Introducing the ISMS Workbook: The ISO 27001 Requirements Nobody Told You About
TL;DR
ISO 27001 certification requires more than security controls. Clauses 4-10 define how you manage your security program—and they're where most audits fail. The new ISMS Workbook maps every requirement, automatically links your existing Humadroid data as evidence, and uses AI to verify your documents actually address what auditors will check. No more discovering gaps the week before your audit.
When I started preparing Humadroid for ISO 27001 certification, I made the same mistake everyone makes.
I focused entirely on security controls. Access management, encryption, incident response—the stuff that feels like "real" security work. Annex A has 93 controls. That's where the action is, right?
Wrong.
Weeks into preparation, I discovered an uncomfortable truth: there's an entire section of ISO 27001 that nobody talks about. Clauses 4 through 10. Seven clauses that define how you manage your security program, not just what controls you implement. And here's the kicker—auditors examine these requirements before they ever look at your security controls.
I'd been preparing for the wrong test.
The Requirements That Cause 70% of Certification Failures
Here's something the compliance platform marketing pages won't tell you: internal auditing generates more nonconformities than any other requirement in ISO 27001. Not access control. Not encryption. Internal auditing—a management requirement buried in Clause 9.2.
This isn't an edge case. The pattern repeats across certification bodies worldwide. Organizations show up to audits with green dashboards full of passing control tests, then fail because they can't produce evidence of management reviews. Or their security objectives aren't measurable. Or they have no corrective action process.
The ISO 27001 standard has two distinct parts. Annex A contains the 93 security controls everyone obsesses over. Clauses 4-10 contain the Information Security Management System (ISMS) requirements—the governance framework that makes those controls actually work.
Most compliance platforms automate Annex A beautifully. Continuous monitoring, evidence collection, pretty dashboards showing control status. But Clauses 4-10? You get templates. Maybe a checklist. Good luck figuring out what auditors actually want.
What Are Clauses 4-10, and Why Should You Care?
If you've never heard of these requirements, you're not alone. Let me break them down in plain language:
Clause 4 (Context) asks: What's your business situation? Who cares about your security? What's actually in scope for certification?
Clause 5 (Leadership) asks: Is management actually committed, or is this just an IT project? Who's accountable?
Clause 6 (Planning) asks: How do you identify risks? What are your security objectives? How will you achieve them?
Clause 7 (Support) asks: Do you have the resources, competence, and awareness needed? Is your documentation controlled?
Clause 8 (Operation) asks: Are you actually implementing your plans and managing changes?
Clause 9 (Performance Evaluation) asks: How do you measure effectiveness? When did you last conduct an internal audit? When did management review the program?
Clause 10 (Improvement) asks: How do you handle nonconformities? What's your corrective action process? How do you continuously improve?
These aren't optional nice-to-haves. They're mandatory requirements that auditors examine systematically during Stage 1 of your certification audit—before they ever look at whether you've implemented MFA or encrypted your databases.
Why Compliance Platforms Leave You Exposed
I researched how major platforms handle these requirements. The pattern was consistent.
Platforms like Vanta and Drata excel at Annex A automation. Vanta runs over 1,200 automated tests hourly for technical controls. Drata provides continuous monitoring across hundreds of integrations. Impressive stuff.
But for Clauses 4-10? Platforms cannot decide if a process is suitable for your unique culture or ensure management is truly committed—those are human leadership tasks.
The result is a dangerous asymmetry. You see green dashboards showing 95% control compliance. You feel ready. Then the Stage 1 auditor asks for your management review minutes, and you realize you don't have any. Or they ask about your internal audit program, and you realize conducting one internal audit isn't the same as having a program.
The gap becomes obvious when you look at specific requirements.
For management reviews, platforms give you a template document. Auditors expect evidence of regular meetings with specific inputs reviewed and decisions documented. For internal audits, you get checklists and guidance. Auditors expect a risk-based audit program with independent auditors and actionable findings. Security objectives? Sometimes a table to fill in. Auditors want measurable objectives with targets, timelines, resources, and evaluation criteria. Corrective actions get basic issue tracking. Auditors look for root cause analysis, effectiveness verification, and trend monitoring.
Templates don't pass audits. Evidence of a living, breathing management system does.
The Moment I Knew We Needed Something Different
During our own ISO 27001 preparation, I kept a spreadsheet tracking Clauses 4-10 requirements. Which documents addressed which clauses. Whether we had evidence. What gaps remained.
It was tedious. And error-prone. And I kept discovering requirements I'd missed entirely.
The worst part? Humadroid already had most of the evidence. Our risk assessments covered Clause 6.1.2. Our Statement of Applicability addressed Clause 6.1.3. Our internal audit findings lived in the system. But connecting that evidence to the specific requirements auditors would check required manual mapping that nobody should have to do.
That's when the ISMS Workbook idea crystallized. Not another template library. Not another checklist. A structured system that maps every ISO 27001 requirement, automatically connects evidence you've already created, and tells you—before your auditor does—whether your documentation actually addresses what the standard requires.
Introducing the ISMS Workbook
Today, I'm releasing the ISMS Workbook as part of Humadroid. It's designed specifically for organizations without dedicated security officers—people who need to pass certification but shouldn't need a consultant to explain what "Clause 9.3.2 inputs" means.
Every requirement mapped and explained. The workbook breaks down Clauses 4-10 into specific, actionable items. Each requirement includes the exact ISO standard text, guidance on what auditors look for, and clear evidence expectations. No more guessing what "determine the external and internal issues" actually means in practice.
Automatic evidence linking. This is where it gets interesting. The workbook automatically connects your existing Humadroid data to relevant requirements. Your risk assessments link to Clause 6.1.2. Your Statement of Applicability links to Clause 6.1.3. Internal audits link to Clause 9.2. Documents link based on type and content.
You've already done the work. The workbook makes sure auditors can find it.
AI-powered document verification. For linked documents, AI reviews whether your policies and procedures actually address each requirement. You get an adequacy score, specific gaps identified, actionable recommendations, and evidence of what's working well.
This matters because having a policy isn't enough. Having a policy that addresses what the standard requires is what passes audits. The AI catches gaps like "your access control policy doesn't specify periodic access reviews" before your auditor does.
Built-in management review and objectives tracking. These are the requirements organizations miss most often. The workbook includes purpose-built features for:
- Management reviews with all required inputs per Clause 9.3
- Security objectives with measurable targets and progress tracking per Clause 6.2
- Findings and corrective actions with severity classification and effectiveness verification
Real-time audit readiness. See your overall completion percentage across all clauses. Track progress per clause. Identify critical gaps before they become audit findings.
What This Means for Your Certification Journey
If you're preparing for ISO 27001 without a dedicated security team, the ISMS Workbook changes your preparation in three ways.
You'll know what you don't know. The most dangerous gaps are the ones you don't realize exist. The workbook surfaces every requirement auditors will check, so you can address gaps proactively instead of discovering them during your Stage 1 audit.
Your existing work becomes audit evidence. Stop duplicating effort. The automatic linking means risk assessments, internal audits, and documents you've already created in Humadroid become properly mapped evidence for the clauses they address.
You'll find documentation gaps before auditors do. The AI verification catches the subtle issues—policies that exist but don't quite address what the standard requires. Fix these on your timeline, not during a frantic audit preparation sprint.
The Competitive Reality
I looked hard at what other platforms offer for Clauses 4-10. The honest answer: templates and guidance. Drata provides comprehensive template documentation. Sprinto positions itself as "your ISMS" with management review reports. Thoropass offers integrated audit services.
But none of them automatically link your existing evidence to specific requirements. None use AI to verify document adequacy against what auditors will check. None provide the structured requirement-by-requirement guidance that someone without ISO expertise actually needs.
The ISMS Workbook isn't just another feature. It's a fundamental rethinking of what compliance automation should cover.
Getting Started
The ISMS Workbook is available now for all Humadroid users.
If you're already using Humadroid for ISO 27001, you'll find the workbook in your dashboard. Your existing risk assessments, Statement of Applicability, and internal audit data will automatically link to relevant requirements.
If you're new to Humadroid, the workbook gives you a clear roadmap from day one. You'll see exactly what ISO 27001 requires—not just the security controls, but the management system requirements that actually determine whether you pass certification.
No more discovering gaps the week before your audit. No more wondering if your policies actually address what the standard requires. No more spreadsheets mapping evidence to clauses.
Just a clear path to certification, with AI assistance at every step.
Frequently Asked Questions
Annex A contains 93 security controls—the technical and organizational measures you implement (access control, encryption, incident response, etc.). Clauses 4-10 define your Information Security Management System—how you govern, plan, support, operate, evaluate, and improve your security program. Both are mandatory for ISO 27001 certification, but auditors examine Clauses 4-10 during Stage 1 before assessing Annex A controls in Stage 2.
No. The workbook is designed specifically for organizations without dedicated security expertise. Each requirement includes plain-language guidance on what auditors expect and how to demonstrate compliance. The AI verification helps catch gaps that would otherwise require expert review.
The workbook recognizes the type and content of data you've already created in Humadroid. Risk assessments automatically link to Clause 6.1.2 (risk assessment). Your Statement of Applicability links to Clause 6.1.3. Internal audits link to Clause 9.2. The system handles the mapping so you don't have to maintain manual cross-references.
The AI provides specific recommendations for addressing gaps. You can update your document, re-link it, and run verification again. Think of it as a pre-audit review that catches issues while you still have time to fix them—not a pass/fail judgment.
No. ISO 27001 requires you to conduct internal audits (Clause 9.2). The ISMS Workbook helps you track your internal audit program, document findings, and manage corrective actions—but you still need to perform the audits themselves. We provide guidance on what internal audits should cover and how to document them properly.
Absolutely. Import your existing Humadroid data and the workbook will show you where you stand. Any evidence you've already created will link automatically, and you'll see exactly which requirements still need attention.