ISO 27001 Clause 4.4

This sub-clause requires the organisation to establish, implement, maintain and continually improve an ISMS, including the processes needed and their interactions.

ISO 27001 Clause 4.4 - Information Security Management System

Clause 4.4 is the umbrella clause for the whole standard. It pulls the four-part lifecycle together - establish, implement, maintain, continually improve - and tells the organisation that the ISMS has to include the processes needed and their interactions. Everything else in the standard sits underneath this clause.

What ISO 27001 Clause 4.4 Requires

The clause has one short paragraph. The organisation shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of ISO 27001. The simplicity is deliberate. The detail of what the ISMS must contain is in Clause 5 through Clause 10 and in Annex A.

The reference to processes and their interactions is important. The ISMS is not a folder of policies. It is a set of running processes - risk assessment, risk treatment, internal audit, management review, incident response, change control and so on. The clause asks the organisation to be clear about what those processes are and how they connect to each other.

Demonstrating Compliance with Clause 4.4

Most organisations demonstrate Clause 4.4 through the management system manual or equivalent overview document. The manual describes the structure of the ISMS, the main processes, how they fit together and where the supporting documentation lives. It is the entry point for anyone trying to understand how the system works.

The clause does not specifically require a documented manual. It does require the processes and interactions to be evident. A well-organised set of policies, registers and records can demonstrate this without a single overarching document, though a manual is by far the most common approach because it makes the system easy to navigate.

Clause 4.4 is the easiest clause to evidence and the easiest to overlook. The auditor wants a clear picture of how the ISMS hangs together. A manual or system overview that walks through the main processes - risk, controls, audits, reviews, incidents - and shows how they feed into each other is usually all that is needed.

I look for the management system manual or equivalent at the start of the audit. It tells me how the system is meant to work. I then check that the system actually does work that way - that the processes described are running, that the records exist, and that the interactions between processes are real rather than diagrams on paper.

Practical Compliance Guidance

The IMS1 Integrated Management System Manual gives the organisation a single document covering the structure, processes and interactions of the ISMS. The manual is built around business operations rather than the clause structure of the standard, which makes it easier to use day to day while still mapping cleanly to the ISO 27001 requirements.

The documents below provide the manual and the correlation that maps the ISO 27001 clauses to the IMS1 sections.

alphaZ document - How to use it

ISO 27001 Toolkit - Complete documentation set for ISO 27001:2022, including the IMS1 Manual.

ISO 27001:2022 Correlation - Maps each clause and Annex A control to the relevant IMS1 manual sections and supporting documents; useful as a desk reference during set-up and audits.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does ISO 27001 require a management system manual?

No. The standard does not specifically require a manual. It requires the processes and their interactions to be evident, which most organisations demonstrate through a manual because it makes the system easier to understand and audit.

Can one manual cover ISO 27001 and other management system standards?

Yes. An integrated management system manual can cover ISO 27001 alongside ISO 9001, ISO 14001, ISO 45001 and others. These standards share the same high-level clause structure, so an integrated approach reduces duplication and keeps the system consistent.

UK Legislation

No specific UK legislation applies to the management system overview itself. The legislation relevant to the ISMS as a whole is covered under the individual clause and control articles.
