ISO 27001 2022 controls

  • Excel document
  • Guide to implementing ISO 27002 2022 controls
  • Internal audit instructions
  • Comparison of 27001:2013 and 27001:2022 controls
  • Additional control details

What Are the ISO 27001 2022 Controls?

ISO 27001 is an internationally recognized standard designed to help organizations protect their information’s Confidentiality, Integrity, and Availability. It provides a set of security controls that your organization can implement to protect your sensitive data.

These ISO 27001 2022 controls outline actions—including policies, processes, and procedures—that organizations must take to meet ISO 27001’s security requirements. Organized into four main themes—People, Organizational, Technological, and Physical—these control categories equip organizations to manage and mitigate risks to an acceptable level, strengthening their overall security posture.

How Many Controls Does ISO 27001 Annex A Have?

ISO 27001:2022 Annex A includes 93 controls, divided into four categories. 

  • Clause 5: Organizational Controls (37 controls)
  • Clause 6: People Controls (8 controls)
  • Clause 7: Physical Controls (14 controls)
  • Clause 8: Technological Controls (34 controls)

New ISO 27001 2022 controls

There are 11 new controls that have been added to the ISO 27001 2022 framework, which include: 

  • Threat intelligence (Control 5.7): requires companies to collect and analyze information relating to information security threats 

  • Information security for use of cloud services (Control 5.23): requires companies to specify and manage information security for the use of cloud services

  • ICT readiness for business continuity (Control 5.30): requires companies to create an ICT continuity plan to maintain operational resilience 

  • Physical security monitoring (Control 7.4): requires companies to detect and prevent external and internal intruders by deploying suitable surveillance tools

  • Configuration management (Control 8.9): requires companies to establish policies to manage how they document, implement, monitor, and review the use of configurations across their entire network

  • Information deletion (Control 8.10): provides guidance on how to manage data deletion to comply with laws and regulations

  • Data masking (Control 8.11): provides data masking techniques for personally identifiable information (PII) to comply with laws and regulations

  • Data leakage prevention (Control 8.12): requires companies to implement technical measures that detect and prevent the disclosure and/or extraction of information

  • Monitoring activities (Control 8.16): provides guidance on improving network monitoring activities to identify anomalous behavior and address security events and incidents 

  • Web filtering (Control 8.23): requires companies to enforce access controls and measures to restrict and control access to external websites 

  • Secure coding (Control 8.28): requires companies to follow secure coding principles to prevent vulnerabilities caused by poor coding methods
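Control 8.11 names data masking without showing what a masking routine looks like. The following is an added example, not code from this page or from the ISO standard: it applies three common techniques (partial masking, redaction, and keyed pseudonymization) to a constructed customer record, and finishes with a check that no raw sensitive value survived into the masked output. The record, field names, and the HMAC key are assumptions for illustration.

```python
"""Added example: three masking techniques applied to a constructed PII record.
Not from the page or the ISO standard; field names and key are assumed."""
import hashlib
import hmac
import re

# Constructed sample record; not real personal data.
SAMPLE_RECORD = {
    "name": "Ada Example",
    "email": "ada.example@example.org",
    "card_number": "4111 1111 1111 1111",
    "phone": "+1-555-010-0199",
}

# Fields whose original value must never appear in masked output.
SENSITIVE_FIELDS = ("name", "email", "card_number", "phone")


def mask_digits(value: str, keep_last: int = 4) -> str:
    """Partial masking: strip non-digits and keep only the last `keep_last`
    digits, the form a support desk typically sees for card or phone numbers."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep_last:
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def mask_email(address: str) -> str:
    """Redaction: hide the local part except its first character, keep the
    domain so aggregate reporting (for example, by provider) still works."""
    local, sep, domain = address.partition("@")
    if not sep:
        return "*" * len(address)
    visible = local[:1]
    return visible + "*" * (len(local) - len(visible)) + "@" + domain


def pseudonymize(value: str, key: bytes, length: int = 16) -> str:
    """Keyed pseudonymization: a deterministic token (HMAC-SHA256, truncated)
    so records can still be joined on the same person, but the original value
    cannot be recovered without the key. Unlike a plain hash, an attacker
    cannot confirm a guess by recomputing it."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_record(record: dict, key: bytes) -> dict:
    """Apply the technique appropriate to each field; copy other fields as-is."""
    masked = dict(record)
    masked["name"] = pseudonymize(record["name"], key)
    masked["email"] = mask_email(record["email"])
    masked["card_number"] = mask_digits(record["card_number"])
    masked["phone"] = mask_digits(record["phone"])
    return masked


def leaks_raw_pii(original: dict, masked: dict) -> bool:
    """Control check: True if any original sensitive value (or its digit-only
    form) appears verbatim anywhere in the masked record."""
    haystack = " ".join(str(v) for v in masked.values())
    for field in SENSITIVE_FIELDS:
        raw = str(original[field])
        candidates = {raw, re.sub(r"\D", "", raw)}
        candidates.discard("")
        if any(c in haystack for c in candidates):
            return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumed; in practice from a secrets store
    out = mask_record(SAMPLE_RECORD, key)
    print(out)
    print("raw PII leaked:", leaks_raw_pii(SAMPLE_RECORD, out))
```

The choice between techniques follows the purpose for which the masked copy is released: partial masking where a human needs to recognise a value, redaction where only an aggregate attribute (here the domain) matters, and keyed pseudonymization where records must remain linkable across datasets. The final check is the evidence an auditor would ask for: that the masking step cannot be bypassed by a field that was simply copied through.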

ISO 27001 2022 Control Themes Overview

5. Organizational Controls 

Organizational controls include a broad range of security measures, including information security policy, asset management, and cloud service usage. This section addresses elements that do not strictly fall under people, technology, or physical security, such as identity management, management responsibilities, the role of information security professionals, and evidence collection.

Key New Controls in Organizational Security:

  • Control 5.7: Threat Intelligence
    Goes beyond identifying malicious domains: organizations collect and analyze threat information so they can understand and anticipate potential threats, and feed those insights back into their security posture.

  • Control 5.23: Information Security for Cloud Services
    Focuses on protecting cloud resources, reflecting the increasing reliance on cloud-based infrastructure.

  • Control 5.30: ICT Readiness for Business Continuity
    Ensures organizations are prepared to maintain critical operations in case of disruptions.

6. People Controls

The People category, with eight controls, is focused on protecting sensitive information through effective employee management. This section addresses remote work, confidentiality, nondisclosures, and screening, as well as critical processes like onboarding, offboarding, and incident reporting responsibilities.

Update:
No new ISO 27001 2022 controls were introduced for this theme.

7. Physical Controls

Physical controls protect against environmental and physical threats such as natural disasters, theft, and intentional damage. This section covers monitoring, maintenance, facility security, and media storage.

New Physical Control:

  • Control 7.4: Physical Security Monitoring
    Strengthens the ability to track and respond to physical security threats in real time.

8. Technological Controls

Technological controls focus on secure technology management, including authentication, encryption, data leakage prevention, access rights, network security, and data masking. This section emphasizes robust security practices to protect organizational data and resources.

Key New Technological Controls:

  • Control 8.11: Data Masking
    Enhances data privacy by obscuring sensitive information within the system.

  • Control 8.9: Configuration Management
    Maintains the integrity of systems through controlled configuration practices.

  • Control 8.10: Information Deletion
    Establishes protocols for securely deleting information no longer in use.

  • Control 8.12: Data Leakage Prevention
    Helps organizations prevent unauthorized data access or transfer, requiring significant investment to implement effectively.

  • Control 8.16: Monitoring Activities
    Provides guidelines for systematic monitoring of security activities across the organization.

  • Control 8.23: Web Filtering
    Outlines web traffic filtering measures to prevent user access to malicious sites.

  • Control 8.28: Secure Coding
    Encourages secure software development practices to reduce vulnerabilities in applications.

Highlight:
Data leakage prevention and web filtering are among the most impactful new ISO 27001 2022 Controls, addressing modern data security challenges and helping prevent unauthorized access and malware exposure.