ISO 27001:2022 Cybersecurity Concepts
This page details the “Cybersecurity Concepts” attribute that ISO/IEC 27002:2022 assigns to each of the Annex A controls of ISO/IEC 27001:2022. It explains how your organization can categorize and manage security controls using five key concepts (Identify, Protect, Detect, Respond and Recover) to strengthen its overall information security posture. A control can carry more than one concept, so some controls appear under several of the headings below. This attribute supports a clear, structured approach to addressing cybersecurity risks.


Identify Controls
5. Organizational
Control | Title |
---|---|
A.5.01 | Policies for information security |
A.5.02 | Information security roles and responsibilities |
A.5.04 | Management responsibilities |
A.5.05 | Contact with authorities |
A.5.07 | Threat intelligence |
A.5.08 | Information security in project management |
A.5.09 | Inventory of information and other associated assets |
A.5.12 | Classification of information |
A.5.19 | Information security in supplier relationships |
A.5.20 | Addressing information security within supplier agreements |
A.5.21 | Managing information security in the ICT supply chain |
A.5.22 | Monitoring, review and change management of supplier services |
A.5.23 | Information security for use of cloud services |
A.5.27 | Learning from information security incidents |
A.5.31 | Identification of legal, statutory, regulatory and contractual requirements |
A.5.32 | Intellectual property rights |
A.5.33 | Protection of records |
A.5.34 | Privacy and protection of PII |
A.5.35 | Independent review of information security |
A.5.36 | Compliance with policies and standards for information security |
6. People
None
7. Physical
None

Protect Controls
5. Organizational
Control | Title |
---|---|
A.5.03 | Segregation of duties |
A.5.05 | Contact with authorities |
A.5.06 | Contact with special interest groups |
A.5.08 | Information security in project management |
A.5.10 | Acceptable use of information and associated assets |
A.5.11 | Return of assets |
A.5.13 | Labelling of information |
A.5.14 | Information transfer |
A.5.15 | Access control |
A.5.16 | Identity management |
A.5.17 | Authentication information |
A.5.18 | Access rights |
A.5.27 | Learning from information security incidents |
A.5.29 | Information security during disruption |
A.5.33 | Protection of records |
A.5.34 | Privacy and protection of PII |
A.5.35 | Independent review of information security |
A.5.36 | Compliance with policies and standards for information security |
A.5.37 | Documented operating procedures |
6. People
7. Physical
Control | Title |
---|---|
A.7.01 | Physical security perimeter |
A.7.02 | Physical entry |
A.7.03 | Securing offices, rooms and facilities |
A.7.04 | Physical security monitoring |
A.7.05 | Protecting against physical and environmental threats |
A.7.06 | Working in secure areas |
A.7.07 | Clear desk and clear screen |
A.7.08 | Equipment siting and protection |
A.7.09 | Security of assets off-premises |
A.7.10 | Storage media |
A.7.11 | Supporting utilities |
A.7.12 | Cabling security |
A.7.13 | Equipment maintenance |
A.7.14 | Secure disposal or re-use of equipment |
8. Technological
Control | Title |
---|---|
A.8.01 | User endpoint devices |
A.8.02 | Privileged access rights |
A.8.03 | Information access restriction |
A.8.04 | Access to source code |
A.8.05 | Secure authentication |
A.8.06 | Capacity management |
A.8.07 | Protection against malware |
A.8.08 | Management of technical vulnerabilities |
A.8.09 | Configuration management |
A.8.10 | Information deletion |
A.8.11 | Data masking |
A.8.12 | Data leakage prevention |
A.8.14 | Redundancy of information processing facilities |
A.8.17 | Clock synchronization |
A.8.18 | Use of privileged utility programs |
A.8.19 | Installation of software on operational systems |
A.8.20 | Network security |
A.8.21 | Security of network services |
A.8.22 | Segregation of networks |
A.8.23 | Web filtering |
A.8.24 | Use of cryptography |
A.8.25 | Secure development lifecycle |
A.8.26 | Application security requirements |
A.8.27 | Secure system architecture and engineering principles |
A.8.28 | Secure coding |
A.8.30 | Outsourced development |
A.8.31 | Separation of development, test and production environments |
A.8.32 | Change management |
A.8.33 | Test information |
A.8.34 | Protection of information systems during audit and testing |
Respond Controls

5. Organizational
Control | Title |
---|---|
A.5.05 | Contact with authorities |
A.5.06 | Contact with special interest groups |
A.5.07 | Threat intelligence |
A.5.24 | Information security incident management planning and preparation |
A.5.25 | Assessment and decision on information security events |
A.5.26 | Response to information security incidents |
A.5.28 | Collection of evidence |
A.5.29 | Information security during disruption |
A.5.30 | ICT readiness for business continuity |
6. People
Control | Title |
---|---|
A.6.04 | Disciplinary process |
7. Physical
None
8. Technological
Control | Title |
---|---|
A.8.16 | Monitoring activities |
Recover Controls

Introduction to Cybersecurity Concepts
The Cybersecurity Concepts attribute provides a way for your organization to organize, evaluate, and enhance security controls by classifying them under five main functions: Identify, Protect, Detect, Respond, and Recover. These functions are further defined in ISO/IEC TS 27110 and serve as a framework for managing cybersecurity risks.
The Cybersecurity Concepts attribute complements the risk-based ISMS that ISO/IEC 27001 requires by offering a clear view of how each control contributes to overall cyber resilience. Your organization can use these concepts alongside the other control attributes to ensure that all relevant risks, processes, and activities are adequately addressed. This alignment helps maintain consistency with the standard’s requirements while promoting a systematic, risk-based approach to cybersecurity.
Overview of the Five Cybersecurity Concepts
This section explains each of the five cybersecurity concepts defined in ISO/IEC TS 27110: Identify, Protect, Detect, Respond, and Recover. These concepts help your organization develop a structured approach to information security by mapping existing and planned controls to specific functions. It includes descriptions, examples, and simple tables to illustrate how these concepts can be integrated into your security strategy.
Summary Table of Cybersecurity Concepts
Below is a summary table that outlines the primary objectives, examples of relevant controls, and typical outcomes for each of the five cybersecurity concepts.
Concept | Primary Objectives | Example Controls | Typical Outcomes |
---|---|---|---|
Identify | – Understand assets, vulnerabilities, and roles – Define governance and risk management standards | – Asset inventory – Data classification procedures – Governance frameworks | – Clear overview of critical assets – Informed decision-making – Priority-based allocation of resources |
Protect | – Safeguard data and systems – Limit unauthorized access | – Secure configurations – Access control mechanisms – Encryption protocols | – Reduced likelihood of breaches – Enhanced resilience – Minimized damage from external/internal threats |
Detect | – Identify incidents quickly – Monitor system activities | – Intrusion detection systems (IDS) – Security information and event management (SIEM) – Log analysis | – Early threat detection – Faster response time – Lower overall impact of incidents |
Respond | – Contain and mitigate ongoing threats – Execute incident handling procedures | – Incident response plan – Escalation process – Communication protocols | – Effective containment of incidents – Coordinated incident response – Reduced downtime and damage |
Recover | – Restore normal operations – Improve processes based on lessons learned | – Disaster recovery plans – Backup and restoration procedures – Post-incident reviews | – Rapid return to normal functioning – Continuous improvement in security posture – Enhanced business continuity |
Use this table as a quick reference to see how each concept can map to the specific actions and outcomes that drive your organization’s security goals.
1. Identify
Identify focuses on creating a clear understanding of your organization’s environment to determine what needs protection. It involves identifying assets, defining roles, analyzing the threat landscape, and determining risk exposures.
- Assets and Resources: You start by listing hardware, software, data repositories, and any other resources.
- Governance and Roles: You define who oversees cybersecurity tasks, who approves policies, and who manages daily security operations.
- Risk Assessment: You look at where potential threats could come from, including external attackers, insider threats, or accidental mishandling of data.
A structured Identify phase helps you set realistic security goals and assign resources. The table below breaks down key Identify activities in more detail.
Identify Activity | Description | Example Approach |
---|---|---|
Asset Inventory | Compile a list of hardware, software, and data assets | Use an automated discovery tool or maintain a central registry |
Data Classification | Categorize data based on sensitivity and confidentiality | Develop classification labels (e.g., Public, Internal, Confidential) |
Threat Landscape Review | Stay updated on current threats relevant to your operations | Conduct regular threat intelligence sessions |
Governance Framework | Define authority, accountability, and structure for security | Document roles and responsibilities in a governance policy |
Risk Assessment | Identify, analyze, and evaluate risks | Use a consistent methodology, such as qualitative risk scoring |
2. Protect
Protect encompasses the steps required to prevent or limit the impact of a security incident. It includes policies, processes, and technologies aimed at reducing vulnerabilities and preventing unauthorized access.
- Secure Configurations: Your organization ensures that systems are set up correctly with patches, updates, and minimal open ports.
- Access Control: Role-based or attribute-based access control (RBAC or ABAC) policies restrict who can view or modify critical data.
- Encryption and Data Protection: Data at rest and in transit are encrypted, ensuring confidentiality and integrity.
- User Awareness and Training: Regular training sessions help personnel recognize threats such as phishing, social engineering, and other common attack methods.
The table below summarizes core Protect activities:
Protect Activity | Objective | Example Control |
---|---|---|
Access Management | Limit access to authorized personnel only | Implement a privileged access management solution |
Secure Configuration | Enforce baseline configurations for all assets | Use standardized system images, apply security patches promptly |
Data Security | Keep data safe from unauthorized access | Encrypt sensitive data with a vetted algorithm in an authenticated mode (e.g., AES-256-GCM) and move it only over authenticated, encrypted channels (TLS, SFTP) |
Network Security | Control inbound and outbound traffic | Configure firewalls and enable intrusion prevention systems |
Security Training | Equip staff with knowledge to avoid threats | Conduct quarterly awareness programs, phishing simulations |
3. Detect
Detect focuses on identifying malicious activities, suspicious events, or anomalies as soon as possible. Effective detection mechanisms allow your organization to respond promptly and reduce the impact of an incident.
- Monitoring and Logging: Real-time monitoring of systems, networks, and applications helps flag unauthorized activities.
- Intrusion Detection Systems (IDS): These tools analyze traffic and behavior patterns to detect potential intrusions.
- Security Information and Event Management (SIEM): SIEM platforms correlate event logs from multiple sources and generate alerts based on predefined rules.
- Periodic Security Assessments: Conduct regular vulnerability scans, penetration tests, and log reviews to catch emerging issues.
Here is a table detailing the main elements of Detect:
Detect Activity | Focus | Implementation Example |
---|---|---|
Continuous Monitoring | Observe real-time system and network behavior | Deploy network monitoring solutions that issue alerts |
Log Management | Collect, store, and analyze event logs | Aggregate logs in a central SIEM system for correlation |
Threat Intelligence | Stay informed of new tactics and vulnerabilities | Use threat feeds or intelligence platforms to update detection rules |
Anomaly Detection | Identify unusual patterns in user or system behavior | Employ machine learning or statistical analysis on usage patterns |
Security Testing | Proactively find gaps in controls | Conduct vulnerability scans and penetration tests |
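The “predefined rules” a SIEM applies are usually small correlation checks over a stream of events. The following is an added example, not part of the original page: a brute-force-then-success rule that flags a source address which fails authentication at least N times within a sliding window and then succeeds. The sshd-style log format, the hosts, and the timestamps are all constructed for the example. Note the dependence on A.8.17 (clock synchronization): the window only means something if the logging hosts agree on the time.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed sshd-style syslog layout; not real data.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51002
2024-05-01T08:00:03Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51004
2024-05-01T08:00:05Z sshd[1201]: Failed password for root from 203.0.113.7 port 51006
2024-05-01T08:00:09Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51008
2024-05-01T08:00:12Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51010
2024-05-01T08:00:40Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 51012
2024-05-01T08:05:00Z sshd[1202]: Failed password for alice from 198.51.100.4 port 40010
2024-05-01T08:05:30Z sshd[1202]: Accepted password for alice from 198.51.100.4 port 40012
2024-05-01T09:30:00Z sshd[1203]: Failed password for bob from 192.0.2.9 port 33000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_events(text):
    """Parse log lines into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Timestamps are ISO 8601 with a trailing Z; rewrite so fromisoformat accepts them.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source has >= threshold failed logins inside `window`
    and then an accepted login. Failures are tracked per source address."""
    recent_failures = defaultdict(list)  # src -> failure timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # Drop failures that have aged out of the sliding window.
        recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent_failures[src].append(ev["ts"])
        elif len(recent_failures[src]) >= threshold:
            alerts.append({
                "src": src,
                "user": ev["user"],
                "failures": len(recent_failures[src]),
                "success_at": ev["ts"].isoformat(),
            })
            recent_failures[src].clear()  # one alert per success, not one per later event
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(parse_events(SAMPLE_LOGS)):
        print(f"ALERT brute-force-then-success src={alert['src']} user={alert['user']} "
              f"failures={alert['failures']} at={alert['success_at']}")
```

Run as-is it raises one alert, for 203.0.113.7 (five failures, then a success as admin); alice’s single typo does not trip it. Tune `threshold` and `window` to the environment, and key the state on the attribute an attacker cannot freely change for the attack you care about (source address here; for password spraying you would key on target user instead).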
4. Respond
Respond concentrates on actions your organization takes immediately after detecting a security incident. A coordinated response approach reduces damage and downtime.
- Incident Response Plan: A documented plan outlines the roles, responsibilities, and actions that staff should follow during an incident.
- Containment Strategies: Methods to isolate affected systems, block malicious IP addresses, or shut down compromised services.
- Communication Protocols: Who to inform, how to inform them, and what information to share internally and externally (customers, partners, regulators).
- Legal and Compliance Considerations: Ensure that legal obligations regarding breaches (such as notification requirements) are followed.
The following table illustrates common Respond measures:
Respond Activity | Key Step | Illustration |
---|---|---|
Incident Triage | Determine incident severity and impact | Classify incident type (e.g., malware outbreak, DDoS) |
Containment | Isolate, block, or neutralize the threat | Block malicious domains, isolate infected hosts |
Communication | Notify stakeholders and relevant teams | Send alerts to management, inform legal teams if needed |
Eradication | Remove malware or compromised components | Clean infected systems, patch vulnerabilities |
Documentation | Record incident details for future review | Maintain incident logs, note timeline of actions |
5. Recover
Recover ensures your organization returns to normal operations and learns from the incident. Recover goes beyond simply restoring data—it involves evaluating the root cause and refining processes to prevent similar events.
- Disaster Recovery Planning: Define how to restore systems, data, and operations to full functionality.
- Backup and Restoration: Keep backups in secure, offsite storage and test restoration procedures regularly.
- Post-Incident Analysis: Examine what went wrong, how controls performed, and how improvements can be made.
- Long-Term Remediation: Develop mitigation strategies to reduce the likelihood of recurrence, such as policy changes or additional security tools.
Below is a breakdown of key Recover components:
Recover Activity | Objective | Example Measures |
---|---|---|
System Restoration | Restore or rebuild systems from backups | Maintain offsite backups and test recovery procedures |
Business Continuity | Maintain critical services during and after disruptions | Use alternate sites or resources if primary locations fail |
Root Cause Analysis | Determine underlying factors that caused the incident | Perform forensic analysis, gather logs, and review controls |
Process Improvement | Use lessons learned to strengthen security | Update policies, refine configurations, enhance training |
Verification | Confirm that normal operations are fully reestablished | Check system functionality, validate data integrity |
Practical Application of the Cybersecurity Concepts
Mapping Controls to Each Concept
Your organization can map existing or new controls to one of the five cybersecurity functions. This process allows you to see which measures fall under Identify, Protect, Detect, Respond, or Recover. By doing so, you create a clear inventory of how each control contributes to cybersecurity outcomes. This mapping is also useful for identifying any weak points in your security posture.
For example:
- A patch management policy might fall under Protect.
- An Intrusion Detection System (IDS) maps to Detect.
- A formal incident response procedure can be labeled under Respond.
A structured spreadsheet can make it easier to track which controls are aligned with which concept. One resource that can simplify this process is the ISO 27002:2022 Controls Spreadsheet. This spreadsheet helps document, categorize, and update controls to reflect your security needs.
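Where a spreadsheet is not convenient, the same mapping can be held in code. The following is an added example, not the page’s spreadsheet or any ISO deliverable: it parses control lists in the same `A.x.yy | Title |` row layout used above (the excerpt is a constructed subset of the lists on this page), keeps every concept a control appears under, and reports which concepts a given set of applicable controls leaves uncovered. The set of applicable controls would normally come from your Statement of Applicability.

```python
import re
from collections import defaultdict

CONCEPTS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed excerpt in the page's row layout; a small subset, not the full mapping.
MAPPING_TEXT = """\
Identify Controls
A.5.01 | Policies for information security |
A.5.07 | Threat intelligence |
A.5.09 | Inventory of information and other associated assets |
Protect Controls
A.5.15 | Access control |
A.8.05 | Secure authentication |
A.8.24 | Use of cryptography |
Respond Controls
A.5.07 | Threat intelligence |
A.5.26 | Response to information security incidents |
A.8.16 | Monitoring activities |
"""

HEADING_RE = re.compile(r"^(Identify|Protect|Detect|Respond|Recover) Controls$")
ROW_RE = re.compile(r"^(A\.\d+\.\d+)\s*\|\s*(.+?)\s*\|?\s*$")


def parse_mapping(text):
    """Return (titles, concepts): control id -> title, control id -> set of concepts.
    A control listed under several headings collects several concepts."""
    titles, concepts = {}, defaultdict(set)
    current = None
    for line in text.splitlines():
        h = HEADING_RE.match(line.strip())
        if h:
            current = h.group(1)
            continue
        r = ROW_RE.match(line.strip())
        if r and current:
            ctl, title = r.groups()
            titles[ctl] = title
            concepts[ctl].add(current)
    return titles, dict(concepts)


def concept_coverage(concepts, applicable):
    """Count how many of the applicable controls back each concept.
    Ids absent from the mapping are returned separately so they are not silently lost."""
    counts = {c: 0 for c in CONCEPTS}
    unknown = []
    for ctl in applicable:
        if ctl not in concepts:
            unknown.append(ctl)
            continue
        for c in concepts[ctl]:
            counts[c] += 1
    return counts, unknown


def uncovered_concepts(counts):
    """Concepts with no applicable control behind them: the imbalance to look for."""
    return [c for c in CONCEPTS if counts[c] == 0]


if __name__ == "__main__":
    titles, concepts = parse_mapping(MAPPING_TEXT)
    counts, unknown = concept_coverage(concepts, list(concepts))
    for concept in CONCEPTS:
        print(f"{concept:<9} {counts[concept]} control(s)")
    print("uncovered:", uncovered_concepts(counts), "unknown ids:", unknown)
```

On the excerpt the report shows Detect and Recover with no controls behind them, which is exactly the “robust Protect, blind Detect” gap discussed below; the same check against your full applicable-control list tells you whether that gap is real or just an artefact of the subset.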
Aligning with Organizational Goals
Once controls have been mapped, ensure they align with your operational goals. For instance, if the organization’s focus is on preventing data breaches, you may emphasize the Protect function first. If you handle sensitive data daily, you could also prioritize Identify to maintain an accurate asset and data classification process.
Balancing these priorities is essential. Overemphasizing Protect without sufficient Detect measures may leave you unaware of incidents until they become more damaging. Similarly, having robust Respond capabilities without consistent Protect measures could mean your incident team is handling preventable events.
Maintaining and Improving Cybersecurity Readiness
Cyber threats evolve, so continuous improvement is key. Incorporate periodic reviews to check if controls are still effective, and consider emerging threats that may require new or updated controls. Examine incidents that occurred and evaluate whether your current mapping of controls helped mitigate the risk.
Activities to maintain readiness include:
- Conducting regular risk assessments.
- Testing incident response procedures.
- Reviewing new technologies or services that can strengthen existing controls.
Related Parts of ISO 27001
Annex A Controls and Their Relation to Cybersecurity Concepts
Annex A of ISO/IEC 27001 lists a range of security controls. Each control in Annex A can be viewed through the lens of the five cybersecurity concepts. For instance, controls related to information classification fit into Identify, while network security controls belong under Protect. ISO/IEC 27002:2022 already tags every control with one or more of these concepts, so start from that published mapping rather than inventing your own; mapping Annex A controls to the concepts in this way is a straightforward check that nothing is overlooked.
Integration with Risk Assessment Processes
ISO/IEC 27001 prioritizes a systematic risk management process. You can integrate the Cybersecurity Concepts attribute into this process by identifying how each risk is addressed (Identify, Protect, Detect, Respond, Recover). This approach provides a clear line of sight from risk identification to the specific controls that mitigate that risk. It also helps in prioritizing actions based on the organization’s risk profile and business objectives. Use the ISO 27001 Risk Assessment Template to organize the risk assessment process.
Alignment with Other Attributes (a, b, d, e)
ISO/IEC 27002:2022, which describes the Annex A controls in detail, gives each control five attributes: Control Type, Information Security Properties, Cybersecurity Concepts, Operational Capabilities and Security Domains. Aligning the other four with Cybersecurity Concepts gives a more robust view of how your organization’s ISMS operates. For example, a control marked as “Preventive” under Control Type can also be categorized under Protect or Identify, ensuring a comprehensive classification system that supports better decision-making.
Templates That Can Assist
Risk Assessment Template
A dedicated risk assessment template can help you systematically document which controls fall under each of the five concepts. You can list identified risks, map them to potential controls, and label those controls according to the relevant function (Identify, Protect, Detect, Respond, or Recover). This approach helps maintain consistency across your ISMS.
Incident Response Plan Template
This template outlines roles, responsibilities, and procedures for Respond. It clarifies communication protocols, escalation procedures, and how to handle various incident types. By embedding the Respond function throughout your incident response plan, you ensure that each step is clearly defined and immediately actionable.
Security Monitoring Checklist
A security monitoring checklist supports the Detect function. It typically includes recommended log reviews, alert thresholds, and defined procedures for investigating suspicious behavior. Using such a checklist can streamline daily security monitoring tasks and help your team respond more quickly to anomalies.
Business Continuity & Disaster Recovery Templates
These templates help you plan for the Recover function. They outline backup strategies, recovery time objectives, and other critical measures to restore normal operations if incidents cause major disruptions. Integrating these templates into your overall cybersecurity plan ensures that continuity efforts are synchronized with the rest of your security strategy.
Conclusion
By adopting the Cybersecurity Concepts attribute (Identify, Protect, Detect, Respond, Recover) within ISO/IEC 27001, your organization gains a structured way to classify and manage security controls. Mapping each control to one of these five functions clarifies your security posture and helps you prioritize resources where they are needed most. Integrating these concepts with other ISO/IEC 27001 attributes and leveraging relevant templates creates a comprehensive, dynamic approach to risk management. This strategy can lead to a more resilient security environment, greater alignment with business objectives, and a clear framework for continuous improvement.