High Table ISO 27001 Toolkit Logo

ISO 27001 Clauses

ISO 27001 Clause 4.1 – Understanding The Organisation And Its Context

ISO 27001 Clause 4.2 – Understanding The Needs And Expectations of Interested Parties

ISO 27001 Clause 4.3 – Determining The Scope Of The Information Security Management System

ISO 27001 Clause 4.4 – Information Security Management System

ISO 27001 Clause 5.1 – Leadership and Commitment

ISO 27001 Clause 5.3 – Organisational Roles, Responsibilities and Authorities

ISO 27001 Clause 6.1.1 – Planning General

ISO 27001 Clause 6.1.2 – Information Security Risk Assessment

ISO 27001 Clause 6.1.3 – Information Security Risk Treatment

ISO 27001 Clause 6.2 – Information Security Objectives and Planning to Achieve Them

ISO 27001 Clause 6.3 – Planning Of Changes

ISO 27001 Clause 7.1 – Resources

ISO 27001 Clause 7.2 – Competence

ISO 27001 Clause 7.3 – Awareness

ISO 27001 Clause 7.4 – Communication

ISO 27001 Clause 7.5.1 – Documented Information

ISO 27001 Clause 7.5.2 – Creating and Updating Documented Information

ISO 27001 Clause 7.5.3 – Control of Documented Information

ISO 27001 Clause 8.1 – Operational Planning and Control

ISO 27001 Clause 8.2 – Information Security Risk Assessment

ISO 27001 Clause 8.3 – Information Security Risk Treatment

ISO 27001 Clause 9.1 – Monitoring, Measurement, Analysis, Evaluation

ISO 27001 Clause 9.2 – Internal Audit

ISO 27001 Clause 9.3 – Management Review

ISO 27001 Clause 10.1 – Continual Improvement

ISO 27001 Clause 10.2 – Nonconformity and Corrective Action

ISO 27001 Organisation Controls

ISO 27001 Annex A 5.1: Policies for information security

ISO 27001 Annex A 5.2: Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3: Segregation of duties

ISO 27001 Annex A 5.4: Management responsibilities

ISO 27001 Annex A 5.5: Contact with authorities

ISO 27001 Annex A 5.6: Contact with special interest groups

ISO 27001 Annex A 5.7: Threat intelligence

ISO 27001 Annex A 5.8: Information security in project management

ISO 27001 Annex A 5.9: Inventory of information and other associated assets

ISO 27001 Annex A 5.10: Acceptable use of information and other associated assets

ISO 27001 Annex A 5.11: Return of assets

ISO 27001 Annex A 5.12: Classification of information

ISO 27001 Annex A 5.13: Labelling of information

ISO 27001 Annex A 5.14: Information transfer

ISO 27001 Annex A 5.15: Access control

ISO 27001 Annex A 5.16: Identity management

ISO 27001 Annex A 5.17: Authentication information

ISO 27001 Annex A 5.18: Access rights

ISO 27001 Annex A 5.19: Information security in supplier relationships

ISO 27001 Annex A 5.20: Addressing information security within supplier agreements

ISO 27001 Annex A 5.21: Managing information security in the ICT supply chain

ISO 27001 Annex A 5.22: Monitoring, review and change management of supplier services

ISO 27001 Annex A 5.23: Information security for use of cloud services

ISO 27001 Annex A 5.24: Information security incident management planning and preparation

ISO 27001 Annex A 5.25: Assessment and decision on information security events

ISO 27001 Annex A 5.26: Response to information security incidents

ISO 27001 Annex A 5.27: Learning from information security incidents

ISO 27001 Annex A 5.28: Collection of evidence

ISO 27001 Annex A 5.29: Information security during disruption

ISO 27001 Annex A 5.30: ICT readiness for business continuity

ISO 27001 Annex A 5.31: Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32: Intellectual property rights

ISO 27001 Annex A 5.33: Protection of records

ISO 27001 Annex A 5.34: Privacy and protection of PII

ISO 27001 Annex A 5.35: Independent review of information security

ISO 27001 Annex A 5.36: Compliance with policies and standards for information security

ISO 27001 Annex A 5.37: Documented operating procedures

ISO 27001 People Controls

ISO 27001 Annex A 6.1: Screening

ISO 27001 Annex A 6.2: Terms and conditions of employment

ISO 27001 Annex A 6.3: Information security awareness, education and training

ISO 27001 Annex A 6.4: Disciplinary process

ISO 27001 Annex A 6.5: Responsibilities after termination or change of employment

ISO 27001 Annex A 6.6: Confidentiality or non-disclosure agreements

ISO 27001 Annex A 6.7: Remote working

ISO 27001 Annex A 6.8: Information security event reporting

Home / ISO 27001 / What a CEO should know about ISO 27001

What a CEO should know about ISO 27001

Last updated Oct 22, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 What a CEO should know

If you are a CEO or senior management looking to do ISO 27001 then this is everything you need to know. These are the facts no one else will tell you, and rather than the usual benefits and upsells we will cut straight to the nitty gritty and the reality of the ISO 27001 standard. Ready?

Table of contents

ISO 27001 is not an information security standard

The first shocking fact is that ISO 27001 is not an information security standard.

What it actually is: ISO 27001 is an information security management standard

And more than that: ISO 27001 is an information security risk management standard.

This is one of those facts that can blow your mind.

If the expectation is that this standard will tell you what security to put in place, set out some rules on what you need to do and make you more secure then you are sadly mistaken.

What is ISO 27001?

ISO 27001 is a very straightforward and easy to implement management system. It sets out how you manage information security in your organisation. At its heart is risk management and this is where it gets interesting.

If you are managing information security and you are managing risk, you will get your ISO 27001 certification.

Note here at no point have I referenced any technical requirements, or made reference to how you operate.

To be clear, this is about managing information security and managing risk.

If anyone says to you – we have to do X now because of ISO 27001 then they are probably mistaken.

It is very possible to have incredibly weak information security with little to no information security controls and still pass the audit and get certified.

I would not advise it, clearly. But it is possible.

What is the minimum you need to do?

The bare minimum you need to do is implement the basic ISO 27001 clauses from the standard – I even show you how to do it and give you step-by-step guides with videos, for free, in the ISO27001:2022 Reference Guide

In outline you are going to:

  • Define some roles
  • Allocate people
  • Write some policies
  • Do risk management
  • Audit and review yourself
  • Continually improve.

I have to re-state that it is not that hard.

ISO 27001 Toolkit
Get the Small Business ISO 27001 Toolkit >
ISO 27001 Toolkit Business Edition
ISO 27001 Toolkit Consultant Edition

I don’t understand – how can I be insecure and still certify?

The answer is simple, this is about risk management. The only requirement on your actual security is that you are managing risk. Risk management is a beautiful thing because it allows you and encourages you and wants you to implement security to a level that is appropriate to you and proportionate to you.

You identify your risks and you implement the level of security you need.

And guess what?

If it turns out you don’t need or want to implement some security, you don’t have to. You can just accept the risk.

There is a middle ground here, for sure, but to answer the question of what is the bare miniimum you can get away with and still ‘pass’, the answer is shockingly straightforward.

The standard is pointless then?

I can see your perspective and it is not without it’s challenges. The level of how pointless it is for you is really down to your context. Let’s explore.

Clients Need

The main focus of having this standard as a CEO is going to be client need and commercial benefit. If someone won’t do business with you unless you have it then you have a choice. Get it and do business. Or don’t get it and move on to the next client opportunity.

What does having it actually tell my clients?

When you get ISO 27001 certification the only thing that it is telling your clients is that you are managing information security and you are managing your risks and this has been independently assessed as being true.

That is it.

What this translates to in reality is that anyone that does what I do for a living will follow up with further questions, document requests and audits of you to assess the actual level of security that you have implemented.

Those clients questionnaires are never going to stop.

Why does it cost so much?

You want the truth? People will charge you what they can. There is an entire industry that comes together to make this look and sound so hard that your only option is to seek outside help and the silver bullet services they offer and the premium price point they offer them.

They have their place.

This is about market forces, supply and demand and no one in an industry wanting to break ranks, so you get charged what they think they can charge you. Simple.

Is it worth doing?

It is worth doing. When you understand what it is, it is worth doing. Effectively managing information security and information security risk is valuable and those benefits are what most people will lead with.

When you understand this about managing then the value comes from that management.

Of course, you also get a certificate to stick on the wall and share with people.

Tags:
ISO 27001 Toolkit Business Edition
ISO 27001 Toolkit: Business Edition
ISO 27001 Toolkit: Consultant Edition
Stuart Barker, ISO 27001 expert

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.