ISO 27001:2022 Security Domains

ISO 27001 Security Domains

This page focuses on the Security domains attribute (attribute e) in ISO/IEC 27001. The Security domains perspective lets organizations group and view controls according to four key domains: Governance and Ecosystem, Protection, Defence, and Resilience. By classifying controls in this way, organizations can manage their information security program more easily, make responsibilities visible, and support comprehensive risk management and compliance with ISO/IEC 27001.


Governance and Ecosystem Controls

A.5 Organizational controls
A.5.1 Policies for information security
A.5.2 Information security roles and responsibilities
A.5.3 Segregation of duties
A.5.4 Management responsibilities
A.5.8 Information security in project management
A.5.9 Inventory of information and other associated assets
A.5.10 Acceptable use of information and associated assets
A.5.19 Information security in supplier relationships
A.5.20 Addressing information security within supplier agreements
A.5.21 Managing information security in the ICT supply chain
A.5.22 Monitoring, review and change management of supplier services
A.5.23 Information security for use of cloud services
A.5.31 Identification of legal, statutory, regulatory and contractual requirements
A.5.32 Intellectual property rights
A.5.35 Independent review of information security
A.5.36 Compliance with policies and standards for information security
A.5.37 Documented operating procedures

A.6 People controls
A.6.1 Screening
A.6.2 Terms and conditions of employment
A.6.3 Information security awareness, education and training
A.6.4 Disciplinary process
A.6.5 Responsibilities after termination or change of employment
A.6.6 Confidentiality or non-disclosure agreements

A.7 Physical controls
N/A

A.8 Technological controls
A.8.6 Capacity management
A.8.8 Management of technical vulnerabilities
A.8.30 Outsourced development
A.8.34 Protection of information systems during audit and testing

Protection Controls

A.5 Organizational controls
A.5.2 Information security roles and responsibilities
A.5.8 Information security in project management
A.5.9 Inventory of information and other associated assets
A.5.10 Acceptable use of information and associated assets
A.5.11 Return of assets
A.5.12 Classification of information
A.5.13 Labelling of information
A.5.14 Information transfer
A.5.15 Access control
A.5.16 Identity management
A.5.17 Authentication information
A.5.18 Access rights
A.5.19 Information security in supplier relationships
A.5.20 Addressing information security within supplier agreements
A.5.21 Managing information security in the ICT supply chain
A.5.22 Monitoring, review and change management of supplier services
A.5.23 Information security for use of cloud services
A.5.29 Information security during disruption
A.5.31 Identification of legal, statutory, regulatory and contractual requirements
A.5.34 Privacy and protection of PII
A.5.37 Documented operating procedures

A.6 People controls
A.6.7 Remote working

A.7 Physical controls
A.7.1 Physical security perimeter
A.7.2 Physical entry
A.7.3 Securing offices, rooms and facilities
A.7.4 Physical security monitoring
A.7.5 Protecting against physical and environmental threats
A.7.6 Working in secure areas
A.7.7 Clear desk and clear screen
A.7.8 Equipment siting and protection
A.7.9 Security of assets off-premises
A.7.10 Storage media
A.7.11 Supporting utilities
A.7.12 Cabling security
A.7.13 Equipment maintenance
A.7.14 Secure disposal or re-use of equipment

A.8 Technological controls
A.8.1 User endpoint devices
A.8.2 Privileged access rights
A.8.3 Information access restriction
A.8.4 Access to source code
A.8.5 Secure authentication
A.8.6 Capacity management
A.8.7 Protection against malware
A.8.8 Management of technical vulnerabilities
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.8.13 Information backup
A.8.14 Redundancy of information processing facilities
A.8.15 Logging
A.8.17 Clock synchronization
A.8.18 Use of privileged utility programs
A.8.19 Installation of software on operational systems
A.8.20 Network security
A.8.21 Security of network services
A.8.22 Segregation of networks
A.8.23 Web filtering
A.8.24 Use of cryptography
A.8.25 Secure development lifecycle
A.8.26 Application security requirements
A.8.27 Secure system architecture and engineering principles
A.8.28 Secure coding
A.8.29 Security testing in development and acceptance
A.8.30 Outsourced development
A.8.31 Separation of development, test and production environments
A.8.32 Change management
A.8.33 Test information
A.8.34 Protection of information systems during audit and testing

Defence Controls

A.5 Organizational controls
A.5.5 Contact with authorities
A.5.6 Contact with special interest groups
A.5.7 Threat intelligence
A.5.12 Classification of information
A.5.13 Labelling of information
A.5.22 Monitoring, review and change management of supplier services
A.5.24 Information security incident management responsibilities and preparation
A.5.25 Assessment and decision on information security events
A.5.26 Response to information security incidents
A.5.27 Learning from information security incidents
A.5.28 Collection of evidence
A.5.33 Protection of records
A.5.37 Documented operating procedures

A.6 People controls
A.6.8 Information security event reporting

A.7 Physical controls
A.7.4 Physical security monitoring

A.8 Technological controls
A.8.7 Protection against malware
A.8.8 Management of technical vulnerabilities
A.8.12 Data leakage prevention
A.8.15 Logging
A.8.16 Monitoring activities
A.8.17 Clock synchronization
A.8.26 Application security requirements

Resilience Controls

A.5 Organizational controls
A.5.1 Policies for information security
A.5.2 Information security roles and responsibilities
A.5.5 Contact with authorities
A.5.7 Threat intelligence
A.5.29 Information security during disruption
A.5.30 ICT readiness for business continuity

A.6 People controls
N/A

A.7 Physical controls
A.7.13 Equipment maintenance

A.8 Technological controls
A.8.14 Redundancy of information processing facilities

Introduction to Security Domains

In ISO/IEC 27001, organizations can use various attributes to categorize and present controls from different perspectives and for different audiences and objectives. One of these is the Security domains attribute, which provides a strategic view of controls through four overarching security themes. This chapter introduces how the Security domains attribute supports coherent governance and risk management while keeping security aligned with broader organizational requirements.

Explanation of Security Domains

The Security domains attribute provides a high-level categorization of controls into four overarching areas: Governance and Ecosystem, Protection, Defence, and Resilience. Each domain groups related controls so that organizations can manage and communicate their information security efforts in a cohesive way. Below is a more detailed explanation of each domain and how it contributes to an organization’s information security management.


1. Governance and Ecosystem

This domain focuses on the broader strategic and environmental context in which information security operates. It brings together two critical areas:

  1. Information System Security Governance & Risk Management
    – Governance Structure: Establishes the policies, frameworks, and decision-making bodies that guide an organization’s security posture.
    – Roles and Responsibilities: Defines clear accountability for security-related decisions, ensuring that senior management, IT teams, and other stakeholders know their obligations.
    – Risk Management Processes: Covers the identification, assessment, and treatment of risks to the organization’s information assets. This includes ongoing risk reviews and updates to security policies as needed.

  2. Ecosystem Cybersecurity Management
    – Internal and External Stakeholders: Recognizes that security extends beyond the organization’s internal boundaries to include partners, suppliers, regulators, and customers.
    – Third-Party Risk: Involves assessing the security practices of external parties and integrating those findings into overall governance.
    – Legal and Regulatory Requirements: Ensures compliance with standards, laws, and regulations that govern how data is handled, stored, and protected in various jurisdictions.


2. Protection

The Protection domain brings together all the controls and measures designed to prevent security incidents and shield organizational assets from threats. It encompasses several sub-areas:

  1. IT Security Architecture
    – Design Principles: Involves secure network, system, and application design.
    – Defense-in-Depth: Encourages multiple layers of security controls such as firewalls, intrusion prevention systems, and segmentation.

  2. IT Security Administration
    – Security Procedures: Covers the day-to-day tasks and operational processes that ensure the secure configuration and maintenance of IT systems.
    – Tool Management: Involves managing and configuring anti-malware, intrusion detection systems, and other protection tools.

  3. Identity and Access Management (IAM)
    – Authentication and Authorization: Ensures only the right individuals have access to the right resources at the right time.
    – Access Controls: Includes processes such as provisioning, de-provisioning, and role-based access control.

  4. IT Security Maintenance
    – Patch Management: Regular updates and patches for software and systems.
    – Vulnerability Management: Routine scanning, identification, and remediation of security weaknesses.

  5. Physical and Environmental Security
    – Facility Access: Protects physical premises with locks, surveillance, and visitor management.
    – Environmental Controls: Ensures stable conditions (temperature, humidity, power supply) to maintain system integrity and availability.


3. Defence

While Protection aims to prevent security incidents, the Defence domain focuses on detecting incidents promptly and responding effectively when they occur:

  1. Detection
    – Monitoring and Alerting: Involves continuous surveillance of networks, systems, and applications for signs of anomalous activity.
    – Threat Intelligence: Incorporates threat feeds and intelligence reports to stay informed about emerging vulnerabilities and attack methods.
    – Event Correlation: Uses security information and event management (SIEM) tools to correlate and analyze large volumes of log data.

  2. Computer Security Incident Management
    – Incident Response Process: Defines procedures for identifying, containing, investigating, and resolving security incidents.
    – Incident Coordination: Ensures effective communication among IT teams, management, legal counsel, and external stakeholders during an incident.
    – Evidence Collection and Forensics: Handles potential legal or investigative requirements, ensuring that digital evidence is preserved correctly.


4. Resilience

Resilience addresses the ability of an organization to continue operations and recover quickly in the face of disruptions, whether caused by security incidents or other emergencies:

  1. Continuity of Operations
    – Business Continuity Planning: Ensures critical processes can run or quickly resume during disruptions.
    – Disaster Recovery: Focuses on the rapid restoration of IT infrastructure and data after events like natural disasters or major cyberattacks.

  2. Crisis Management
    – Command and Control Structure: Defines leadership hierarchy, communication channels, and decision-making protocols in crisis scenarios.
    – Communication Plans: Outlines how and when to communicate with employees, customers, partners, and media outlets during and after a crisis.
    – Plan Testing and Exercises: Conducts simulations, drills, and tabletop exercises to validate resilience strategies.

Through these activities, Resilience ensures that the organization not only survives disruptions but also learns and evolves from them. This proactive approach mitigates operational downtime, safeguards reputation, and strengthens stakeholder confidence.

Purpose and Value of Using Security Domains

The Security domains attribute is not just a way to label controls; it forms a strategic framework that enables organizations to more effectively plan, implement, and continually improve their information security posture. Below are several key benefits and the underlying reasons why Security domains can be so valuable:


Holistic Oversight

  • Comprehensive Perspective
    By categorizing controls into four broad areas—Governance and Ecosystem, Protection, Defence, and Resilience—organizations gain a clear, top-down view of their entire security program. This prevents oversight of critical areas and ensures balance among governance structures, protective measures, detection and response capabilities, and business continuity.

  • Integration with Business Objectives
    Security domains help articulate the impact of security activities in the context of broader organizational goals. When senior leadership sees how Governance and Ecosystem supports risk management, or how Resilience underpins operational continuity, it becomes easier to justify investments and align security initiatives with overall strategy.

  • Streamlined Accountability
    Grouping controls by domain allows for the assignment of clear responsibilities to specific roles or departments. For instance, IT might own Protection, while a risk management or governance committee might oversee Governance and Ecosystem. This delineation helps avoid confusion over who is responsible for maintaining or updating particular controls.


Enhanced Risk Management

  • Targeted Threat Mitigation
    Each domain addresses a specific stage or aspect of security—prevention (Protection), detection and response (Defence), and recovery (Resilience). Mapping threats and vulnerabilities to the relevant domain helps in systematically deploying controls where they can be most effective.

  • Focus on Emerging Risks
    Governance and Ecosystem provides a structure for continuously monitoring the internal and external environment. This includes changes in regulatory landscapes, third-party risks, and new threat vectors. As a result, the organization can promptly revise its strategies and controls when new risks emerge.

  • Prioritization and Gap Identification
    When controls are grouped under domains, organizations can more easily identify domains with insufficient coverage. This highlights areas needing additional investment or attention—such as improving detection capabilities in Defence or bolstering continuity planning in Resilience.


Focused Resource Allocation

  • Budget and Funding
    Breaking down the security program into four domains helps management and security teams allocate budgets more strategically. Funding can be directed to areas with the highest risk or potential return on investment.

  • Personnel and Skill Requirements
    Each domain may require different skill sets. For example, Protection might emphasize technical engineering skills, while Governance and Ecosystem could focus on policy and compliance expertise. Knowing exactly which domain needs which skills streamlines recruitment and training efforts.

  • Technology and Tool Investment
    By understanding which technologies apply to which domain, organizations can invest in more specialized tools. For instance, a Security Information and Event Management (SIEM) solution could bolster Defence by enhancing detection and incident correlation, whereas robust backup solutions are critical for Resilience.


Improved Stakeholder Engagement

  • Clarity for Senior Management and Board
    Presenting security controls and activities under distinct domains provides an accessible, high-level structure that resonates with non-technical leaders. It clarifies the “big picture” of how security supports business objectives.

  • Collaboration with Other Departments
    Departments such as HR, Legal, and Operations can better understand their roles when controls are grouped into well-defined domains. For example, HR can align training and background checks under Protection or Governance and Ecosystem, depending on the nature of the control.

  • External Communication and Reporting
    Explaining the organization’s security maturity to partners, customers, or regulators is more straightforward when using recognized high-level categories. Demonstrating that you have robust controls in Defence and Resilience can build confidence in your ability to respond to incidents and recover critical services.


Continuous Improvement and Adaptability

  • Scalable Framework
    As an organization grows or as threats evolve, the Security domains model remains flexible. New controls or processes can be added to the relevant domain without overhauling the entire security strategy.

  • Feedback Loops and Metrics
    Monitoring performance within each domain—such as time to detect incidents in Defence or recovery time in Resilience—helps identify specific areas for improvement. Over time, these metrics drive continuous refinement of policies, processes, and controls.

  • Alignment with Other Frameworks
    Many security and risk management frameworks, from NIST to COBIT, emphasize similar pillars or domains. Using the ISO 27001 Security domains can complement other frameworks, ensuring consistent language and structure across multiple compliance requirements.

Practical Steps for Implementation

Implementing the Security domains attribute requires a structured approach to ensure each control is appropriately placed and managed. Below is a detailed roadmap to guide organizations through the process:


Map Existing Controls to Domains

  1. Inventory All Controls
    Begin by creating or updating a comprehensive list of all existing information security controls. This inventory should encompass technical measures (e.g., firewalls, authentication systems), procedural controls (e.g., incident response plans, guidelines), and physical safeguards (e.g., locked doors, CCTV).

  2. Analyze the Control’s Primary Function
    For each control, determine its main objective. Is it focused on governance oversight, protective barriers, incident detection and response, or business continuity and crisis management? This step helps you understand which domain—Governance and Ecosystem, Protection, Defence, or Resilience—the control best fits into.

  3. Use Attribute Definitions
    Refer to the detailed definitions of each domain to confirm that you are categorizing controls consistently. If a control appears to overlap multiple domains, determine where it is most effectively managed or most relevant. Alternatively, you can note any secondary domain associations for a more nuanced view.

  4. Document the Mapping
    Record your mapping in a centralized repository (e.g., a spreadsheet or a governance, risk, and compliance (GRC) tool). This documentation should include the control name, description, owner, and the assigned security domain(s).


Identify Domain-Specific Gaps

  1. Assess Coverage Within Each Domain
    After mapping controls, evaluate whether each domain has sufficient coverage. For instance, do you have adequate detection capabilities under Defence? Are your continuity plans robust enough under Resilience?

  2. Evaluate Against Risks
    Cross-reference your control inventory with a risk assessment or threat model. This helps determine if your current controls are mitigating identified risks effectively within each domain.

  3. Review Regulatory and Business Requirements
    Align the Security domains with your organization’s legal, regulatory, and contractual obligations. Confirm that all necessary compliance controls are assigned and adequately addressed in the relevant domain.

  4. Create a Gap Remediation Plan
    For each gap, define clear actions to close or reduce the gap. This might involve acquiring new tools, refining existing processes, or creating entirely new controls or procedures.
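As an added example (not code from the original page), the script below carries out the mapping and gap-assessment steps above in Python: it parses a control inventory export written in the same "control id followed directly by control name" layout as the control lists at the top of this page, normalises zero-padded identifiers (A.5.01 and A.5.1 are the same control), records which controls are listed under more than one domain (the secondary associations step 3 of the mapping procedure says to note), and reports domains that fall below a coverage threshold or still have unimplemented controls. The inventory excerpt, the domain-heading line format, the threshold value and the set of implemented controls are all constructed for illustration; the authoritative control-to-domain mapping is the Security domains attribute table in ISO/IEC 27002:2022.

```python
"""Map Annex A controls to ISO 27001:2022 Security domains and report gaps.

Added example, not code from the original page. The inventory excerpt, the
coverage threshold and the implemented-control set are constructed for
illustration; the authoritative mapping is ISO/IEC 27002:2022's attribute table.
"""
import re
from collections import defaultdict

DOMAINS = ("Governance and Ecosystem", "Protection", "Defence", "Resilience")

# Constructed excerpt of a control inventory export. A bare domain heading is
# followed by its controls in the "<id><name>" layout flat exports often
# produce: no separator between id and name, zero-padded ids in some rows.
SAMPLE_INVENTORY = """\
Governance and Ecosystem
A.5.01Policies for information security
A.5.02Information security roles and responsibilities
A.8.08Management of technical vulnerabilities
Protection
A.5.2Information security roles and responsibilities
A.8.8Management of technical vulnerabilities
A.8.15Logging
A.8.24Use of cryptography
Defence
A.5.7Threat intelligence
A.8.15Logging
A.8.16Monitoring activities
Resilience
A.5.30ICT readiness for business continuity
"""

# Theme number, control number, then the name; the numeric parts are captured
# separately so zero padding can be dropped before the id is reassembled.
CONTROL_RE = re.compile(r"^A\.(\d+)\.(\d+)\s*(.+)$")


def normalise_id(theme: str, number: str) -> str:
    """A.5.01 and A.5.1 denote the same control; drop the zero padding."""
    return f"A.{int(theme)}.{int(number)}"


def id_key(control_id: str):
    """Sort key that orders A.8.8 before A.8.24 (numeric, not lexical)."""
    return tuple(int(part) for part in control_id[2:].split("."))


def parse_inventory(text: str) -> dict:
    """Return {domain: {control_id: name}} from the flat export.

    A domain heading switches the current domain; control lines belong to it
    until the next heading. Any other line is rejected rather than skipped,
    so a mis-filed control cannot silently distort the coverage figures.
    """
    mapping = {domain: {} for domain in DOMAINS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in DOMAINS:
            current = line
            continue
        match = CONTROL_RE.match(line)
        if match is None or current is None:
            raise ValueError(f"unrecognised inventory line: {raw!r}")
        theme, number, name = match.groups()
        mapping[current][normalise_id(theme, number)] = name.strip()
    return mapping


def coverage(mapping: dict) -> dict:
    """Number of controls mapped to each domain."""
    return {domain: len(controls) for domain, controls in mapping.items()}


def shared_controls(mapping: dict) -> dict:
    """Controls listed under more than one domain (secondary associations)."""
    domains_by_control = defaultdict(list)
    for domain, controls in mapping.items():
        for control_id in controls:
            domains_by_control[control_id].append(domain)
    return {cid: ds for cid, ds in domains_by_control.items() if len(ds) > 1}


def thin_domains(mapping: dict, minimum: int) -> list:
    """Domains below an organisation-chosen count threshold (an assumption)."""
    return [d for d, count in coverage(mapping).items() if count < minimum]


def unimplemented_by_domain(mapping: dict, implemented: set) -> dict:
    """Per domain, mapped controls not yet implemented: remediation-plan input."""
    return {d: sorted(set(c) - implemented, key=id_key) for d, c in mapping.items()}


if __name__ == "__main__":
    mapping = parse_inventory(SAMPLE_INVENTORY)
    print("coverage:", coverage(mapping))
    print("shared controls:", shared_controls(mapping))
    print("thin domains (fewer than 2 controls):", thin_domains(mapping, 2))
    # Constructed: the controls this organisation has already implemented.
    print("unimplemented:", unimplemented_by_domain(mapping, {"A.5.1", "A.8.15"}))
```

Because the standard itself assigns far fewer controls to Resilience than to Protection (compare the lists at the top of this page), a single count threshold across all domains is only a first screen; set the threshold per domain against the number of controls the standard places there, and use the per-domain unimplemented list, cross-referenced with the risk assessment as step 2 describes, as the actual input to the remediation plan.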


Assign Responsibilities and Owners

  1. Establish Domain Leads
    Assign a specific individual or team to oversee each domain. These “Domain Leads” ensure that relevant controls are maintained, updated, and effective. For example, a CISO or compliance officer may lead Governance and Ecosystem, while the IT Security Operations team could lead Protection.

  2. Delegate Control Owners
    Each control within a domain should also have an owner (or owners) responsible for day-to-day implementation and oversight. Defining these responsibilities early avoids confusion and aids accountability.

  3. Define Reporting Structures
    Ensure each domain lead reports regularly to the overall information security governance committee or equivalent body. This structured reporting keeps senior management informed about domain-specific risks, developments, and performance.


Integrate with Other Attributes and Frameworks

  1. Combine with ISO 27001 Requirements
    The Security domains attribute is just one perspective within ISO 27001. Cross-reference other clauses (e.g., risk assessment, performance evaluation) to ensure comprehensive alignment.

  2. Leverage Other Control Attributes
    Many organizations also categorize controls by Control Type (Preventive, Detective, Corrective), Information Security Properties (Confidentiality, Integrity, Availability), and Cybersecurity Concepts (Identify, Protect, Detect, Respond, Recover). Combining these attributes provides a multidimensional view of how and why controls are implemented.

  3. Map to Other Frameworks
    If your organization uses additional standards (NIST CSF, COBIT, PCI-DSS, etc.), align the Security domains with the corresponding sections or controls in these frameworks. This approach streamlines compliance efforts and ensures consistent messaging across multiple audits or assessments.


Communicate and Train

  1. Educate Stakeholders
    Develop clear, concise training materials or presentations that explain the four security domains, their purpose, and the organization’s overarching strategy. This clarity fosters buy-in from senior management and cooperation from operational teams.

  2. Domain-Specific Training
    Provide tailored training for teams working within a specific domain. For example, staff in Protection may need technical courses on secure configurations or patch management, while those in Defence require training on incident detection tools and forensics.

  3. Awareness Campaigns
    Raise general security awareness by sharing success stories or lessons learned from past incidents. Highlight how each domain plays a role in preventing or responding to such incidents.


Measure and Refine

  1. Define Metrics and KPIs
    Establish metrics specific to each domain. Protection could measure patching speed or vulnerability remediation time, Defence might track mean time to detect (MTTD) or mean time to respond (MTTR), and Resilience could focus on recovery time objectives (RTO) and recovery point objectives (RPO).

  2. Regular Performance Reviews
    Schedule periodic reviews with each domain lead to assess performance against defined metrics. Discuss successes, challenges, and potential improvements.

  3. Continuous Improvement Loop
    Use the insights from performance metrics, incident reports, and stakeholder feedback to refine or update controls within each domain. This ongoing process aligns with ISO 27001’s requirement for continuous improvement of the ISMS.

Potential Templates to Assist

The following types of templates can facilitate the use of the Security domains attribute:

  1. Security Domain Mapping Template
    An ISO 27002 controls spreadsheet template that maps each control to one of the four security domains.
  2. Risk Assessment Matrix by Domain
    A matrix to prioritize risks and plan treatments aligned with each domain.
  3. Incident Response Playbook
    Documentation outlining escalation and remediation steps for the Defence and Resilience domains.

Conclusion

Implementing the Security domains attribute offers a strategic lens through which to view and manage ISO/IEC 27001 controls. By classifying controls as part of Governance and Ecosystem, Protection, Defence, or Resilience, organizations can align security objectives with risk management activities, ensure the coherence of security efforts, and communicate effectively with both internal stakeholders and external partners.