ISO 27001 : 2022 | 4 themes 93 controls

09/11/2025

Understanding the 4 Themes of ISO 27001:2022

ISO 27001:2022 is the international standard for information security management systems (ISMS), providing a robust framework to protect sensitive data. The standard requires organizations to implement 93 controls across 14 domains, organized into four key themes: Organizational, People, Physical, and Technological Controls. Below, we explore these themes and their associated controls to help you strengthen your organization’s security posture.

Organizational Controls

Organizational controls form the backbone of an effective ISMS, focusing on leadership, policies, and governance (Clauses 5-6). These controls align business objectives with risk management, ensuring a structured approach to information security.

Key Focus Areas:

  • Leadership and Governance: Establishing clear policies and assigning roles to drive accountability.
  • Risk Management: Integrating security objectives with business goals to mitigate risks effectively.
  • Supplier Relationships: Ensuring security extends to third-party vendors and cloud services.
  • Incident Management: Preparing for and responding to security incidents with structured processes.

Controls (37):

  1. Policies for information security
  2. Information security roles and responsibilities
  3. Segregation of duties
  4. Management responsibilities
  5. Contact with authorities
  6. Contact with special interest groups
  7. Threat intelligence (new)
  8. Information security in project management
  9. Inventory of information and other associated assets (changed)
  10. Acceptable use of information and other associated assets (changed)
  11. Return of assets
  12. Classification of information
  13. Labelling of information
  14. Information transfer
  15. Access control
  16. Identity management
  17. Authentication information (new)
  18. Access rights (changed)
  19. Information security in supplier relationships
  20. Addressing information security within supplier agreements
  21. Managing information security in the ICT supply chain (new)
  22. Monitoring, review, and change management of supplier services (changed)
  23. Information security for use of cloud services (new)
  24. Information security incident management planning and preparation (changed)
  25. Assessment and decision on information security events
  26. Response to information security incidents
  27. Learning from information security incidents
  28. Collection of evidence
  29. Information security during disruption (changed)
  30. ICT readiness for business continuity (new)
  31. Identification of legal, statutory, regulatory, and contractual requirements
  32. Intellectual property rights
  33. Protection of records
  34. Privacy and protection of PII
  35. Independent review of information security
  36. Compliance with policies and standards for information security
  37. Documented operating procedures

People Controls

People are both an organization’s greatest asset and a potential vulnerability. Clause 7 emphasizes competence, awareness, and culture to mitigate human-related risks.

Key Focus Areas:

  • Training and Awareness: Equipping employees with the knowledge to recognize and prevent security threats.
  • Accountability: Establishing clear responsibilities and consequences for security lapses.
  • Remote Work Security: Addressing risks associated with distributed work environments.

Controls (8):

  1. Screening
  2. Terms and conditions of employment
  3. Information security awareness, education, and training
  4. Disciplinary process
  5. Responsibilities after termination or change of employment
  6. Confidentiality or non-disclosure agreements
  7. Remote working (new)
  8. Information security event reporting

Physical Controls

Physical controls extend security beyond IT, focusing on protecting facilities, equipment, and access points (Annex A.7). These measures ensure a balance between digital and physical security.

Key Focus Areas:

  • Environmental Security: Safeguarding against physical and environmental threats like fire or theft.
  • Access Management: Securing entry points and sensitive areas.
  • Equipment Protection: Ensuring secure handling and disposal of assets.

Controls (14):

  1. Physical security perimeter
  2. Physical entry controls
  3. Securing offices, rooms, and facilities
  4. Physical security monitoring
  5. Protecting against physical and environmental threats
  6. Working in secure areas
  7. Clear desk and clear screen
  8. Equipment siting and protection
  9. Security of assets off-premises
  10. Storage media (new)
  11. Supporting utilities
  12. Cabling security
  13. Equipment maintenance
  14. Secure disposal or reuse of equipment

Technological Controls

Technological controls (Annex A and Clause 8) focus on integrating advanced tools like encryption and access controls with operational processes to provide comprehensive protection.

Key Focus Areas:

  • Secure Systems: Implementing robust authentication, encryption, and network security.
  • Development Security: Ensuring secure coding practices and testing.
  • Data Protection: Preventing data leaks and ensuring proper backups.

Controls (34):

  1. User endpoint devices (new)
  2. Privileged access rights
  3. Information access restriction
  4. Access to source code
  5. Secure authentication
  6. Capacity management
  7. Protection against malware
  8. Management of technical vulnerabilities
  9. Configuration management
  10. Information deletion (new)
  11. Data masking (new)
  12. Data leakage prevention (new)
  13. Information backup
  14. Redundancy of information processing facilities
  15. Logging
  16. Monitoring activities
  17. Clock synchronization
  18. Use of privileged utility programs
  19. Installation of software on operational systems
  20. Network controls
  21. Security of network services
  22. Segregation in networks
  23. Web filtering (new)
  24. Use of cryptography
  25. Secure development lifecycle
  26. Application security requirements (new)
  27. Secure system architecture and engineering principles (new)
  28. Security testing in development and acceptance
  29. Outsourced development
  30. Separation of development, test, and production environments
  31. Change management
  32. Test information
  33. Protection of information systems during audit and testing

Conclusion

ISO 27001:2022’s 93 controls, organized under four themes, provide a comprehensive framework for securing your organization’s information assets. By addressing organizational governance, human factors, physical environments, and technological safeguards, businesses can build a resilient ISMS that aligns with modern security challenges. Implementing these controls not only enhances security but also demonstrates a commitment to protecting sensitive data, fostering trust with stakeholders.

© 2024 Gabriel Consultant. All rights reserved