
The ISO 27001 Harmonized Structure

| Pavlo Burda | Project Management Security

In this article, we walk through the Harmonized Structure of the ISO 27001 (Chapters 4-10) and explain how to implement it using the Plan-Do-Check-Act (PDCA) cycle. This will be the basis for your Information Security Management System (ISMS) according to the standard.

The “engine” of the ISMS: Chapters 4 to 10

ISO 27001 is structured around Chapters 4-10 (the standard itself calls them clauses): context, leadership, planning, support, operation, performance evaluation, and improvement. This structure is called the Harmonized Structure (previously the High-Level Structure) because it is shared with other ISO management system standards, such as ISO 9001, so an organization that already runs one of them can reuse the same governance skeleton.

A useful way to understand these chapters is to see them as the engine of the ISMS, driven by the PDCA cycle: you Plan what you will do, Do it, Check whether it works, and Act on what you learn. Mapped to ISO 27001, context and leadership set the foundation, planning identifies and treats risks, support and operation implement and run controls, performance evaluation checks results, and improvement strengthens the system over time.

Building the management system described in Chapters 4-10 is the first major phase of ISMS implementation. The second major phase is putting Annex A controls in place and collecting evidence that demonstrates they operate. This is often where practitioners jump in first, but it is usually not the most efficient path: without a scope, a risk assessment and a Statement of Applicability, there is no basis for deciding which controls are needed or for justifying the ones you leave out. Instead, think of Annex A (themes A5 to A8) as the payload you deliver using the management system "engine" in Chapters 4-10. This is why we start with Chapters 4-10 in our training and advisory work.

Note: Annex A controls are out of scope for this article. We cover control implementation in a separate article series.

Chapter 4 – Context. A well-structured ISMS begins by defining what your ISMS covers (and does not cover). This means setting the scope and boundaries, identifying internal and external issues that affect information security, and documenting stakeholder requirements and expectations (including how you communicate with them).

These steps can feel administrative, but they ensure that the ISMS reflects the reality of the company's operations. Practically, you want (1) a clear scope statement in your main ISMS document (often the Information Security Policy), and (2) a structured register of issues and stakeholder requirements. For example: if customers require high availability, that becomes an explicit requirement to address; if you process personal data, confidentiality obligations and GDPR-driven requirements are key external drivers, and regulators become relevant stakeholders. In practice, this information is usually captured in a simple table in a spreadsheet or your preferred workspace tool.

Chapter 5 – Leadership. An ISMS cannot be sustained purely through delegation. ISO 27001 requires leadership to establish the information security policy, set security objectives, assign responsibilities, and ensure adequate resources. Auditors look for more than the existence of documents: they want evidence that governance is operating in practice. That can include leadership participation in relevant training, management communicating about information security when appropriate, and formal management review of ISMS objectives and outcomes.

Chapter 6 – Planning. This 'Plan' step of the PDCA cycle is about planning ahead in the form of risk management and setting measurable objectives. Start by agreeing on which information assets are critical, then run a risk assessment in a workshop with representatives from the relevant departments. Risk management is the core element of the ISO 27001 standard.

Decide which risks you accept versus treat, and capture the outcome in a risk register and a treatment plan. A simple approach is to score probability and impact (for example on a 1-3 scale), compute a risk score (probability x impact), define an acceptance threshold (e.g., 5), and require treatment plans for risks above the threshold. On a 1-3 scale the only possible scores are 1, 2, 3, 4, 6 and 9, so a threshold of 5 means that every risk scoring 6 or 9 must be treated, and everything else may be accepted with a documented reason. Assign clear risk owners and deadlines.

This is a very brief, agile description of risk management. We have a dedicated article on basic risk management for information security. There are many risk management methods and, perhaps, you already have a working method at your company, so keep using that.

A key output of this phase is the Statement of Applicability (SoA): the authoritative record of which Annex A controls are applicable, how they are implemented, and why they are included or excluded. A credible SoA links control decisions back to risks and requirements, rather than becoming an arbitrary checklist.
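The following script is an added example (not code from the original article) of the simple scoring method described above, applied to a constructed risk register: probability and impact on a 1-3 scale, score = probability x impact, mandatory treatment above a threshold of 5, and a consistency check that every treated risk has an owner, a deadline and at least one control that the Statement of Applicability can trace back to. The field names, the sample risks and the control references used (A.8.1, A.8.8, A.8.24 from Annex A of ISO 27001:2022) are assumptions chosen for illustration; adapt them to your own register.

```python
"""Risk register scoring and treatment-plan checks.

Added example for the ISO 27001 risk management step; not part of the original
article. Field names, sample risks and the threshold of 5 are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

ACCEPTANCE_THRESHOLD = 5   # assumed: on a 1-3 scale only scores 6 and 9 exceed it
TODAY = date(2025, 1, 15)  # constructed "review date" for the sample run


@dataclass
class Risk:
    risk_id: str
    description: str
    probability: int                 # 1 (rare) .. 3 (likely)
    impact: int                      # 1 (minor) .. 3 (severe)
    owner: str = ""
    deadline: Optional[date] = None  # when the treatment must be in place
    treatment: str = ""              # "accept", "mitigate", "transfer" or "avoid"
    controls: List[str] = field(default_factory=list)  # Annex A references

    @property
    def score(self) -> int:
        return self.probability * self.impact


def needs_treatment(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    """True when the risk exceeds the acceptance threshold."""
    return risk.score > threshold


def check_register(risks: List[Risk], today: date,
                   threshold: int = ACCEPTANCE_THRESHOLD) -> List[str]:
    """Return the gaps an internal auditor would raise against the register."""
    findings: List[str] = []
    for r in risks:
        if not (1 <= r.probability <= 3 and 1 <= r.impact <= 3):
            findings.append(f"{r.risk_id}: probability/impact outside the 1-3 scale")
            continue
        if not needs_treatment(r, threshold):
            continue  # acceptable risk: no treatment plan required
        if r.treatment in ("", "accept"):
            findings.append(f"{r.risk_id}: score {r.score} > {threshold} "
                            f"but treatment is '{r.treatment or 'missing'}'")
        if not r.owner:
            findings.append(f"{r.risk_id}: no risk owner assigned")
        if r.deadline is None:
            findings.append(f"{r.risk_id}: no treatment deadline")
        elif r.deadline < today:
            findings.append(f"{r.risk_id}: treatment deadline {r.deadline} is overdue")
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{r.risk_id}: mitigation names no controls, "
                            "so the SoA cannot trace back to this risk")
    return findings


def soa_justification(risks: List[Risk]) -> Dict[str, List[str]]:
    """Map each control referenced by a treatment plan to the risks justifying it."""
    justification: Dict[str, List[str]] = {}
    for r in risks:
        for control in r.controls:
            justification.setdefault(control, []).append(r.risk_id)
    return justification


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("R-01", "Unpatched internet-facing server exploited", 3, 3,
         "Head of IT", date(2025, 3, 31), "mitigate", ["A.8.8"]),
    Risk("R-02", "Laptop holding customer data lost", 2, 3,
         "", None, "mitigate", ["A.8.1", "A.8.24"]),
    Risk("R-03", "Office printer outage", 2, 1,
         "Office manager", None, "accept", []),
    Risk("R-04", "Cloud provider outage", 2, 3,
         "CTO", date(2025, 6, 30), "accept", []),
]


def sample_findings() -> List[str]:
    return check_register(SAMPLE_RISKS, TODAY)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
    print(soa_justification(SAMPLE_RISKS))
```

Run against the sample register, R-01 passes, R-03 is below the threshold and needs nothing, R-02 is flagged twice (no owner, no deadline) and R-04 is flagged because a score of 6 was simply "accepted" without a documented treatment. The `soa_justification` output is the kind of mapping you want behind each "applicable" row of the Statement of Applicability.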

Chapter 7 – Support. Support is about making the ISMS viable: resources, competence, awareness, and communication. This includes defining an information security team (or function) with enough time and capability to operate the ISMS, and ensuring the wider organization receives appropriate training and awareness.

In practice, the security team should have the capacity to meet regularly and coordinate work on incidents, changes, plans, and monitoring. Management should also communicate about information security where relevant (for example, publishing the IS policy where appropriate). Allocating real time and resources is often the strongest demonstration of support.

Many organizations embody their ISMS in the tools they already use, such as SharePoint, Atlassian, Google Workspace, Notion, and similar platforms. Some teams also use dedicated compliance platforms such as Vanta or Drata, which are designed to organize controls, evidence, and progress in one place.

Chapter 8 – Operation. This is where most implementation work happens: the Do step of PDCA. The goal is to execute what you planned in Chapter 6, especially risk treatment. Because this work is ongoing and coordinated, an action list in a ticketing system or planning board is essential. Operational building blocks usually include policies (direction), procedures and rules (how controls work in practice), registers (assets, risks, suppliers, decisions), and evidence (proof that controls operate; auditors love dated screenshots and exports that show who did what and when). As you implement, track completion and results, because those measurements become key inputs for performance evaluation.

Chapter 9 – Performance evaluation. To Check your implementation, monitor whether the ISMS is working. Many organizations define 5-10 measurable security objectives. Some are internal (training participation, patching SLAs, access review completion), while others can be external (web security posture testing, verification of cryptographic configurations). Ensure you cover applicable Annex A controls, assign owners, and review progress regularly. Dashboards can help make progress visible and prioritize decisions.

A formal requirement here is internal audit. In the first year, the internal audit typically covers the full scope to establish baseline confidence. Over time, it becomes more risk-based and change-focused. The evaluation cycle concludes with management review, where the formally required discussion items lead to documented decisions and follow-up actions. With that governance cycle operating, you are in a strong position to prepare for the external certification audit.

Chapter 10 – Continual improvement. The Act step restarts the PDCA cycle. ISO 27001 requires you to address nonconformities and implement corrective actions in a structured way: what went wrong, what immediate action you took, what the root cause was, what corrective steps you agreed, and how you prevent recurrence. While this is a formal requirement, the broader point is cultural and operational: the organization, including management, should demonstrate continual improvement. Practically, this is implemented through your incident processes, training and awareness loops, and a concrete register that tracks nonconformities and corrective actions to closure.

Training on ISO 27001

If you work in a security team using ISO 27001, completing formal training helps ensure the standard is applied correctly. We offer a short course covering the fundamentals of information security based on ISO 27001. Check out the next dates on our trainings page.

Author: Pavlo Burda
Dr. Pavlo Burda is an IT consultant and researcher specializing in emerging cybersecurity threats and people analytics for security.