ISO 27001:2022 Clause 4.4 Explained: Information security management system
- Adam Hollick
- May 16
- 5 min read
Clause 4.4 of ISO 27001:2022 is about having a working Information Security Management System (ISMS). This isn’t a document you write once and forget. It’s the system you build and maintain to manage information security day-to-day, covering your policies, processes, people, and technology.
In this guide, we’ll explain:
What an ISMS is.
How to create one.
A simple implementation checklist.
What auditors will look for.
What is an information security management system?
An ISMS is a structured way to manage information security in your organisation. It typically includes:
People. Roles, responsibilities, and awareness.
Policies and procedures. The rules and guidance.
Systems and technology. The tools and controls you use.
The goal? To protect information: keeping it confidential, preserving its integrity (accurate and complete), and making it available when needed.
ISO 27001 is a risk-based standard. That means you need to understand what could go wrong, then put controls in place to manage the risks.
The “management system” part is about how you run things: how you plan, operate, monitor, and improve your information security over time.
What does an information security management system include?
A working ISMS includes:
The required ISO 27001 documents.
Your organisation’s security policies and objectives.
Supporting processes and procedures.
The controls you have selected to treat your risks, typically drawn from Annex A and recorded in your Statement of Applicability.
All of this works together to help you manage risk and protect information.
What does clause 4.4 require?
Clause 4.4 says your organisation must:
Establish an ISMS.
Implement it.
Maintain it.
Continually improve it.
It builds on Clauses 4.1 to 4.3, which ask you to understand your organisation, interested parties, and scope. Clause 4.4 is where you actually build and operate the system.
The official text says:
“The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.”
In plain English:
You need to build a working information security system, run it properly, and keep making it better.
How to implement clause 4.4
Clause 4.4 is effectively telling you: “implement ISO 27001.” If you follow the standard step by step, you’ll satisfy this clause naturally.
There are three main ways to go about it:
Build it yourself. If you’re confident with the ISO standard, you can create your own ISMS from scratch. You’ll need to:
Buy the ISO 27001:2022 standard.
Read and understand all requirements.
Identify the necessary documents and controls.
Write your own policies, procedures, and records.
It’s flexible but can be time-consuming, especially for beginners.
Use templates. Templates give you ready-made documentation, checklists, and examples. They often include:
Pre-written policies, procedures, and record templates.
Step-by-step implementation guides.
Training materials.
This is a good middle-ground if you want to speed things up without hiring a consultant.
Hire a consultant. A consultant can design and implement an ISMS tailored to your business. This is the quickest route, but often the most expensive.
ISO 27001 clause 4.4 implementation checklist
Here’s a high-level checklist for building and running your ISMS:
Get management support. Secure leadership buy-in, funding, and resources.
Understand your business. Identify your organisation’s information types, risks, legal obligations, and priorities. See our Horizon Scan and Interested Parties Templates.
Define the ISMS scope. Be clear about which areas, systems, and processes the ISMS covers. See our ISMS Scope Template.
Set information security objectives. Make them SMART (specific, measurable, achievable, relevant, time-bound).
Build the ISMS framework. Include roles, responsibilities, policies, and processes.
Write your documentation. Such as policies, risk assessments, Statement of Applicability, procedures, and records.
Implement controls. Select controls to treat the risks identified in your risk assessment (typically from Annex A), record them in the Statement of Applicability with a justification for any you exclude, and put them into operation.
Train your people. Everyone should understand their role in information security.
Monitor and review performance. Use KPIs, internal audits, and management reviews to check how things are going.
Manage incidents. Develop and use a clear incident response process.
Continually improve. Learn from audits, incidents, and feedback and act on them.
Clause 4.4 audit checklist
This checklist helps you check whether your ISMS meets Clause 4.4 requirements:
Confirm the ISMS is established. What to look for:
Documented scope, objectives, and policies.
Evidence of real implementation (not just paperwork).
Audit trails, training logs, internal audit reports.
Verify the ISMS is working. What to look for:
Operational controls in use (e.g. access logs, change management records).
Observations and staff interviews.
Pen test or vulnerability scan results.
Check for continual improvement. What to look for:
Management reviews and audit outputs.
Nonconformity and corrective action records.
Evidence of lessons learned.
Review monitoring and measurement. What to look for:
KPIs, dashboards, risk logs.
Evidence of performance being reviewed and acted on.
Assess internal audits. What to look for:
Internal audit schedules and reports.
Follow-up on findings.
Trained auditors, with their objectivity and independence from the area being audited documented.
Ensure management review is happening. What to look for:
Management meeting minutes.
Improvement actions from leadership.
Signs of leadership involvement.
Look for evidence of continual improvement. What to look for:
Improvement logs, change records.
Staff involvement in improvement initiatives.
Confirm corrective action is taken. What to look for:
Root cause analysis.
Evidence that problems were solved properly.
Confirm interested parties are considered. What to look for:
Analysis of stakeholder needs.
How these are addressed in the ISMS.
Review documented information. What to look for:
Up to date, version-controlled documents.
Clear document management process.
Have a look at our ISO 27001:2022 Audit Question Checklist to help you with auditing.
How to pass an audit of clause 4.4
To satisfy Clause 4.4 in an audit, you’ll need to show:
Your ISMS is documented. Scope, policies, objectives, and procedures must be clearly defined.
Your ISMS is implemented. It must be in daily use, not just sitting in a file.
Your ISMS is improving. Show how you respond to incidents, audits, and changes in your business.
Common mistakes to avoid
Buying expensive tools too early. Don't invest in platforms before your basic processes are in place.
Trying to do everything alone. Use guides, templates, or ask for support to avoid blind spots.
Thinking it’s just for IT. An ISMS is a business-wide system. Everyone has a role, not just the tech team.
Other useful frameworks
ISO 27001 can be supported by other standards and frameworks:
ISO/IEC 27000 series. The wider family of information security standards.
ITIL. Service management framework, useful for operations and security.
COBIT. Focused on IT governance and management.
Clause 4.4 is where ISO 27001 becomes real. It’s not just about documents, it’s about building a system that works, fits your business, and helps you improve over time.
If you're doing that, you’re on the right track.
Thanks for reading!