ISO/IEC 27001:2022 — Information Security, Cybersecurity and Privacy Protection — ISMS Requirements

Information security, cybersecurity and privacy protection — Information security management systems — Requirements

ISMS Requirements Architecture

ISO/IEC 27001:2022 is the most widely recognized international standard for information security management systems (ISMS). It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organization. This third edition (published October 2022) replaces ISO/IEC 27001:2013 and introduces significant structural and content changes, most notably the consolidation and reorganization of Annex A security controls from 114 to 93 controls organized into 4 themes instead of 14 domains.

ISO/IEC 27001 uses the Plan-Do-Check-Act (PDCA) cycle and follows the Annex SL high-level structure (Clauses 1–10) common to all modern ISO management system standards. This structure makes it straightforward to integrate with other management systems such as ISO 9001, ISO 14001, and ISO 22301.

The standard’s requirements are organized into ten clauses. Clauses 1–3 provide contextual information (scope, normative references, terms and definitions). Clause 4 (Context of the organization) requires organizations to determine external and internal issues relevant to their purpose, understand the needs and expectations of interested parties, and define the scope of the ISMS. Clause 5 (Leadership) mandates top management involvement, requiring the establishment of an information security policy and the assignment of roles and responsibilities. Clause 6 (Planning) addresses risk assessment and treatment planning. Clause 7 (Support) covers resources, competence, awareness, communication, and documented information. Clause 8 (Operation) deals with operational planning and control, including risk assessment and treatment execution. Clause 9 (Performance evaluation) requires monitoring, measurement, analysis, evaluation, internal audit, and management review. Clause 10 (Improvement) addresses nonconformity, corrective action, and continual improvement.

| Clause | Topic | Key Requirements |
|---|---|---|
| 4 | Context of the organization | Determine external/internal issues, interested parties, ISMS scope, ISMS processes |
| 5 | Leadership | Top management commitment, policy, roles and responsibilities |
| 6 | Planning | Risk assessment methodology, risk treatment plan, security objectives |
| 7 | Support | Resources, competence, awareness, communication, documented information |
| 8 | Operation | Operational planning, risk assessment execution, risk treatment execution |
| 9 | Performance evaluation | Monitoring, measurement, analysis, internal audit, management review |
| 10 | Improvement | Nonconformity handling, corrective action, continual improvement |

A common pitfall in ISO/IEC 27001 implementation is treating Clause 4 (Context of the organization) as a box-ticking exercise. Understanding your organization’s unique context — including business model, regulatory environment, threat landscape, and stakeholder expectations — is essential for designing a relevant and effective ISMS. A generic, template-driven approach produces a generic ISMS that may not address your specific risks.

Annex A Controls — The 2022 Update

The most significant change in the 2022 edition is the restructuring of Annex A controls. The previous 14 domains and 114 controls have been consolidated into 4 themes and 93 controls. The four themes are: Organizational controls (37 controls), People controls (8 controls), Physical controls (14 controls), and Technological controls (34 controls). This simplification reflects a more modern and practical approach to information security, moving from a siloed-domain mindset to a more integrated thematic structure that better represents how security is actually implemented in organizations.

| Theme | Number of Controls | Key Additions (2022) |
|---|---|---|
| Organizational | 37 | Threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring |
| People | 8 | Remote working, information security awareness and training (consolidated and enhanced) |
| Physical | 14 | Physical security monitoring, secure disposal or re-use of equipment (enhanced) |
| Technological | 34 | Information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding |

Eleven new controls were introduced in the 2022 edition, addressing contemporary security challenges: threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. These additions reflect the evolving threat landscape and technology environment.

The 2022 edition also introduces the concept of “control attributes” — a classification system that tags each control with attributes such as control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities (governance, asset management, etc.), and security domains (governance and ecosystem, protection, defence, resilience). This attribute system enables organizations to filter, select, and report on controls from different perspectives without changing the underlying control definitions.

Organizations that were certified to ISO/IEC 27001:2013 must transition to the 2022 edition to maintain their certification. The transition period is typically 3 years from the publication date. The gap analysis between the 2013 and 2022 Annex A requires careful review, particularly for the 11 new controls, and organizations must update their Statement of Applicability (SoA), risk treatment plans, and associated policies and procedures to reflect the new structure.

Implementing ISO/IEC 27001:2022

Successful implementation of ISO/IEC 27001:2022 requires a structured approach that integrates security into the organization’s culture and operations. The recommended approach begins with securing top management commitment — without visible, sustained leadership support, ISMS implementation will struggle to gain the resources and cross-functional cooperation it requires. A formal project charter should define the scope, objectives, timeline, budget, and governance structure for the implementation.

The risk assessment process is the intellectual core of the ISMS. Organizations must define and apply a risk assessment methodology that identifies risks related to the confidentiality, integrity, and availability of information assets. The methodology should consider the risk criteria defined in Clause 6.1.2, including risk acceptance criteria and criteria for performing risk evaluations. The output of this process is a risk treatment plan that specifies which controls from Annex A (or other sources) will be implemented to mitigate identified risks to an acceptable level.

The Statement of Applicability (SoA) is a critical document that lists all controls from Annex A, indicates whether each control is applicable or not, and justifies inclusions and exclusions. The SoA must be reviewed and approved by management and serves as the foundation for the external certification audit. It demonstrates that the organization has systematically considered all relevant controls and made informed decisions based on risk assessment results.
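The following is an added example, not code from the page or from ISO, that ties the control-attribute concept to the risk assessment and SoA steps just described. It models a small subset of Annex A tagged with control-type and cybersecurity-concept attributes, a constructed risk register scored on an assumed 1..5 likelihood times impact scale against an assumed acceptance threshold, and derives a risk treatment plan and a Statement of Applicability from that data. Control ids and names follow the 2022 Annex A numbering; the attribute tags, the risk entries, the threshold and the contractual obligation are illustrative sample values and not taken from the standard.

```python
"""Added example (not from the page or ISO): control-attribute filtering, a
risk treatment plan and an SoA. Control ids/names follow Annex A (2022); the
attribute tags, 1..5 scale, threshold, risk register and obligation are
constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    theme: str                # Organizational / People / Physical / Technological
    ctype: FrozenSet[str]     # control-type attribute
    concepts: FrozenSet[str]  # cybersecurity-concept attribute


def _c(cid, name, theme, ctype, concepts):
    return Control(cid, name, theme, frozenset(ctype), frozenset(concepts))


# Constructed subset of Annex A; attribute tags are illustrative only
CONTROLS = [
    _c("A.5.7", "Threat intelligence", "Organizational",
       ["preventive", "detective", "corrective"], ["identify", "detect", "respond"]),
    _c("A.5.23", "Information security for use of cloud services", "Organizational",
       ["preventive"], ["protect"]),
    _c("A.7.4", "Physical security monitoring", "Physical", ["preventive", "detective"], ["protect", "detect"]),
    _c("A.8.11", "Data masking", "Technological", ["preventive"], ["protect"]),
    _c("A.8.12", "Data leakage prevention", "Technological", ["preventive", "detective"], ["protect", "detect"]),
    _c("A.8.16", "Monitoring activities", "Technological", ["detective", "corrective"], ["detect", "respond"]),
    _c("A.8.28", "Secure coding", "Technological", ["preventive"], ["protect"]),
]


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int                            # 1..5, assumed scale
    impact: int                                # 1..5, assumed scale
    treating_controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # expected once controls are in place
    residual_impact: Optional[int] = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        return (self.residual_likelihood or self.likelihood) * (self.residual_impact or self.impact)


ACCEPTANCE_THRESHOLD = 9   # risk acceptance criterion: scores above this need treatment

RISKS = [  # constructed risk register
    Risk("R1", "Customer PII copied unmasked into test environments", 4, 5, ["A.8.11", "A.8.12"], residual_likelihood=1),
    Risk("R2", "Intrusion into production tenant goes undetected", 4, 4, ["A.5.7", "A.8.16"], residual_likelihood=3),
    Risk("R3", "Visitor tailgates into open-plan office", 2, 2),
    Risk("R4", "Injection flaw shipped in customer portal", 3, 4, ["A.8.28"], residual_likelihood=1),
]
OBLIGATIONS = {"A.5.23": "required by customer data-processing agreements"}  # constructed


def filter_controls(controls, theme=None, ctype=None, concept=None) -> List[str]:
    """Select control ids by attribute; the control definitions themselves are untouched."""
    return [c.cid for c in controls
            if (theme is None or c.theme == theme)
            and (ctype is None or ctype in c.ctype)
            and (concept is None or concept in c.concepts)]


def risk_treatment_plan(risks, controls, threshold) -> Dict[str, dict]:
    """Risks above the acceptance criterion, their chosen controls and residual score."""
    known = {c.cid for c in controls}
    plan = {}
    for r in risks:
        if r.inherent_score() <= threshold:
            continue                           # within acceptance criteria: no treatment needed
        unknown = [cid for cid in r.treating_controls if cid not in known]
        if unknown:
            raise ValueError(f"{r.rid} references controls outside the catalogue: {unknown}")
        plan[r.rid] = {"inherent": r.inherent_score(), "controls": list(r.treating_controls),
                       "residual": r.residual_score(),
                       # still above threshold: add controls or record explicit management acceptance
                       "residual_accepted": r.residual_score() <= threshold}
    return plan


def statement_of_applicability(controls, risks, threshold, obligations=None) -> Dict[str, dict]:
    """Every catalogue control with an applicable flag and the justification for it."""
    obligations = obligations or {}
    used: Dict[str, List[str]] = {}
    for rid, entry in risk_treatment_plan(risks, controls, threshold).items():
        for cid in entry["controls"]:
            used.setdefault(cid, []).append(rid)
    soa = {}
    for c in controls:
        if c.cid in used:
            soa[c.cid] = {"applicable": True, "justification": "treats " + ", ".join(used[c.cid])}
        elif c.cid in obligations:
            soa[c.cid] = {"applicable": True, "justification": obligations[c.cid]}
        else:
            soa[c.cid] = {"applicable": False,
                          "justification": "no risk above acceptance criteria and no obligation"}
    return soa
```

Two points the code makes visible that the prose only implies: a risk whose residual score is still above the acceptance criterion after its planned controls (R2 here) is flagged rather than silently closed, and every control in the catalogue ends up in the SoA with a stated reason, whether it is included because a treated risk relies on it, included because of an obligation, or excluded because nothing maps to it. Both are the kinds of gaps a certification auditor looks for in a risk treatment plan and SoA.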

Once the ISMS is implemented, the organization must establish a cycle of internal audits, management reviews, and corrective actions. Internal audits verify that the ISMS conforms to the organization’s own requirements and to the standard. Management reviews evaluate the ISMS’s continuing suitability, adequacy, and effectiveness. Both processes feed into the continual improvement cycle, ensuring that the ISMS evolves to address changing threats, business requirements, and organizational context.

Frequently Asked Questions

Q1: What are the main differences between ISO/IEC 27001:2013 and ISO/IEC 27001:2022?

The key differences include: (1) Annex A restructured from 14 domains to 4 themes (Organizational, People, Physical, Technological); (2) control count reduced from 114 to 93; (3) 11 new controls added addressing cloud services, threat intelligence, data leakage prevention, secure coding, and other contemporary topics; (4) introduction of control attributes for multi-perspective classification; (5) updated terminology and alignment with the latest Annex SL framework; (6) enhanced focus on cybersecurity and privacy protection (reflected in the revised title).

Q2: Can an organization be certified to ISO/IEC 27001 without implementing all 93 controls?

Yes. ISO/IEC 27001 does not require implementation of all controls in Annex A. The organization must determine which controls are applicable based on its risk assessment and document the rationale in the Statement of Applicability (SoA). Controls that are not applicable must be explicitly justified as excluded. The certification audit verifies that the implemented controls are appropriate for the identified risks and that the exclusions are valid.

Q3: How long does it typically take to implement ISO/IEC 27001 and achieve certification?

The timeline depends on organizational size, complexity, and existing security maturity. Typical implementation timelines range from 6 to 18 months. Small organizations with well-defined processes and existing security controls may achieve certification in 6–9 months. Large, complex organizations with multiple business units and legacy systems may require 12–18 months. The certification audit itself typically spans 3–5 days for a small to medium-sized organization, with recertification audits every 3 years and surveillance audits annually.

Q4: What is the relationship between ISO/IEC 27001 and ISO/IEC 27002?

ISO/IEC 27001 specifies the mandatory requirements for an ISMS (the “what” — including the requirement to select applicable controls from Annex A). ISO/IEC 27002 provides implementation guidance for the controls listed in Annex A (the “how”). Organizations typically use 27001 for the certification framework and 27002 for detailed guidance on implementing specific security controls. The two standards are designed to be used together as a complementary pair.
