid them, or accept them. The treatment decisions should link to owners, deadlines, Annex A controls, and evidence.
What is the Statement of Applicability?+
The Statement of Applicability, often shortened to SoA, lists the ISO 27001 Annex A controls, records whether each control is applicable, explains why it is included or excluded, and links the applicable controls back to risk treatment and implementation evidence. It is one of the central ISO 27001 documents and is included in the ROTIX.IO ISO 27001 Template Library.
What does ISO 27001 Clause 7 require for support, competence, awareness, and documented information?+
Clause 7 covers the support needed to run the ISMS: resources, competence, awareness, communication, and document control. Practical evidence includes training records, awareness activity, communication logs, controlled policies and procedures, version history, document approvals, and proof that staff understand their information-security responsibilities.
What does ISO 27001 Clause 8 require in day-to-day ISMS operation?+
Clause 8 requires the organisation to operate the planned ISMS processes, perform risk assessments at planned intervals or when changes occur, and implement the risk treatment plan. For an SME, this means keeping access reviews, supplier checks, incident logs, backup checks, vulnerability actions, and other control records current rather than treating certification as a one-off paperwork exercise.
What does ISO 27001 Clause 9 require for monitoring, internal audit, and management review?+
Clause 9 requires the organisation to monitor ISMS performance, evaluate whether controls are working, run internal audits, and hold management reviews. Useful evidence includes security metrics, audit plans, audit reports, audit findings, management review agendas, decisions, action logs, and follow-up records showing that issues were closed.
What does ISO 27001 Clause 10 require for improvement and corrective action?+
Clause 10 requires continual improvement and disciplined response to nonconformities. When incidents, audit findings, control failures, or process gaps are found, the organisation should record the issue, investigate causes, define corrective action, assign owners, verify completion, and keep evidence that the fix reduced recurrence risk.
What are ISO 27001 Annex A.5 organisational controls?+
Annex A.5 covers organisational controls such as information-security policies, roles and responsibilities, segregation of duties, contact with authorities, threat intelligence, project security, asset inventory, acceptable use, classification, access control rules, supplier security, cloud services, incident management, continuity, legal requirements, privacy, and independent review. ROTIX.IO exposes these through policy, supplier, asset, incident, continuity, and review templates.
What are ISO 27001 Annex A.6 people controls?+
Annex A.6 covers people-related controls before, during, and after employment. Practical records include screening decisions where appropriate, employment terms, awareness training, acceptable-use acknowledgement, disciplinary process links, remote-working expectations, confidentiality requirements, role changes, access removal, and return of assets when someone leaves.
What are ISO 27001 Annex A.7 physical controls?+
Annex A.7 covers physical security, including secure areas, entry controls, protection against physical and environmental threats, equipment placement, clear desk practices, storage media handling, maintenance, and secure disposal. For many SMEs this is a focused set of practical controls around office access, visitor handling, device protection, home working, and disposal records.
What are ISO 27001 Annex A.8 technological controls?+
Annex A.8 covers technology controls such as endpoint devices, privileged access, identity management, authentication, malware protection, vulnerability management, configuration management, backups, logging, monitoring, network security, secure development, change control, test data, and information deletion. ROTIX.IO templates help turn these into assignable control records rather than isolated IT tasks.
What ISO 27001 templates does ROTIX.IO provide?+
The ISO 27001 Template Library includes a free starter pack covering ISMS scope, information-security policy, risk assessment, and asset inventory. The paid Core Bundle adds 29 templates covering context, roles, risk methodology, risk treatment, SoA, objectives, document control, competence, business continuity, internal audit, management review, nonconformity, acceptable use, access control, suppliers, incidents, HR security, physical security, remote working, cryptography, malware, vulnerability management, backup, network security, and security event records.
Can ISO 9001 and ISO 27001 be implemented together?+
Yes. Both standards use the same management-system structure, so context, leadership, planning, support, operation, performance evaluation, internal audit, management review, and improvement can be coordinated. The integrated approach reduces duplicated governance while still preserving the ISO 27001-specific risk assessment, Statement of Applicability, and Annex A control evidence.