# API Reference: Implementing ISO 27001 Information Security Management

## ISO 27001:2022 Clause Structure

| Clause | Title | Key Deliverable |
|--------|-------|-----------------|
| 4 | Context of the Organization | ISMS Scope Document |
| 5 | Leadership | Information Security Policy |
| 6 | Planning | SoA, Risk Treatment Plan |
| 7 | Support | Competence records, Awareness |
| 8 | Operation | Risk assessment/treatment results |
| 9 | Performance Evaluation | Audit reports, Management review |
| 10 | Improvement | Corrective action records |

## Annex A Control Categories (2022)

| Category | Name | Controls |
|----------|------|----------|
| A.5 | Organizational | 37 controls |
| A.6 | People | 8 controls |
| A.7 | Physical | 14 controls |
| A.8 | Technological | 34 controls |

## Required Documented Information

| Document | Clause |
|----------|--------|
| ISMS Scope | 4.3 |
| Information Security Policy | 5.2 |
| Risk Assessment Methodology | 6.1.2 |
| Statement of Applicability | 6.1.3d |
| Risk Treatment Plan | 6.1.3 |
| Security Objectives | 6.2 |
| Internal Audit Program | 9.2 |
| Management Review Minutes | 9.3 |

## Risk Assessment Formula

```
Risk Level = Likelihood x Impact

- Likelihood: 1 (Rare) to 5 (Almost Certain)
- Impact: 1 (Negligible) to 5 (Catastrophic)
- Risk Rating: Low (1-6), Medium (7-12), High (13-19), Critical (20-25)
```

### References

- ISO 27001:2022: https://www.iso.org/standard/27001
- ISO 27002:2022: https://www.iso.org/standard/75652.html
- ISO 27005 Risk Management: https://www.iso.org/standard/80585.html
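The Risk Assessment Formula above is the calculation a risk register applies to every entry before the risk treatment plan (clause 6.1.3) is drawn up. The following Python is an added example, not code from the page or from ISO: it implements the 1-5 scales and the four rating bands exactly as stated in the formula, rejects out-of-range scores, renders the full 5x5 matrix, and orders a constructed sample register highest level first. The `RiskEntry` fields, the `SAMPLE_REGISTER` rows and the intermediate scale values (only 1 and 5 are labelled on the page) are assumptions for illustration.

```python
"""Risk scoring for a 5x5 likelihood/impact matrix (ISO 27001 risk assessment).

Added example; not from the page or from ISO. Banding follows the page's formula:
Risk Level = Likelihood x Impact, rated Low (1-6), Medium (7-12),
High (13-19), Critical (20-25).
"""
from dataclasses import dataclass
from typing import List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # page labels only the ends: 1 (Rare/Negligible), 5 (Almost Certain/Catastrophic)

# Rating bands as stated on the page: (lower bound, upper bound, label).
RATING_BANDS: List[Tuple[int, int, str]] = [
    (1, 6, "Low"),
    (7, 12, "Medium"),
    (13, 19, "High"),
    (20, 25, "Critical"),
]


def on_scale(value) -> bool:
    """True only for a plain integer from 1 to 5 (bool is excluded on purpose)."""
    return isinstance(value, int) and not isinstance(value, bool) and SCALE_MIN <= value <= SCALE_MAX


def risk_level(likelihood: int, impact: int) -> int:
    """Return Likelihood x Impact after validating both inputs are on the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not on_scale(value):
            raise ValueError(f"{name} must be an integer from {SCALE_MIN} to {SCALE_MAX}, got {value!r}")
    return likelihood * impact


def risk_rating(level: int) -> str:
    """Map a risk level (1-25) onto the page's four rating bands."""
    for low, high, label in RATING_BANDS:
        if low <= level <= high:
            return label
    raise ValueError(f"risk level {level} is outside 1-25")


def risk_matrix() -> List[List[str]]:
    """Full 5x5 matrix of ratings; rows are likelihood 1..5, columns impact 1..5."""
    return [
        [risk_rating(risk_level(lk, im)) for im in range(SCALE_MIN, SCALE_MAX + 1)]
        for lk in range(SCALE_MIN, SCALE_MAX + 1)
    ]


@dataclass
class RiskEntry:
    """One row of a risk register (hypothetical field set, constructed for this example)."""
    risk_id: str
    description: str
    likelihood: int
    impact: int

    @property
    def level(self) -> int:
        return risk_level(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return risk_rating(self.level)


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Order a register highest level first (ties by id) so the treatment plan
    addresses the largest exposures before the rest."""
    return sorted(register, key=lambda e: (-e.level, e.risk_id))


# Constructed sample register; the entries and scores are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Unpatched internet-facing web server", likelihood=4, impact=5),
    RiskEntry("R-002", "Loss of laptop with encrypted disk", likelihood=3, impact=2),
    RiskEntry("R-003", "Single point of failure in backup job", likelihood=2, impact=4),
    RiskEntry("R-004", "Phishing leads to credential theft", likelihood=5, impact=3),
]

if __name__ == "__main__":
    for entry in prioritize(SAMPLE_REGISTER):
        print(f"{entry.risk_id} L={entry.likelihood} I={entry.impact} "
              f"level={entry.level:2d} rating={entry.rating}")
```

Because both scales are integers, only some products (for example 20 or 12) can occur; the bands are still written as closed ranges so a later move to a finer scale does not silently leave gaps, and `risk_rating` raises rather than guessing for a level outside 1-25.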