ISO 27001:2022 is the international standard for information security management systems (ISMS), providing a robust framework to protect sensitive data. The standard requires organizations to implement 93 controls across 14 domains, organized into four key themes: Organizational, People, Physical, and Technological Controls. Below, we explore these themes and their associated controls to help you strengthen your organization’s security posture.
Organizational Controls
Organizational controls form the backbone of an effective ISMS, focusing on leadership, policies, and governance (Clauses 5-6). These controls align business objectives with risk management, ensuring a structured approach to information security.
Key Focus Areas:
Leadership and Governance: Establishing clear policies and assigning roles to drive accountability.
Risk Management: Integrating security objectives with business goals to mitigate risks effectively.
Supplier Relationships: Ensuring security extends to third-party vendors and cloud services.
Incident Management: Preparing for and responding to security incidents with structured processes.
Controls (37):
Policies for information security
Information security roles and responsibilities
Segregation of duties
Management responsibilities
Contact with authorities
Contact with special interest groups
Threat intelligence (new)
Information security in project management
Inventory of information and other associated assets (changed)
Acceptable use of information and other associated assets (changed)
Return of assets
Classification of information
Labelling of information
Information transfer
Access control
Identity management
Authentication information (new)
Access rights (changed)
Information security in supplier relationships
Addressing information security within supplier agreements
Managing information security in the ICT supply chain (new)
Monitoring, review, and change management of supplier services (changed)
Information security for use of cloud services (new)
Information security incident management planning and preparation (changed)
Assessment and decision on information security events
Response to information security incidents
Learning from information security incidents
Collection of evidence
Information security during disruption (changed)
ICT readiness for business continuity (new)
Identification of legal, statutory, regulatory, and contractual requirements
Intellectual property rights
Protection of records
Privacy and protection of PII
Independent review of information security
Compliance with policies and standards for information security
Documented operating procedures
People Controls
People are both an organization’s greatest asset and a potential vulnerability. Clause 7 emphasizes competence, awareness, and culture to mitigate human-related risks.
Key Focus Areas:
Training and Awareness: Equipping employees with the knowledge to recognize and prevent security threats.
Accountability: Establishing clear responsibilities and consequences for security lapses.
Remote Work Security: Addressing risks associated with distributed work environments.
Controls (8):
Screening
Terms and conditions of employment
Information security awareness, education, and training
Disciplinary process
Responsibilities after termination or change of employment
Confidentiality or non-disclosure agreements
Remote working (new)
Information security event reporting
Physical Controls
Physical controls extend security beyond IT, focusing on protecting facilities, equipment, and access points (Annex A.7). These measures ensure a balance between digital and physical security.
Key Focus Areas:
Environmental Security: Safeguarding against physical and environmental threats like fire or theft.
Access Management: Securing entry points and sensitive areas.
Equipment Protection: Ensuring secure handling and disposal of assets.
Controls (14):
Physical security perimeter
Physical entry controls
Securing offices, rooms, and facilities
Physical security monitoring
Protecting against physical and environmental threats
Working in secure areas
Clear desk and clear screen
Equipment siting and protection
Security of assets off-premises
Storage media (new)
Supporting utilities
Cabling security
Equipment maintenance
Secure disposal or reuse of equipment
Technological Controls
Technological controls (Annex A and Clause 8) focus on integrating advanced tools like encryption and access controls with operational processes to provide comprehensive protection.
Key Focus Areas:
Secure Systems: Implementing robust authentication, encryption, and network security.
Development Security: Ensuring secure coding practices and testing.
Data Protection: Preventing data leaks and ensuring proper backups.
Controls (34):
User endpoint devices (new)
Privileged access rights
Information access restriction
Access to source code
Secure authentication
Capacity management
Protection against malware
Management of technical vulnerabilities
Configuration management
Information deletion (new)
Data masking (new)
Data leakage prevention (new)
Information backup
Redundancy of information processing facilities
Logging
Monitoring activities
Clock synchronization
Use of privileged utility programs
Installation of software on operational systems
Network controls
Security of network services
Segregation in networks
Web filtering (new)
Use of cryptography
Secure development lifecycle
Application security requirements (new)
Secure system architecture and engineering principles (new)
Security testing in development and acceptance
Outsourced development
Separation of development, test, and production environments
Change management
Test information
Protection of information systems during audit and testing
Conclusion
ISO 27001:2022’s 93 controls, organized under four themes, provide a comprehensive framework for securing your organization’s information assets. By addressing organizational governance, human factors, physical environments, and technological safeguards, businesses can build a resilient ISMS that aligns with modern security challenges. Implementing these controls not only enhances security but also demonstrates a commitment to protecting sensitive data, fostering trust with stakeholders.