Clause 4.4 is the shortest clause in ISO 27001. It reads: “The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.”
One sentence, but those four verbs: establish, implement, maintain, and continually improve are doing significant work. They describe the full lifecycle of an ISMS, and an auditor will look for evidence of all four.
What Each Verb Requires
Establish means the ISMS exists as a defined system with documented scope, policies, and processes. The work done in Clauses 4.1 through 4.3: understanding the organization, identifying interested parties, and defining scope, is the foundation of establishment. Without that documentation, there is no ISMS to point to.
Implement means the ISMS is operational. Policies aren’t just written but they’re communicated and followed. Controls are selected and they’re in place. Documents that nobody reads and controls that nobody applies do not constitute implementation.
Maintain means the ISMS is kept current. As the organization changes with new systems, new staff, new regulatory requirements, and new threats, the ISMS is updated to reflect that reality. A scope document written in 2024 that hasn’t been reviewed since isn’t being maintained. Maintenance is the ongoing process that keeps the ISMS accurate.
Continually improve means the ISMS gets better over time. Non-conformities (deficiencies) are identified and corrected. Management reviews produce action items. Internal audits surface gaps. The ISMS in year three should reflect learning from years one and two. Improvement is a requirement of the standard and the subject of Clause 10.
The work product from Clauses 4.1 through 4.4 doesn’t have to live in four separate documents. For an SMB or ISMS with smaller scope, it’s common and practical to consolidate the context analysis (4.1), interested parties register (4.2), scope statement (4.3), and ISMS operational summary (4.4) into a single document. What matters is that all the required content is present and maintained.
What 4.4 Is Really Saying
Clause 4.4 is the clause that converts everything before it into a system. Clauses 4.1 through 4.3 produce documents. Clause 4.4 requires that those documents represent something real — a functioning management system with processes, ownership, and evidence of operation.
What Needs to Exist Before You Can Claim Implementation
Implementation means the controls are actually in place, which means the foundational documents that operationalize those controls must exist before you can honestly say the ISMS is running.
The following documents are required under ISO 27001 — either explicitly by the standard or through the controls in Annex A. Each one must be scoped to the ISMS, not the organization as a whole. An organization may already have a company-wide information security policy, an AUP, or an access control policy — but if those documents don’t cover the systems and processes within the ISMS scope, they don’t satisfy the requirement. A separate ISMS-scoped version is needed, or the existing document must be updated to cover the scope.
- Information Security Policy — the overarching document outlining the rules, expectations, and practices for protecting assets within the ISMS scope
- Acceptable Use Policy — governing how staff interact with in-scope systems and data
- Access Control Policy — defining how access to in-scope systems is granted, reviewed, and revoked
- Incident Response Procedure — what happens when something goes wrong within the ISMS scope
- Password / Authentication Standard — minimum credential requirements for in-scope systems
- Asset Inventory — what’s in scope, who owns it, and how it’s classified
If any of these don’t exist, Clause 4.4 is the point where you stop and create them. The ISMS cannot be considered implemented without them.
An auditor evaluating Clause 4.4 is looking for evidence that the ISMS is real and operational — not just documented. They will look for meeting minutes from management reviews showing the ISMS is actively overseen. They will look for records of corrective actions taken when non-conformities were identified. They will check that the scope document is current and that controls in the scope are actually in place. They will ask who owns the ISMS and what happens when something changes.
Common gap: Organizations produce the documentation required by Clauses 4.1 through 4.3 and then treat the ISMS as complete. Clause 4.4 requires that the system is operational and improving — and an auditor will distinguish between a documented ISMS and a functioning one.
What the Document Looks Like
Below is an ISMS operational summary for Meridian Health Partners — the document that closes out Clause 4 by confirming the ISMS is established, implemented, maintained, and on a path of continual improvement.
ISMS Status: Established and active. The ISMS covers all systems, processes, and personnel involved in the handling of protected health information at Meridian Health Partners LLC, as defined in the Scope Statement (Clause 4.3).
| Requirement | How Meridian Satisfies It | Evidence |
|---|---|---|
| Establish | ISMS documented across four Clause 4 documents: context analysis, interested parties register, scope statement, and this operational summary. Information security policy approved by practice ownership. | Clause 4.1–4.4 documents. Signed information security policy. |
| Implement | Controls are in place across the in-scope environment. MFA enforced on EHR and Microsoft 365. Acceptable use policy distributed to all staff. Contractor access governed by NDA and access agreements. Breach notification procedure documented and tested. | MFA configuration records. Staff acknowledgment log. Contractor agreements. Incident response procedure. |
| Maintain | ISMS documents reviewed annually or on material change to the organization’s systems, staff, or regulatory environment. Scope reviewed whenever new systems handling PHI are introduced. Interested parties register updated when relationships change. | Document version history. Review log with date and reviewer. |
| Continually Improve | Quarterly management review meetings track ISMS performance, open findings, and control effectiveness. Non-conformities are logged and assigned to owners with resolution timelines. Internal audit findings feed the next review cycle. | Management review meeting minutes. Non-conformity log. Internal audit reports. |
ISMS Owner: Practice Owner / Leadership
Next Scheduled Review: July 2027 or upon material change, whichever occurs first.
Next in this series: Clause 5 — Leadership. How top management demonstrates commitment to the ISMS, what the information security policy must contain, and what organizational roles and responsibilities look like in a small practice.
