Skip to content

What is an ISMS under ISO/IEC 27001, and what role does Annex A play?

Short answer

ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS): a risk-based, top-down framework of policies, processes, roles, and continual improvement (Plan-Do-Check-Act) governing how an organisation manages information security. Annex A is a reference catalogue of controls. You don't apply them all blindly — you run a risk assessment, decide which controls are needed, and document the include/exclude decisions with justification in a Statement of Applicability (SoA).

ISO/IEC 27001 is the leading international standard for managing information security. Certification proves an organisation runs a working management system, not that it bought a particular tool. Interviewers use this question to separate people who have operated an ISMS from those who have only heard the acronym.

The ISMS

The Information Security Management System is the heart of the standard (clauses 4–10). It requires the organisation to:

  • Understand its context and interested parties.
  • Set leadership commitment, scope, and an information security policy.
  • Run a risk assessment and risk treatment process.
  • Define objectives, resources, competence, and awareness.
  • Monitor, measure, audit, and review performance.
  • Drive continual improvement — the Plan-Do-Check-Act loop.

These management-system clauses are the certifiable requirements. Everything else serves them.

Annex A and the Statement of Applicability

Annex A is a normative reference list of controls (organisational, people, physical, and technological in the 2022 revision). It is not a checklist to implement wholesale. The flow is:

  1. Assess risks to your information assets.
  2. Decide on a risk treatment plan.
  3. Select the Annex A controls that address those risks.
  4. Record every control's status — applicable or excluded, with justification — in the Statement of Applicability (SoA).

ISO/IEC 27002 provides the implementation guidance for those controls.

Why this matters

The strongest answer stresses that 27001 is risk-driven: controls follow from risk, and the SoA is the document that links them. Candidates who think Annex A is a mandatory, all-or-nothing checklist have misread the standard.

Likely follow-ups

  • What goes into a Statement of Applicability and why does the auditor care about exclusions?
  • How does ISO/IEC 27002 relate to Annex A of ISO/IEC 27001?
  • What does the certification audit cycle (Stage 1, Stage 2, surveillance) look like?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.