ISO 27001:2022 Security Domains
This page focuses on the Security domains attribute (attribute e) that ISO/IEC 27002:2022 assigns to each of the controls making up Annex A of ISO/IEC 27001:2022. The Security domains perspective groups controls under four domains: Governance and Ecosystem, Protection, Defence, and Resilience. A control can carry more than one domain value, which is why several controls appear in more than one of the tables below. Classifying controls in this way lets an organization manage its information security program by domain, assign responsibilities clearly, and ensure comprehensive risk management and compliance with ISO/IEC 27001.

Governance and Ecosystem Controls
5. Organizational
A.5.01 | Policies for information security |
A.5.02 | Information security roles and responsibilities |
A.5.03 | Segregation of duties |
A.5.04 | Management responsibilities |
A.5.08 | Information security in project management |
A.5.09 | Inventory of information and other associated assets |
A.5.10 | Acceptable use of information and associated assets |
A.5.19 | Information security in supplier relationships |
A.5.20 | Addressing information security within supplier agreements |
A.5.21 | Managing information security in the ICT supply chain |
A.5.22 | Monitoring, review and change management of supplier services |
A.5.23 | Information security for use of cloud services |
A.5.31 | Identification of legal, statutory, regulatory and contractual requirements |
A.5.32 | Intellectual property rights |
A.5.35 | Independent review of information security |
A.5.36 | Compliance with policies and standards for information security |
A.5.37 | Documented operating procedures |
6. People
A.6.01 | Screening |
A.6.02 | Terms and conditions of employment |
A.6.03 | Information security awareness, education and training |
A.6.04 | Disciplinary process |
A.6.05 | Responsibilities after termination or change of employment |
A.6.06 | Confidentiality or non-disclosure agreements |
7. Physical
N/A
8. Technological
A.8.06 | Capacity management |
A.8.08 | Management of technical vulnerabilities |
A.8.30 | Outsourced development |
A.8.34 | Protection of information systems during audit testing |
Protection Controls
5. Organizational
A.5.02 | Information security roles and responsibilities |
A.5.08 | Information security in project management |
A.5.09 | Inventory of information and other associated assets |
A.5.10 | Acceptable use of information and associated assets |
A.5.11 | Return of assets |
A.5.12 | Classification of information |
A.5.13 | Labelling of information |
A.5.14 | Information transfer |
A.5.15 | Access control |
A.5.16 | Identity management |
A.5.17 | Authentication information |
A.5.18 | Access rights |
A.5.19 | Information security in supplier relationships |
A.5.20 | Addressing information security within supplier agreements |
A.5.21 | Managing information security in the ICT supply chain |
A.5.22 | Monitoring, review and change management of supplier services |
A.5.23 | Information security for use of cloud services |
A.5.29 | Information security during disruption |
A.5.31 | Identification of legal, statutory, regulatory and contractual requirements |
A.5.34 | Privacy and protection of PII |
A.5.37 | Documented operating procedures |
6. People
A.6.07 | Remote working |
7. Physical
A.7.01 | Physical security perimeter |
A.7.02 | Physical entry |
A.7.03 | Security offices, rooms and facilities |
A.7.04 | Physical security monitoring |
A.7.05 | Protecting against physical and environmental threats |
A.7.06 | Working in secure areas |
A.7.07 | Clear desk and clear screen |
A.7.08 | Equipment siting and protection |
A.7.09 | Security of assets off-premises |
A.7.10 | Storage media |
A.7.11 | Supporting utilities |
A.7.12 | Cabling security |
A.7.13 | Equipment maintenance |
A.7.14 | Secure disposal or re-use of equipment |
8. Technological
A.8.01 | User endpoint devices |
A.8.02 | Privileged access rights |
A.8.03 | Information access restriction |
A.8.04 | Access to source code |
A.8.05 | Secure authentication |
A.8.06 | Capacity management |
A.8.07 | Protection against malware |
A.8.08 | Management of technical vulnerabilities |
A.8.09 | Configuration management |
A.8.10 | Information deletion |
A.8.11 | Data masking |
A.8.12 | Data leakage prevention |
A.8.13 | Information backup |
A.8.14 | Redundancy of information processing facilities |
A.8.15 | Logging |
A.8.17 | Clock synchronization |
A.8.18 | Use of privileged utility programs |
A.8.19 | Installation of software on operational systems |
A.8.20 | Network security |
A.8.21 | Security of network services |
A.8.22 | Segregation of networks |
A.8.23 | Web filtering |
A.8.24 | Use of cryptography |
A.8.25 | Secure development lifecycle |
A.8.26 | Application security requirements |
A.8.27 | Secure system architecture and engineering principles |
A.8.28 | Secure coding |
A.8.29 | Security testing in development and acceptance |
A.8.30 | Outsourced development |
A.8.31 | Separation of development, test and production environments |
A.8.32 | Change management |
A.8.33 | Test information |
A.8.34 | Protection of information systems during audit testing |
Defence Controls
5. Organizational
A.5.05 | Contact with authorities |
A.5.06 | Contact with special interest groups |
A.5.07 | Threat intelligence |
A.5.12 | Classification of information |
A.5.13 | Labelling of information |
A.5.22 | Monitoring, review and change management of supplier services |
A.5.24 | Information security incident management responsibilities and preparation |
A.5.25 | Assessment and decision on information security events |
A.5.26 | Response to information security incidents |
A.5.27 | Learning from information security incidents |
A.5.28 | Collection of evidence |
A.5.33 | Protection of records |
A.5.37 | Documented operating procedures |
6. People
A.6.08 | Information security event reporting |
7. Physical
A.7.04 | Physical security monitoring |
8. Technological
A.8.07 | Protection against malware |
A.8.08 | Management of technical vulnerabilities |
A.8.12 | Data leakage prevention |
A.8.15 | Logging |
A.8.16 | Monitoring activities |
A.8.17 | Clock synchronization |
Resilience Controls
5. Organizational
A.5.01 | Policies for information security |
A.5.02 | Information security roles and responsibilities |
A.5.05 | Contact with authorities |
A.5.07 | Threat intelligence |
A.5.29 | Information security during disruption |
A.5.30 | ICT readiness for business continuity |
6. People
N/A
7. Physical
N/A
8. Technological
A.8.14 | Redundancy of information processing facilities |
Introduction to Security Domains
ISO/IEC 27002:2022 assigns each Annex A control a set of attributes that organizations can use to categorize and present the controls from different perspectives, for different audiences and objectives. One of these is the Security domains attribute, which provides a strategic view of controls through four overarching security themes. This chapter introduces how Security domains supports coherent governance and risk management while keeping the ISMS aligned with broader organizational requirements.
Explanation of Security Domains
The Security domains attribute provides a high-level categorization of controls into four overarching areas: Governance and Ecosystem, Protection, Defence, and Resilience. Each domain groups related controls so that organizations can manage and communicate their information security efforts in a cohesive way. Below is a more detailed explanation of each domain and how it contributes to an organization’s information security management.
1. Governance and Ecosystem
This domain focuses on the broader strategic and environmental context in which information security operates. It brings together two critical areas:
Information System Security Governance & Risk Management
– Governance Structure: Establishes the policies, frameworks, and decision-making bodies that guide an organization’s security posture.
– Roles and Responsibilities: Defines clear accountability for security-related decisions, ensuring that senior management, IT teams, and other stakeholders know their obligations.
– Risk Management Processes: Covers the identification, assessment, and treatment of risks to the organization’s information assets. This includes ongoing risk reviews and updates to security policies as needed.
Ecosystem Cybersecurity Management
– Internal and External Stakeholders: Recognizes that security extends beyond the organization’s internal boundaries to include partners, suppliers, regulators, and customers.
– Third-Party Risk: Involves assessing the security practices of external parties and integrating those findings into overall governance.
– Legal and Regulatory Requirements: Ensures compliance with standards, laws, and regulations that govern how data is handled, stored, and protected in various jurisdictions.
2. Protection
The Protection domain brings together all the controls and measures designed to prevent security incidents and shield organizational assets from threats. It encompasses several sub-areas:
IT Security Architecture
– Design Principles: Involves secure network, system, and application design.
– Defense-in-Depth: Encourages multiple layers of security controls such as firewalls, intrusion prevention systems, and segmentation.
IT Security Administration
– Security Procedures: Covers the day-to-day tasks and operational processes that ensure the secure configuration and maintenance of IT systems.
– Tool Management: Involves managing and configuring anti-malware, intrusion detection systems, and other protection tools.
Identity and Access Management (IAM)
– Authentication and Authorization: Ensures only the right individuals have access to the right resources at the right time.
– Access Controls: Includes processes such as provisioning, de-provisioning, and role-based access control.
IT Security Maintenance
– Patch Management: Regular updates and patches for software and systems.
– Vulnerability Management: Routine scanning, identification, and remediation of security weaknesses.
Physical and Environmental Security
– Facility Access: Protects physical premises with locks, surveillance, and visitor management.
– Environmental Controls: Ensures stable conditions (temperature, humidity, power supply) to maintain system integrity and availability.
3. Defence
While Protection aims to prevent security incidents, the Defence domain focuses on detecting incidents promptly and responding effectively when they occur:
Detection
– Monitoring and Alerting: Involves continuous surveillance of networks, systems, and applications for signs of anomalous activity.
– Threat Intelligence: Incorporates threat feeds and intelligence reports to stay informed about emerging vulnerabilities and attack methods.
– Event Correlation: Uses security information and event management (SIEM) tools to correlate and analyze large volumes of log data.
Computer Security Incident Management
– Incident Response Process: Defines procedures for identifying, containing, investigating, and resolving security incidents.
– Incident Coordination: Ensures effective communication among IT teams, management, legal counsel, and external stakeholders during an incident.
– Evidence Collection and Forensics: Handles potential legal or investigative requirements, ensuring that digital evidence is preserved correctly.
4. Resilience
Resilience addresses the ability of an organization to continue operations and recover quickly in the face of disruptions, whether caused by security incidents or other emergencies:
Continuity of Operations
– Business Continuity Planning: Ensures critical processes can run or quickly resume during disruptions.
– Disaster Recovery: Focuses on the rapid restoration of IT infrastructure and data after events like natural disasters or major cyberattacks.
Crisis Management
– Command and Control Structure: Defines leadership hierarchy, communication channels, and decision-making protocols in crisis scenarios.
– Communication Plans: Outlines how and when to communicate with employees, customers, partners, and media outlets during and after a crisis.
– Plan Testing and Exercises: Conducts simulations, drills, and tabletop exercises to validate resilience strategies.
Through these activities, Resilience ensures that the organization not only survives disruptions but also learns and evolves from them. This proactive approach mitigates operational downtime, safeguards reputation, and strengthens stakeholder confidence.
Purpose and Value of Using Security Domains
The Security domains attribute is not just a way to label controls; it forms a strategic framework that enables organizations to more effectively plan, implement, and continually improve their information security posture. Below are several key benefits and the underlying reasons why Security domains can be so valuable:
Holistic Oversight
Comprehensive Perspective
By categorizing controls into four broad areas—Governance and Ecosystem, Protection, Defence, and Resilience—organizations gain a clear, top-down view of their entire security program. This prevents oversight of critical areas and ensures balance among governance structures, protective measures, detection and response capabilities, and business continuity.
Integration with Business Objectives
Security domains help articulate the impact of security activities in the context of broader organizational goals. When senior leadership sees how Governance and Ecosystem supports risk management, or how Resilience underpins operational continuity, it becomes easier to justify investments and align security initiatives with overall strategy.
Streamlined Accountability
Grouping controls by domain allows for the assignment of clear responsibilities to specific roles or departments. For instance, IT might own Protection, while a risk management or governance committee might oversee Governance and Ecosystem. This delineation helps avoid confusion over who is responsible for maintaining or updating particular controls.
Enhanced Risk Management
Targeted Threat Mitigation
Each domain addresses a specific stage or aspect of security—prevention (Protection), detection and response (Defence), and recovery (Resilience). Mapping threats and vulnerabilities to the relevant domain helps in systematically deploying controls where they can be most effective.
Focus on Emerging Risks
Governance and Ecosystem provides a structure for continuously monitoring the internal and external environment. This includes changes in regulatory landscapes, third-party risks, and new threat vectors. As a result, the organization can promptly revise its strategies and controls when new risks emerge.
Prioritization and Gap Identification
When controls are grouped under domains, organizations can more easily identify domains with insufficient coverage. This highlights areas needing additional investment or attention—such as improving detection capabilities in Defence or bolstering continuity planning in Resilience.
Focused Resource Allocation
Budget and Funding
Breaking down the security program into four domains helps management and security teams allocate budgets more strategically. Funding can be directed to areas with the highest risk or potential return on investment.
Personnel and Skill Requirements
Each domain may require different skill sets. For example, Protection might emphasize technical engineering skills, while Governance and Ecosystem could focus on policy and compliance expertise. Knowing exactly which domain needs which skills streamlines recruitment and training efforts.
Technology and Tool Investment
By understanding which technologies apply to which domain, organizations can invest in more specialized tools. For instance, a Security Information and Event Management (SIEM) solution could bolster Defence by enhancing detection and incident correlation, whereas robust backup solutions are critical for Resilience.
Improved Stakeholder Engagement
Clarity for Senior Management and Board
Presenting security controls and activities under distinct domains provides an accessible, high-level structure that resonates with non-technical leaders. It clarifies the “big picture” of how security supports business objectives.
Collaboration with Other Departments
Departments such as HR, Legal, and Operations can better understand their roles when controls are grouped into well-defined domains. For example, HR can align training and background checks under Protection or Governance and Ecosystem, depending on the nature of the control.
External Communication and Reporting
Explaining the organization’s security maturity to partners, customers, or regulators is more straightforward when using recognized high-level categories. Demonstrating that you have robust controls in Defence and Resilience can build confidence in your ability to respond to incidents and recover critical services.
Continuous Improvement and Adaptability
Scalable Framework
As an organization grows or as threats evolve, the Security domains model remains flexible. New controls or processes can be added to the relevant domain without overhauling the entire security strategy.
Feedback Loops and Metrics
Monitoring performance within each domain—such as time to detect incidents in Defence or recovery time in Resilience—helps identify specific areas for improvement. Over time, these metrics drive continuous refinement of policies, processes, and controls.
Alignment with Other Frameworks
Many security and risk management frameworks, from NIST to COBIT, emphasize similar pillars or domains. Using the ISO 27001 Security domains can complement other frameworks, ensuring consistent language and structure across multiple compliance requirements.
Practical Steps for Implementation
Implementing the Security domains attribute requires a structured approach to ensure each control is appropriately placed and managed. Below is a detailed roadmap to guide organizations through the process:
Map Existing Controls to Domains
Inventory All Controls
Begin by creating or updating a comprehensive list of all existing information security controls. This inventory should encompass technical measures (e.g., firewalls, authentication systems), procedural controls (e.g., incident response plans, guidelines), and physical safeguards (e.g., locked doors, CCTV).
Analyze the Control’s Primary Function
For each control, determine its main objective. Is it focused on governance oversight, protective barriers, incident detection and response, or business continuity and crisis management? This step helps you understand which domain—Governance and Ecosystem, Protection, Defence, or Resilience—the control best fits into.
Use Attribute Definitions
Refer to the detailed definitions of each domain to confirm that you are categorizing controls consistently. If a control appears to overlap multiple domains, determine where it is most effectively managed or most relevant. Alternatively, you can note any secondary domain associations for a more nuanced view.
Document the Mapping
Record your mapping in a centralized repository (e.g., a spreadsheet or a governance, risk, and compliance (GRC) tool). This documentation should include the control name, description, owner, and the assigned security domain(s).
Identify Domain-Specific Gaps
Assess Coverage Within Each Domain
After mapping controls, evaluate whether each domain has sufficient coverage. For instance, do you have adequate detection capabilities under Defence? Are your continuity plans robust enough under Resilience?
Evaluate Against Risks
Cross-reference your control inventory with a risk assessment or threat model. This helps determine if your current controls are mitigating identified risks effectively within each domain.
Review Regulatory and Business Requirements
Align the Security domains with your organization’s legal, regulatory, and contractual obligations. Confirm that all necessary compliance controls are assigned and adequately addressed in the relevant domain.
Create a Gap Remediation Plan
For each gap, define clear actions to close or reduce the gap. This might involve acquiring new tools, refining existing processes, or creating entirely new controls or procedures.
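The mapping and gap-assessment steps above, as an added example that is not part of the ISO standards or of this page's own material: a Python script that parses control tables written in the row format used on this page ("A.x.yy | Title |" under a "<Domain> Controls" heading), normalises the identifiers, collects the set of domains for each control, and then reports per-domain coverage, domains left empty, controls carrying more than one domain value, and expected identifiers that appear in no table. The SAMPLE text and EXPECTED_IDS list are constructed subsets for the demonstration; DOMAINS, parse_mapping and coverage_report are names chosen here.

```python
"""Parse control tables in the "A.x.yy | Title |" row format, build the
control-to-domain mapping, and report per-domain coverage and gaps.

Added example, not part of ISO/IEC 27001/27002. SAMPLE and EXPECTED_IDS are
constructed for the demonstration; a real run would be fed the full Annex A
tables and the complete list of control identifiers.
"""
import re

DOMAINS = ("Governance and Ecosystem", "Protection", "Defence", "Resilience")

# Constructed sample in the page's own layout: a "<Domain> Controls" heading,
# optional "N. Theme" sub-headings or "N/A", then one row per control.
SAMPLE = """\
Governance and Ecosystem Controls
5. Organizational
A.5.01 | Policies for information security |
A.5.03 | Segregation of duties |
A.5.22 | Monitoring, review and change management of supplier services |
7. Physical
N/A
Protection Controls
5. Organizational
A.5.22 | Monitoring, review and change management of supplier services |
8. Technological
A.8.15 | Logging |
Defence Controls
A.5.22 | Monitoring, review and change management of supplier services |
A.5.24 | Information security incident management responsibilities and preparation |
A.6.8 | Information security event reporting |
A.8.15 | Logging |
"""

# Constructed: identifiers the inventory is expected to cover (a subset of Annex A).
EXPECTED_IDS = ["A.5.1", "A.5.3", "A.5.22", "A.5.24", "A.5.30", "A.6.8", "A.8.15"]

HEADING = re.compile(r"^(.+?) Controls$")
ROW = re.compile(r"^A\.(\d)\.(\d{1,2})\s*\|\s*(.+?)\s*\|?\s*$")


def control_key(cid):
    """Sort key so that A.5.3 precedes A.5.22 (numeric, not lexical)."""
    return tuple(int(p) for p in cid[2:].split("."))


def parse_mapping(text):
    """Return {control_id: {"title": str, "domains": set}}.

    Identifiers are normalised to A.x.y without zero padding, so rows written
    as A.6.8 and A.6.08 are recognised as the same control.
    """
    mapping = {}
    domain = None
    for raw in text.splitlines():
        line = raw.strip()
        heading = HEADING.match(line)
        if heading and heading.group(1) in DOMAINS:
            domain = heading.group(1)
            continue
        row = ROW.match(line)
        if not row:
            continue  # theme sub-heading, "N/A", or blank line
        if domain is None:
            raise ValueError(f"control row before any domain heading: {line!r}")
        cid = f"A.{row.group(1)}.{int(row.group(2))}"
        entry = mapping.setdefault(cid, {"title": row.group(3), "domains": set()})
        entry["domains"].add(domain)
    return mapping


def coverage_report(mapping, expected_ids):
    """Summarise the mapping for the gap-assessment step.

    per_domain   : control ids tagged with each domain
    empty_domains: domains with no control at all (an obvious coverage gap)
    multi_domain : controls carrying more than one domain value
    unmapped     : expected ids that appear in no domain table
    """
    per_domain = {
        d: sorted((c for c, e in mapping.items() if d in e["domains"]), key=control_key)
        for d in DOMAINS
    }
    return {
        "per_domain": per_domain,
        "empty_domains": [d for d in DOMAINS if not per_domain[d]],
        "multi_domain": {
            c: sorted(e["domains"]) for c, e in mapping.items() if len(e["domains"]) > 1
        },
        "unmapped": sorted(set(expected_ids) - set(mapping), key=control_key),
    }


if __name__ == "__main__":
    report = coverage_report(parse_mapping(SAMPLE), EXPECTED_IDS)
    for domain, ids in report["per_domain"].items():
        print(f"{domain:<25} {len(ids):>2} controls: {', '.join(ids)}")
    print("empty domains :", report["empty_domains"])
    print("multi-domain  :", report["multi_domain"])
    print("unmapped      :", report["unmapped"])
```

Run as a script it prints the coverage table for the constructed sample: Resilience comes out empty and A.5.30 is reported as unmapped, which is exactly the kind of gap the assessment step is meant to surface. The identifier normalisation is deliberate: inventories exported from different tools often disagree on zero padding, and without it the same control would be counted twice.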
Assign Responsibilities and Owners
Establish Domain Leads
Assign a specific individual or team to oversee each domain. These “Domain Leads” ensure that relevant controls are maintained, updated, and effective. For example, a CISO or compliance officer may lead Governance and Ecosystem, while the IT Security Operations team could lead Protection.
Delegate Control Owners
Each control within a domain should also have an owner (or owners) responsible for day-to-day implementation and oversight. Defining these responsibilities early avoids confusion and aids accountability.
Define Reporting Structures
Ensure each domain lead reports regularly to the overall information security governance committee or equivalent body. This structured reporting keeps senior management informed about domain-specific risks, developments, and performance.
Integrate with Other Attributes and Frameworks
Combine with ISO 27001 Requirements
The Security domains attribute is just one perspective on the Annex A controls. Cross-reference the ISO 27001 clauses themselves (e.g., risk assessment and treatment, performance evaluation) to ensure comprehensive alignment.
Leverage Other Control Attributes
ISO/IEC 27002:2022 defines four further attributes alongside Security domains: Control type (Preventive, Detective, Corrective), Information security properties (Confidentiality, Integrity, Availability), Cybersecurity concepts (Identify, Protect, Detect, Respond, Recover), and Operational capabilities (for example Governance, Asset management, Information protection, Continuity). Combining these attributes provides a multidimensional view of how and why controls are implemented.
Map to Other Frameworks
If your organization uses additional standards (NIST CSF, COBIT, PCI-DSS, etc.), align the Security domains with the corresponding sections or controls in these frameworks. This approach streamlines compliance efforts and ensures consistent messaging across multiple audits or assessments.
Communicate and Train
Educate Stakeholders
Develop clear, concise training materials or presentations that explain the four security domains, their purpose, and the organization’s overarching strategy. This clarity fosters buy-in from senior management and cooperation from operational teams.
Domain-Specific Training
Provide tailored training for teams working within a specific domain. For example, staff in Protection may need technical courses on secure configurations or patch management, while those in Defence require training on incident detection tools and forensics.
Awareness Campaigns
Raise general security awareness by sharing success stories or lessons learned from past incidents. Highlight how each domain plays a role in preventing or responding to such incidents.
Measure and Refine
Define Metrics and KPIs
Establish metrics specific to each domain. Protection could measure patching speed or vulnerability remediation time, Defence might track mean time to detect (MTTD) or mean time to respond (MTTR), and Resilience could focus on recovery time objectives (RTO) and recovery point objectives (RPO).
Regular Performance Reviews
Schedule periodic reviews with each domain lead to assess performance against defined metrics. Discuss successes, challenges, and potential improvements.
Continuous Improvement Loop
Use the insights from performance metrics, incident reports, and stakeholder feedback to refine or update controls within each domain. This ongoing process aligns with ISO 27001’s requirement for continuous improvement of the ISMS.
Potential Templates to Assist
The following types of templates could facilitate the use of the Security domains attribute:
- Security Domain Mapping Template: an ISO 27002 controls spreadsheet that maps each control to one or more of the four security domains.
- Risk Assessment Matrix by Domain: a matrix to prioritize risks and plan treatments aligned with each domain.
- Incident Response Playbook: documentation outlining escalation and remediation steps for the Defence and Resilience domains.
Conclusion
Implementing the Security domains attribute offers a strategic lens through which to view and manage ISO/IEC 27001 controls. By classifying controls as part of Governance and Ecosystem, Protection, Defence, or Resilience, organizations can align security objectives with risk management activities, ensure the coherence of security efforts, and communicate effectively with both internal stakeholders and external partners.