The ISO 27001:2022 Manual, Complete Framework Guide
The ISO 27001 framework is flexible enough to adapt to your needs while maintaining a strong focus on risk management and compliance.
ISO 27001:2022 Structure
ISO 27001:2022 is split into two main parts:
- Clauses 4 to 10: These focus on the management system requirements, laying the foundation for how an ISMS should be implemented and maintained.
- Annex A Controls: This is the ISO 27001 controls list (93 controls) that you select from, and justify in your Statement of Applicability, to treat specific risks. ISO 27002:2022 is the companion standard that gives implementation guidance for the same controls.
ISO 27001:2022 Clauses
The ISO 27001 framework is built around a series of clauses that outline the steps for implementing and maintaining an effective ISMS. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when you claim conformity to ISO 27001:2022; only Annex A controls can be excluded, and each exclusion must be justified.
- Clause 4: Context of the Organization
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance Evaluation
- Clause 10: Improvement
ISO 27002:2022 Controls
Annex A, the heart of ISO 27001, contains the ISO 27001 Controls List, a set of 93 specific security controls that your organization can implement to protect its assets. ISO 27002:2022 provides the implementation guidance for these same 93 controls. They are organized into four themes (the ISO 27002 section number is shown before each theme):
- 5. Organizational Controls (37): Policies, procedures, and governance strategies.
- 6. People Controls (8): Measures to manage personnel-related risks.
- 7. Physical Controls (14): Strategies to protect physical assets and locations.
- 8. Technological Controls (34): Security features like encryption and secure configurations.
Resource: ISO 27002:2022 Controls Spreadsheet
ISO 27001:2022 Clauses List
4 Context of the organization
Clause 4.1 – Understanding the organization and its context
Clause 4.2 – Understanding the needs and expectations of interested parties
Clause 4.3 – Determining the scope of the information security management system
Clause 4.4 – Information security management system
5 Leadership
Clause 5.1 – Leadership and commitment
Clause 5.2 – Policy
Clause 5.3 – Organizational roles, responsibilities and authorities
6 Planning
Clause 6.1 – Actions to address risks and opportunities
Clause 6.1.1 – General
Clause 6.1.2 – Information security risk assessment
Clause 6.1.3 – Information security risk treatment
Clause 6.2 – Information security objectives and planning to achieve them
Clause 6.3 – Planning of changes
7 Support
Clause 7.1 – Resources
Clause 7.2 – Competence
Clause 7.3 – Awareness
Clause 7.4 – Communication
Clause 7.5 – Documented information
Clause 7.5.1 – General
Clause 7.5.2 – Creating and updating
Clause 7.5.3 – Control of documented information
8 Operation
Clause 8.1 – Operational planning and control
Clause 8.2 – Information security risk assessment
Clause 8.3 – Information security risk treatment
9 Performance Evaluation
Clause 9.1 – Monitoring, measurement, analysis and evaluation
Clause 9.2 – Internal audit
Clause 9.2.1 – General
Clause 9.2.2 – Internal audit programme
Clause 9.3 – Management review
Clause 9.3.1 – General
Clause 9.3.2 – Management review inputs
Clause 9.3.3 – Management review results
10 Improvement
Clause 10.1 – Continual improvement
Clause 10.2 – Nonconformity and corrective action
ISO 27002:2022 Controls List
5 Organizational Controls
Control 5.1 – Policies for Information Security
Control 5.2 – Information Security Roles and Responsibilities
Control 5.3 – Segregation of Duties
Control 5.4 – Management Responsibilities
Control 5.5 – Contact with Authorities
Control 5.6 – Contact with Special Interest Groups
Control 5.7 – Threat Intelligence
Control 5.8 – Information Security in Project Management
Control 5.9 – Inventory of Information and other Associated Assets
Control 5.10 – Acceptable use of Information and Other Associated Assets
Control 5.11 – Return of Assets
Control 5.12 – Classification of Information
Control 5.13 – Labelling of Information
Control 5.14 – Information Transfer
Control 5.15 – Access Control
Control 5.16 – Identity Management
Control 5.17 – Authentication Information
Control 5.18 – Access Rights
Control 5.19 – Information security in supplier relationships
Control 5.20 – Addressing information security within supplier agreements
Control 5.21 – Managing information security in the ICT supply chain
Control 5.22 – Monitoring, review and change management of supplier services
Control 5.23 – Information security for use of cloud services
Control 5.24 – Information security incident management planning and preparation
Control 5.25 – Assessment and decision on information security events
Control 5.26 – Response to information security incidents
Control 5.27 – Learning from information security incidents
Control 5.28 – Collection of evidence
Control 5.29 – Information security during disruption
Control 5.30 – ICT readiness for business continuity
Control 5.31 – Legal, statutory, regulatory and contractual requirements
Control 5.32 – Intellectual property rights
Control 5.33 – Protection of records
Control 5.34 – Privacy and protection of PII
Control 5.35 – Independent review of information security
Control 5.36 – Compliance with policies, rules and standards for information security
Control 5.37 – Documented operating procedures
6 People Controls
Control 6.1 – Screening
Control 6.2 – Terms and conditions of employment
Control 6.3 – Information security awareness, education and training
Control 6.4 – Disciplinary process
Control 6.5 – Responsibilities after termination or change of employment
Control 6.6 – Confidentiality or non-disclosure agreements
Control 6.7 – Remote working
Control 6.8 – Information security event reporting
7 Physical Controls
Control 7.1 – Physical security perimeters
Control 7.2 – Physical entry
Control 7.3 – Securing offices, rooms and facilities
Control 7.4 – Physical security monitoring
Control 7.5 – Protecting against physical and environmental threats
Control 7.6 – Working in secure areas
Control 7.7 – Clear desk and clear screen
Control 7.8 – Equipment siting and protection
Control 7.9 – Security of assets off-premises
Control 7.10 – Storage media
Control 7.11 – Supporting utilities
Control 7.12 – Cabling security
Control 7.13 – Equipment maintenance
Control 7.14 – Secure disposal or re-use of equipment
8 Technological Controls
Control 8.1 – User endpoint devices
Control 8.2 – Privileged access rights
Control 8.3 – Information access restriction
Control 8.4 – Access to source code
Control 8.5 – Secure authentication
Control 8.6 – Capacity management
Control 8.7 – Protection against malware
Control 8.8 – Management of technical vulnerabilities
Control 8.9 – Configuration management
Control 8.10 – Information deletion
Control 8.11 – Data masking
Control 8.12 – Data leakage prevention
Control 8.13 – Information backup
Control 8.14 – Redundancy of information processing facilities
Control 8.15 – Logging
Control 8.16 – Monitoring activities
Control 8.17 – Clock synchronization
Control 8.18 – Use of privileged utility programs
Control 8.19 – Installation of software on operational systems
Control 8.20 – Networks security
Control 8.21 – Security of network services
Control 8.22 – Segregation of networks
Control 8.23 – Web filtering
Control 8.24 – Use of cryptography
Control 8.25 – Secure development life cycle
Control 8.26 – Application security requirements
Control 8.27 – Secure system architecture and engineering principles
Control 8.28 – Secure coding
Control 8.29 – Security testing in development and acceptance
Control 8.30 – Outsourced development
Control 8.31 – Separation of development, test and production environments
Control 8.32 – Change management
Control 8.33 – Test information
Control 8.34 – Protection of information systems during audit testing
ISO 27001 Policies and Templates for Implementation
When it comes to achieving ISO 27001 compliance, having the right policies in place is mandatory. These policies form the core of your ISMS and keep your organization effective and aligned with the ISO 27001 framework.
Creating these policies from scratch requires a lot of resources from your organization. That is why we created ISO 27001 Policy Templates. They simplify the process, providing your organization with ready-made, editable documents that save a lot of time.
The Differences: ISO 27001:2022 - ISO 27002:2022
ISO 27001 is the "Clauses" and the "What": it specifies the requirements for an ISMS, detailing what needs to be done to establish, implement, maintain, and continually improve information security. ISO 27002 is the Controls and the "How": it gives detailed implementation guidance for each Annex A control, so you use it to implement the controls you have selected in your Statement of Applicability.
Check out our dedicated page on ISO 27002 VS 27001 for more details.
ISO 27001 and ISO 27002: A Side-by-Side Comparison
Here is a closer look at how ISO 27001 and ISO 27002 work together:
Aspect | ISO 27001 Clauses | ISO 27002 Controls |
---|---|---|
Purpose | Specifies requirements for an ISMS | Provides implementation guidance for the Annex A controls |
Focus | Risk management and compliance framework | Practical advice and detailed control descriptions |
Mandatory? | Yes, for certification (Clauses 4–10 cannot be excluded; every Annex A control must be addressed in the SoA) | No. Guidance only; you cannot be certified against ISO 27002 |
Structure | Clauses 4–10 and Annex A (controls list) | One section per Annex A control: purpose, attributes, implementation guidance |
Target Audience | Organizations seeking certification | Security practitioners implementing controls |
Updates in 2022 | Annex A reduced from 114 controls in 14 domains to 93 controls in 4 themes | Controls restructured into 4 themes: 11 new controls, many merged, and attributes added for filtering |
How They Fit Together
The two standards work together:
- ISO 27001:2022 Clauses: Set out the requirements for establishing and running an ISMS, with Annex A listing the controls.
- ISO 27002:2022 Controls: Explain how to implement each of those controls.
Building Your ISO 27001 Framework
Creating an effective ISO 27001 framework is all about structure and planning. Here’s how you can get started:
1. Understand Your Organizational Context
Every organization is unique, so the first step is defining the scope of your ISMS. Consider:
- Internal Factors: What are your business goals, processes, and key assets?
- External Factors: What regulatory requirements or client expectations apply?
Tip: Use a Scope Statement Template to clearly define the boundaries of your ISMS. This document helps auditors understand what’s covered by your ISMS.
2. Gain Leadership Commitment
ISO 27001 success depends on top management support. Leadership must:
- Allocate resources (budget, time, and staff).
- Define an information security policy.
- Promote a culture of information security throughout the organization.
3. Conduct a Risk Assessment
Risk assessment is at the core of ISO 27001 (Clause 6.1.2). Define a repeatable method and your risk acceptance criteria, identify and evaluate risks to your information assets, then decide how to treat them.
Steps to perform a risk assessment:
- Identify assets and their vulnerabilities.
- Analyze potential threats and their likelihood.
- Determine the impact of risks on your organization.
- Compare each risk against your risk acceptance criteria to decide which risks need treatment.
- Develop a risk treatment plan linked to Annex A controls, and get the risk owners to approve the residual risk.
Tip: Use our ISO 27001 Risk Assessment Spreadsheet to simplify the process and ensure consistency.
4. Develop Mandatory Policies and Procedures
ISO 27001 requires several policies to support your ISMS, such as:
- Access Control Policy
- Risk Management Policy
- Information Security Policy
Resource Tip: Download our customizable ISO 27001 policy templates to save time and effort.
5. Implement Controls from Annex A
Once your risks are identified, it is time to implement the controls you selected from Annex A, using the ISO 27002 Controls List as the implementation guide. These controls address everything from physical security to network firewalls.
Example: If a risk involves unauthorized access to sensitive data, implement controls like multi-factor authentication and access logging.
6. Train Your Employees
Your ISMS is only as strong as the people managing it. Conduct regular training sessions to ensure employees understand their roles and responsibilities in protecting information.
7. Monitor, Measure, and Audit
ISO 27001 emphasizes continuous improvement. Set up a system to:
- Monitor security incidents.
- Measure the effectiveness of your controls.
- Conduct regular internal audits to identify gaps.
Tip: Use a Statement of Applicability (SoA) Template to document, for every Annex A control, whether it is implemented and why, or why it is excluded. Auditors check the SoA against your risk treatment plan, so keeping the two consistent makes audits smoother.
Using the ISO 27001 Controls List to Mitigate Risks
The ISO 27001 Controls List in Annex A is your reference for managing risks. How to use it effectively:
1. Align Controls with Risks
Every control in Annex A is designed to address specific risks. For example:
- Access control (Controls 5.15–5.18, 8.2–8.5): Mitigates risks related to unauthorized access.
- Protection against malware, information backup and redundancy (Controls 8.7, 8.13, 8.14): Protect against malware and system failures.
2. Focus on the 4 Categories
The controls are divided into four categories in the 2022 version:
- Organizational Controls: Policies, governance, and processes.
- People Controls: Employee training and screening.
- Technological Controls: Encryption, firewalls, and secure configurations.
- Physical Controls: Secure facilities and equipment.
3. Use Templates and Tools
For more efficient implementation, use tools like:
- SOA Templates: Clearly document your selected controls.
- Risk Assessment Spreadsheets: Map risks to controls.
- Policy Templates: Ensure your policies align with control requirements.
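The risk assessment steps above (identify assets, rate likelihood and impact, compare against acceptance criteria, link the treatment plan to Annex A controls) and the Statement of Applicability that records which controls are applicable and why can be carried through end to end on a small register. The following is an added worked example, not code from this page or from ISO; ISO 27001 Clause 6.1.2 requires a repeatable method with acceptance criteria but does not prescribe one, so the 1–5 scales, the acceptance threshold of 6, the rule that each selected control lowers likelihood by one step, the sample risks and the contractual obligation are all illustrative assumptions. The control identifiers and titles are real Annex A entries.

```python
"""Risk assessment -> risk treatment plan -> Statement of Applicability (SoA).

Added worked example (not from the page or from ISO). Scales, threshold,
the likelihood-reduction rule, sample risks and the obligation are assumed.
"""
from dataclasses import dataclass, field

# Subset of ISO/IEC 27001:2022 Annex A used by the sample register (ids/titles are real).
ANNEX_A = {
    "5.17": "Authentication information",
    "7.2": "Physical entry",
    "8.5": "Secure authentication",
    "8.7": "Protection against malware",
    "8.8": "Management of technical vulnerabilities",
    "8.11": "Data masking",
    "8.13": "Information backup",
    "8.15": "Logging",
    "8.24": "Use of cryptography",
}

# Assumed risk acceptance criterion: likelihood * impact of 6 or less may be retained.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                                     # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                                         # 1 (negligible) .. 5 (severe), assumed scale
    controls: list[str] = field(default_factory=list)   # Annex A ids chosen to treat the risk

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact


def treatment_option(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Pick a treatment option (ISO 27005 wording): retain, modify, or escalate."""
    if risk.inherent_score <= threshold:
        return "retain"              # within appetite: the risk owner accepts it as is
    if risk.controls:
        return "modify"              # above appetite: treat with the selected controls
    return "share_or_avoid"          # above appetite, nothing selected: needs a decision


def residual_score(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> int:
    """Assumed model: each selected control lowers likelihood by one step (floor 1)."""
    if treatment_option(risk, threshold) != "modify":
        return risk.inherent_score
    return max(1, risk.likelihood - len(risk.controls)) * risk.impact


def risk_treatment_plan(risks, threshold: int = ACCEPTANCE_THRESHOLD):
    """Clause 6.1.3: one row per risk; residual risk above the criterion needs owner approval."""
    plan = []
    for r in risks:
        residual = residual_score(r, threshold)
        plan.append({
            "risk_id": r.risk_id,
            "option": treatment_option(r, threshold),
            "controls": list(r.controls),
            "inherent": r.inherent_score,
            "residual": residual,
            "needs_owner_approval": residual > threshold,
        })
    return plan


def statement_of_applicability(risks, obligations, annex_a=ANNEX_A):
    """List every Annex A control as applicable or not, each with a justification.

    A control is applicable when a treated risk selects it or when a legal/contractual
    obligation (Control 5.31) requires it; an exclusion must be justified as well.
    """
    by_risk = {cid: [] for cid in annex_a}
    for r in risks:
        if treatment_option(r) == "modify":
            for cid in r.controls:
                by_risk[cid].append(r.risk_id)
    soa = {}
    for cid, title in annex_a.items():
        reasons = []
        if by_risk[cid]:
            reasons.append("treats risk(s) " + ", ".join(by_risk[cid]))
        if cid in obligations:
            reasons.append("required by " + obligations[cid])
        soa[cid] = {
            "title": title,
            "applicable": bool(reasons),
            "justification": "; ".join(reasons) or "no risk or obligation in scope requires it",
        }
    return soa


# Constructed sample register (not real data).
RISKS = [
    Risk("R1", "customer database", "credential stuffing", "single-factor admin login",
         likelihood=4, impact=5, controls=["5.17", "8.5", "8.15"]),
    Risk("R2", "file server", "ransomware", "unpatched OS, untested backups",
         likelihood=3, impact=4, controls=["8.7", "8.8", "8.13"]),
    Risk("R3", "office printer", "theft", "not secured to the desk",
         likelihood=2, impact=1),
    Risk("R4", "staff laptops", "loss in transit", "no full-disk encryption",
         likelihood=3, impact=4, controls=["8.24"]),
]
# Assumed contractual requirement that makes a control applicable regardless of the register.
OBLIGATIONS = {"7.2": "a customer contract requiring badge-controlled server room access"}

if __name__ == "__main__":
    for row in risk_treatment_plan(RISKS):
        print(row)
    for cid, entry in statement_of_applicability(RISKS, OBLIGATIONS).items():
        status = "APPLICABLE" if entry["applicable"] else "NOT APPLICABLE"
        print(f"{cid} {entry['title']}: {status} - {entry['justification']}")
```

Two things the output shows that the prose alone does not: R4 stays above the acceptance criterion even after treatment (residual 8 against a threshold of 6), so the plan flags it for explicit owner approval rather than silently marking it treated; and Control 7.2 appears in the SoA as applicable although no risk in the register selects it, because a contractual obligation drives it. Control 8.11 is listed as not applicable with a written justification, which the SoA requires for every excluded control.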
It Makes a Difference
Significance of ISO/IEC 27001
Framework
The ISO 27001 structure provides a systematic approach to information security management.
Risk Management
Emphasizing a risk-based approach, ISO 27001 ensures that risks are assessed, treated, and monitored systematically.
Adaptability and Relevance
The flexible nature of ISO 27001 allows it to be applied across various organizational types.
Risk Assessment and Treatment
This component involves identifying and analyzing risks to your organization’s information security.
Organization-Specific Controls
Beyond the Annex A controls list, the standard allows organizations to design additional controls or take them from other sources when the risk assessment calls for it.
Continual Improvement
ISO 27001 demands ongoing review and adaptation of the ISMS to address new threats.
A Mature Security Posture
When you have successfully implemented ISO/IEC 27001, you have a thorough and dynamic framework that significantly strengthens your information security management. The benefits of this implementation extend across many facets of your organization.
Trust with Stakeholders
In competitive markets, having an ISO/IEC 27001 certification can serve as a key differentiator, demonstrating a proven commitment to information security and risk management.
Operational Efficiency
The process of aligning with ISO/IEC 27001 often leads to more streamlined and efficient operational processes.
Cultural Shift Towards Security
This shift builds an organizational culture that values security, with employees becoming more aware and proactive about protecting organizational assets.