Understanding the 4 Themes of ISO 27001:2022

ISO 27001:2022 is the international standard for information security management systems (ISMS), providing a robust framework to protect sensitive data. The standard requires organizations to implement 93 controls across 14 domains, organized into four key themes: Organizational, People, Physical, and Technological Controls. Below, we explore these themes and their associated controls to help you strengthen your organization’s security posture.

Organizational Controls

Organizational controls form the backbone of an effective ISMS, focusing on leadership, policies, and governance (Clauses 5-6). These controls align business objectives with risk management, ensuring a structured approach to information security.

Key Focus Areas:

• Leadership and Governance: Establishing clear policies and assigning roles to drive accountability.
• Risk Management: Integrating security objectives with business goals to mitigate risks effectively.
• Supplier Relationships: Ensuring security extends to third-party vendors and cloud services.
• Incident Management: Preparing for and responding to security incidents with structured processes.

Controls (37):

1. Policies for information security
2. Information security roles and responsibilities
3. Segregation of duties
4. Management responsibilities
5. Contact with authorities
6. Contact with special interest groups
7. Threat intelligence (new)
8. Information security in project management
9. Inventory of information and other associated assets (changed)
10. Acceptable use of information and other associated assets (changed)
11. Return of assets
12. Classification of information
13. Labelling of information
14. Information transfer
15. Access control
16. Identity management
17. Authentication information (new)
18. Access rights (changed)
19. Information security in supplier relationships
20. Addressing information security within supplier agreements
21. Managing information security in the ICT supply chain (new)
22. Monitoring, review, and change management of supplier services (changed)
23. Information security for use of cloud services (new)
24. Information security incident management planning and preparation (changed)
25. Assessment and decision on information security events
26. Response to information security incidents
27. Learning from information security incidents
28. Collection of evidence
29. Information security during disruption (changed)
30. ICT readiness for business continuity (new)
31. Identification of legal, statutory, regulatory, and contractual requirements
32. Intellectual property rights
33. Protection of records
34. Privacy and protection of PII
35. Independent review of information security
36. Compliance with policies and standards for information security
37. Documented operating procedures

People Controls

People are both an organization’s greatest asset and a potential vulnerability. Clause 7 emphasizes competence, awareness, and culture to mitigate human-related risks.

Key Focus Areas:

• Training and Awareness: Equipping employees with the knowledge to recognize and prevent security threats.
• Accountability: Establishing clear responsibilities and consequences for security lapses.
• Remote Work Security: Addressing risks associated with distributed work environments.

Controls (8):

1. Screening
2. Terms and conditions of employment
3. Information security awareness, education, and training
4. Disciplinary process
5. Responsibilities after termination or change of employment
6. Confidentiality or non-disclosure agreements
7. Remote working (new)
8. Information security event reporting

Physical Controls

Physical controls extend security beyond IT, focusing on protecting facilities, equipment, and access points (Annex A.7). These measures ensure a balance between digital and physical security.

Key Focus Areas:

• Environmental Security: Safeguarding against physical and environmental threats like fire or theft.
• Access Management: Securing entry points and sensitive areas.
• Equipment Protection: Ensuring secure handling and disposal of assets.

Controls (14):

1. Physical security perimeter
2. Physical entry controls
3. Securing offices, rooms, and facilities
4. Physical security monitoring
5. Protecting against physical and environmental threats
6. Working in secure areas
7. Clear desk and clear screen
8. Equipment siting and protection
9. Security of assets off-premises
10. Storage media (new)
11. Supporting utilities
12. Cabling security
13. Equipment maintenance
14. Secure disposal or reuse of equipment

Technological Controls

Technological controls (Annex A and Clause 8) focus on integrating advanced tools like encryption and access controls with operational processes to provide comprehensive protection.

Key Focus Areas:

• Secure Systems: Implementing robust authentication, encryption, and network security.
• Development Security: Ensuring secure coding practices and testing.
• Data Protection: Preventing data leaks and ensuring proper backups.

Controls (34):

1. User endpoint devices (new)
2. Privileged access rights
3. Information access restriction
4. Access to source code
5. Secure authentication
6. Capacity management
7. Protection against malware
8. Management of technical vulnerabilities
9. Configuration management
10. Information deletion (new)
11. Data masking (new)
12. Data leakage prevention (new)
13. Information backup
14. Redundancy of information processing facilities
15. Logging
16. Monitoring activities
17. Clock synchronization
18. Use of privileged utility programs
19. Installation of software on operational systems
20. Network controls
21. Security of network services
22. Segregation in networks
23. Web filtering (new)
24. Use of cryptography
25. Secure development lifecycle
26. Application security requirements (new)
27. Secure system architecture and engineering principles (new)
28. Security testing in development and acceptance
29. Outsourced development
30. Separation of development, test, and production environments
31. Change management
32. Test information
33. Protection of information systems during audit and testing

Conclusion

ISO 27001:2022’s 93 controls, organized under four themes, provide a comprehensive framework for securing your organization’s information assets. By addressing organizational governance, human factors, physical environments, and technological safeguards, businesses can build a resilient ISMS that aligns with modern security challenges. Implementing these controls not only enhances security but also demonstrates a commitment to protecting sensitive data, fostering trust with stakeholders.