ISO/IEC 27001

categories: security, compliance

A structured overview of ISO 27001:2022, from the ten clauses and the PDCA cycle to the subclauses and the Annex A control themes.

Contents

  1. What is ISO 27001?
  2. The High Level Structure (Annex SL)
  3. Clause 1: Scope
  4. Clause 2: Normative References
  5. Clause 3: Terms and Definitions
  6. Clause 4: Context of the Organization
  7. Clause 5: Leadership
  8. Clause 6: Planning
  9. Clause 7: Support
  10. Clause 8: Operation
  11. Clause 9: Performance Evaluation
  12. Clause 10: Improvement
  13. Annex A: Information Security Controls
  14. The ISMS Lifecycle

What is ISO 27001?

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS.

The 2022 revision (ISO/IEC 27001:2022) replaced the 2013 edition and brought the Annex A controls in line with ISO/IEC 27002:2022.

What it is not: ISO 27001 does not prescribe specific technical controls. It requires that an organization identify its risks and treat them systematically. How those risks are treated is largely left to the organization; Annex A provides a reference set of controls to select from.

Certification: Organizations can be independently audited and certified against the standard by accredited certification bodies.

The High Level Structure (Annex SL)

ISO 27001 follows the High Level Structure (HLS), formerly called Annex SL, shared by all modern ISO management system standards (ISO 9001, ISO 14001, ISO 45001, etc.). This makes it easier to integrate multiple standards into a single management system.

The ten clauses are identical in numbering and intent across all HLS standards. Clauses 1-3 are informational. Clauses 4-10 contain the actual requirements.

Clause   Title                        Type
------   -----                        ----
1        Scope                        Informational
2        Normative References         Informational
3        Terms and Definitions        Informational
4        Context of the Organization  Requirement
5        Leadership                   Requirement
6        Planning                     Requirement
7        Support                      Requirement
8        Operation                    Requirement
9        Performance Evaluation       Requirement
10       Improvement                  Requirement
Annex A  Information Security         Reference control set
         Controls

Clause 1: Scope

Purpose: Defines what the standard applies to.

ISO 27001 applies to any organization, regardless of type, size, or nature, that wants to establish an ISMS. The standard uses the word “shall” for mandatory requirements.

Key point: Clause 1 describes the scope of the standard itself (the whole document). The scope of your organization’s ISMS is something you define yourself in Clause 4.3.


Clause 2: Normative References

Purpose: Lists documents that are indispensable for the application of this standard.

The only normative reference is ISO/IEC 27000, which provides the overview and vocabulary for the family of ISMS standards (the ISO 27000 series).

ISO 27000 series (selected standards):

Standard    Topic
--------    -----
27000       Overview and vocabulary
27001       ISMS requirements (this standard)
27002       Information security controls (guidance)
27003       Implementation guidance
27004       Monitoring, measurement, analysis, evaluation
27005       Information security risk management
27017       Cloud services
27018       PII in public clouds
27701       Privacy information management (PIMS)

Clause 3: Terms and Definitions

Purpose: Establishes the vocabulary used in the standard.

All terms and definitions are found in ISO/IEC 27000 rather than repeated here. Key concepts used throughout the standard:

Term                        Meaning
----                        -------
Information security        Preservation of confidentiality, integrity,
                            and availability (CIA) of information
ISMS                        Information Security Management System;
                            systematic approach to managing sensitive info
Risk                        Effect of uncertainty on objectives
Risk treatment              Process to modify risk (accept, avoid,
                            transfer, mitigate)
Control                     Measure that modifies risk (policy, procedure,
                            technical safeguard, etc.)
Interested party            Person or organization that can affect or
                            be affected by a decision or activity
Documented information      Information required to be controlled and
                            maintained by the organization

Clause 4: Context of the Organization

Purpose: Understand the environment in which the ISMS operates before doing anything else.

This clause is the foundation. You cannot set scope or assess risks without first understanding who you are, who cares about your information, and what external factors affect you.

4.1 Understanding the Organization and Its Context

Identify internal and external issues that are relevant to the organization’s purpose and that affect the ISMS’s ability to achieve its intended outcomes.

Internal issues examples:

  • Organizational structure and governance
  • Existing IT infrastructure and legacy systems
  • Contractual obligations and service agreements
  • Organizational culture and security awareness

External issues examples:

  • Legal, regulatory, and contractual requirements (GDPR, NIS2, sector rules)
  • The threat landscape relevant to the industry
  • Technology trends and supply chain dependencies
  • Geopolitical and market environment

Tools often used: SWOT analysis, PESTLE analysis.

4.2 Understanding the Needs and Expectations of Interested Parties

Identify the interested parties (stakeholders) relevant to the ISMS and determine their requirements.

Interested Party        Typical Requirements
----------------        --------------------
Customers               Data protection, breach notification
Regulators              Compliance with specific laws (GDPR, etc.)
Shareholders/board      Risk management, business continuity
Employees               Clear security policies, safe working practices
Suppliers/partners      Secure data exchange, contractual obligations
Auditors/certifiers     Evidence of conformance with the standard

4.3 Determining the Scope of the ISMS

Define the boundaries and applicability of the ISMS. The scope must consider:

  • The internal and external issues from 4.1
  • The requirements from interested parties in 4.2
  • Interfaces and dependencies between the organization and other parties

The scope must be documented. Exclusions from Annex A are allowed but must be justified (a control can only be excluded if it is not applicable to the organization and its risks).

Examples of scope statements:

  • “The ISMS covers all information assets supporting the development, hosting, and support of the SaaS platform, including the Amsterdam office and all remote employees.”
  • “Scope is limited to the payment processing environment as defined by the network segmentation diagram.”

4.4 Information Security Management System

The organization shall establish, implement, maintain, and continually improve an ISMS in accordance with the requirements of the standard.

This is the commitment clause: it binds the rest of the document together.


Clause 5: Leadership

Purpose: Ensure top management is accountable and actively drives the ISMS.

Without leadership commitment, an ISMS becomes a paper exercise. Clause 5 puts explicit obligations on top management (not just the security team).

5.1 Leadership and Commitment

Top management shall demonstrate leadership and commitment by:

  • Ensuring the information security policy and objectives are compatible with the strategic direction
  • Integrating ISMS requirements into business processes
  • Providing necessary resources
  • Communicating the importance of information security
  • Supporting other management roles to demonstrate leadership
  • Promoting continual improvement

Key shift: The standard explicitly places accountability at board/executive level, not just with a CISO or IT department.

5.2 Policy

Top management shall establish an information security policy that:

  • Is appropriate to the purpose of the organization
  • Includes information security objectives or a framework for setting them
  • Includes a commitment to satisfying applicable requirements
  • Includes a commitment to continual improvement

The policy must be documented, communicated internally, and available to interested parties as appropriate.

Policy vs. procedures:

Policy                          Procedure
------                          ---------
What and why (high level)       How and who (operational detail)
Set by top management           Set by responsible owners
Rarely changes                  Updated as processes change
Example: "We protect all        Example: "Access to production
customer data in line with      is granted by submitting a
applicable law."                ticket to IT with manager approval."

5.3 Organizational Roles, Responsibilities and Authorities

Top management shall assign and communicate responsibilities and authorities for roles relevant to information security, including:

  • Who is responsible for ensuring the ISMS conforms to the standard
  • Who reports on ISMS performance to top management

Common roles in practice:

Role                        Typical Responsibility
----                        ----------------------
CISO / Security Manager     Owns the ISMS day-to-day
IT Manager                  Owns technical controls
HR Manager                  Owns people controls (onboarding, training)
Legal / DPO                 Owns compliance and privacy
Asset owners                Responsible for specific information assets
Internal auditor            Conducts independent audits (Clause 9.2)

Clause 6: Planning

Purpose: Translate context and leadership intent into a concrete plan for managing information security risks.

This is where risk management happens. ISO 27001 does not prescribe a specific risk methodology (organizations choose their own), but the outputs must meet the requirements below.

6.1 Actions to Address Risks and Opportunities

6.1.1 General

When planning for the ISMS, the organization shall consider the issues from 4.1 and requirements from 4.2, and determine risks and opportunities that need to be addressed to:

  • Ensure the ISMS can achieve its intended outcomes
  • Prevent or reduce undesired effects
  • Achieve continual improvement

Plan actions to address these and evaluate their effectiveness.

6.1.2 Information Security Risk Assessment

Define and apply a risk assessment process that:

  • Establishes and maintains risk acceptance criteria
  • Ensures that repeated assessments produce consistent, valid, and comparable results
  • Identifies risks associated with the loss of CIA for information assets (within the ISMS scope)
  • Analyzes and evaluates the risks against defined criteria

Common risk assessment approaches:

Approach          Description
--------          -----------
Asset-based       Start with assets, identify threats and vulnerabilities
Scenario-based    Start with attack scenarios or threat actors
OCTAVE            Operationally Critical Threat, Asset, and Vulnerability Evaluation
ISO 27005         ISO's own risk management guidance standard

6.1.3 Information Security Risk Treatment

Define and apply a risk treatment process that:

  • Selects appropriate treatment options (modify, retain, avoid, share)
  • Determines controls necessary to implement the chosen options
  • Compares the determined controls with Annex A (to check nothing was missed)
  • Produces a Statement of Applicability (SoA): a mandatory document listing all Annex A controls with justification for inclusion or exclusion
  • Produces a risk treatment plan
  • Obtains risk owner approval of the residual risk

The Statement of Applicability (SoA) is one of the most important documents in the ISMS. It is always reviewed by certification auditors.

SoA Column              Content
----------              -------
Control reference       Annex A control number and title
Applicable?             Yes / No
Justification           Why included or excluded
Implementation status   Implemented / Planned / Not implemented
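As an added example (not code from the page or from the standard), the following Python checks a Statement of Applicability against the four columns above and the Annex A numbering (themes 5 to 8 with 37, 8, 14 and 34 controls): every control listed exactly once, every row justified, every applicable control carrying an implementation status. The SoA rows and the names SoaRow, check_soa, summarize and build_sample_soa are constructed for this example.

```python
"""Consistency checks for an ISO 27001:2022 Statement of Applicability (SoA).

Added example, not part of the original page. Control references are generated
from the four Annex A themes and their control counts (5: 37, 6: 8, 7: 14,
8: 34, i.e. 93 controls). The SoA rows below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Annex A themes and the number of controls in each (ISO/IEC 27001:2022)
THEME_CONTROL_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}

# Status vocabulary taken from the SoA column layout on the page
IMPLEMENTATION_STATUSES = {"Implemented", "Planned", "Not implemented"}


def annex_a_references() -> list:
    """All 93 control references in numbering order: '5.1' ... '8.34'."""
    return [f"{theme}.{n}" for theme, count in THEME_CONTROL_COUNTS.items()
            for n in range(1, count + 1)]


@dataclass(frozen=True)
class SoaRow:
    """One SoA line: control reference, applicable?, justification, status."""
    control: str
    applicable: bool
    justification: str
    status: Optional[str] = None  # only meaningful when applicable


def check_soa(rows: Iterable[SoaRow]) -> list:
    """Return a list of findings; an empty list means the SoA passes."""
    findings = []
    expected = annex_a_references()
    seen = set()
    for row in rows:
        if row.control not in expected:
            findings.append(f"{row.control}: not an Annex A control reference")
            continue
        if row.control in seen:
            findings.append(f"{row.control}: listed more than once")
        seen.add(row.control)
        # Every control needs a justification, whether included or excluded
        if not row.justification.strip():
            findings.append(f"{row.control}: missing justification")
        if row.applicable:
            if row.status not in IMPLEMENTATION_STATUSES:
                findings.append(
                    f"{row.control}: applicable control needs an implementation status")
        elif row.status is not None:
            findings.append(
                f"{row.control}: excluded control should not carry an implementation status")
    # The SoA must cover all Annex A controls, including the excluded ones
    for control in expected:
        if control not in seen:
            findings.append(f"{control}: not listed in the SoA")
    return findings


def summarize(rows: Iterable[SoaRow]) -> dict:
    """Counts an auditor typically asks for: applicable vs. excluded, and status breakdown."""
    summary = {"applicable": 0, "excluded": 0, "by_status": {}}
    for row in rows:
        if row.applicable:
            summary["applicable"] += 1
            summary["by_status"][row.status] = summary["by_status"].get(row.status, 0) + 1
        else:
            summary["excluded"] += 1
    return summary


def build_sample_soa() -> list:
    """Constructed sample: all 93 controls applicable and implemented,
    then a handful of deliberate defects for the checker to find."""
    rows = {c: SoaRow(c, True, "Required by risk treatment plan", "Implemented")
            for c in annex_a_references()}
    # A valid exclusion: justified and without an implementation status
    rows["6.7"] = SoaRow("6.7", False, "No remote working is permitted within scope")
    # Defect 1: exclusion without a justification
    rows["8.30"] = SoaRow("8.30", False, "")
    # Defect 2: applicable control with no implementation status
    rows["8.16"] = SoaRow("8.16", True, "Needed for the MTTD objective")
    # Defect 3: a control omitted from the SoA entirely
    del rows["5.7"]
    out = list(rows.values())
    # Defect 4: a duplicate row
    out.append(rows["8.24"])
    # Defect 5: a reference that does not exist (theme 5 has only 37 controls)
    out.append(SoaRow("5.38", True, "typo", "Implemented"))
    return out


if __name__ == "__main__":
    for finding in check_soa(build_sample_soa()):
        print(finding)
    print(summarize(build_sample_soa()))
```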

6.2 Information Security Objectives and Planning to Achieve Them

Establish information security objectives at relevant functions and levels. Objectives shall:

  • Be consistent with the information security policy
  • Be measurable (if practicable)
  • Take into account applicable requirements
  • Be monitored, communicated, and updated as appropriate

For each objective, document: what will be done, what resources are required, who is responsible, when it will be completed, and how results will be evaluated.

Example objective:

Objective: Reduce mean time to detect (MTTD) security incidents
           from 72 hours to 24 hours within 12 months.
Owner:     CISO
Resources: SIEM tool upgrade, analyst training budget
Measure:   Monthly MTTD from incident log

6.3 Planning of Changes

(New in ISO 27001:2022)

When the organization determines the need for changes to the ISMS, the changes shall be carried out in a planned manner. The planning shall consider: the purpose of the changes and their potential consequences, the integrity of the ISMS, the availability of resources, and the allocation of responsibilities.


Clause 7: Support

Purpose: Ensure the ISMS has the resources, competent people, awareness, communication mechanisms, and documented information it needs to function.

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the ISMS. Resources include: people, infrastructure, technology, and budget.

7.2 Competence

The organization shall:

  • Determine the necessary competence of persons doing work affecting information security performance
  • Ensure those persons are competent (education, training, or experience)
  • Take actions to acquire necessary competence and evaluate their effectiveness
  • Retain documented evidence of competence

Competence evidence examples: training certificates, job descriptions, performance reviews, records of awareness sessions.

7.3 Awareness

Persons doing work under the organization’s control shall be aware of:

  • The information security policy
  • Their contribution to the effectiveness of the ISMS and the benefits of improved information security performance
  • The implications of not conforming to ISMS requirements

Awareness is different from competence: everyone must be aware of the basics, while only relevant roles need deep competence.

7.4 Communication

Determine the need for internal and external communications relevant to the ISMS, including: what to communicate, when, with whom, and how.

Direction       Examples
---------       --------
Internal        Security policy updates, incident notifications,
                awareness campaigns, management review results
External        Breach notifications (to regulators/customers),
                supplier security requirements, certification scope

7.5 Documented Information

7.5.1 General

The ISMS shall include documented information required by the standard plus any additional documented information the organization determines is necessary.

Mandatory documents required by the standard:

Category      Document                                 Clause
--------      --------------------------------------   ------
Context       ISMS Scope                               4.3
Leadership    Information Security Policy              5.2
Planning      Risk Assessment Methodology              6.1.2
Planning      Risk Treatment Process                   6.1.3
Planning      Statement of Applicability               6.1.3
Planning      Risk Treatment Plan                      6.1.3
Planning      Information Security Objectives          6.2
Support       Competence Evidence                      7.2
Support       Awareness Evidence                       7.3
Support       Document Control                         7.5
Operation     Risk Assessment Results                  8.2
Operation     Risk Treatment Results                   8.3
Performance   Monitoring & Measurement Results         9.1
Performance   Internal Audit Programme & Results       9.2
Performance   Management Review Results                9.3
Improvement   Nonconformities & Corrective Actions     10.2

7.5.2 Creating and Updating

When creating and updating documented information, ensure appropriate: identification and description (title, date, author), format and media, and review and approval for suitability and adequacy.

7.5.3 Control of Documented Information

Documented information shall be controlled to ensure it is available and suitable for use where and when it is needed, and adequately protected. Address: distribution, access, retrieval, use, storage, version control, and disposal.


Clause 8: Operation

Purpose: Actually do what was planned in Clause 6.

Clause 8 is where planning meets execution. The ISMS must be operated, not just documented.

8.1 Operational Planning and Control

Plan, implement, control, and maintain the processes needed to meet information security requirements. Implement the plans from Clause 6. Control planned changes, review unintended changes, and take mitigating actions as necessary.

Ensure outsourced processes are controlled.

8.2 Information Security Risk Assessment

Perform information security risk assessments at planned intervals or when significant changes are proposed or occur. Retain documented results.

The frequency is defined by the organization: annual is common, but events (new product launches, acquisitions, incidents, major changes) should trigger ad hoc assessments.

8.3 Information Security Risk Treatment

Implement the information security risk treatment plan and retain documented results.

This is about execution: applying the controls, policies, and technical measures decided in 6.1.3.


Clause 9: Performance Evaluation

Purpose: Check whether the ISMS is working. Measure, audit, and review.

The Plan-Do-Check-Act cycle requires a checking phase. Clause 9 provides three complementary mechanisms: measurement (ongoing), internal audit (periodic independent check), and management review (strategic oversight).

9.1 Monitoring, Measurement, Analysis and Evaluation

The organization shall determine:

  • What needs to be monitored and measured (including controls, processes, and objectives)
  • Methods for monitoring, measurement, analysis, and evaluation
  • When monitoring and measurement shall be performed
  • When results shall be analysed and evaluated
  • Who shall monitor and measure
  • Who shall analyse and evaluate results

Results must be retained as documented evidence.

Example metrics:

Metric                              Frequency
------                              ---------
Number of security incidents        Monthly
Mean time to detect (MTTD)          Monthly
Mean time to respond (MTTR)         Monthly
Patch compliance rate               Weekly
Security awareness training %       Quarterly
Vulnerability scan findings         Monthly

9.2 Internal Audit

9.2.1 General

Conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the organization’s own requirements and the standard’s requirements, and is effectively implemented and maintained.

9.2.2 Internal Audit Programme

Plan, establish, implement, and maintain an audit programme including:

  • Frequency, methods, responsibilities, planning requirements, and reporting
  • Consideration of the importance of the processes concerned and results of previous audits

Auditors shall be objective and impartial: they must not audit their own work. Results retained as documented evidence.

Audit programme example:

Quarter   Focus Area                      Auditor
-------   ----------                      -------
Q1        Access control, HR security     External consultant
Q2        Asset management, physical      Internal (different dept)
Q3        Incident management, BCM        Internal (different dept)
Q4        Full ISMS scope review          External consultant

9.3 Management Review

9.3.1 General

Top management shall review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.

9.3.2 Management Review Inputs

The review shall include consideration of:

  • Status of actions from previous management reviews
  • Changes in external/internal issues relevant to the ISMS
  • Changes in needs/expectations of interested parties
  • Feedback on information security performance (incidents, audit results, monitoring results, nonconformities, corrective actions, objectives)
  • Feedback from interested parties
  • Results of risk assessment and status of risk treatment plan
  • Opportunities for continual improvement

9.3.3 Management Review Results

Outputs shall include decisions related to:

  • Opportunities for continual improvement
  • Any need for changes to the ISMS

Results retained as documented evidence.


Clause 10: Improvement

Purpose: Act on what was learned in Clause 9 to continually improve.

10.1 Continual Improvement

The organization shall continually improve the suitability, adequacy, and effectiveness of the ISMS.

This is not optional: the standard requires ongoing improvement, not a static one-time implementation.

10.2 Nonconformity and Corrective Action

When a nonconformity occurs (something that doesn’t meet a requirement), the organization shall:

  1. React to the nonconformity and take action to control and correct it
  2. Deal with the consequences
  3. Determine the root cause
  4. Determine if similar nonconformities exist or could occur
  5. Implement necessary actions
  6. Review the effectiveness of corrective actions taken
  7. Make changes to the ISMS if necessary

Retain documented evidence of: the nature of the nonconformity, any actions taken, and the results of corrective actions.

Nonconformity examples:

Finding                                 Root Cause Example
-------                                 ------------------
Access not revoked when staff left      No offboarding process
Risk assessment not done in 18 months   No scheduled trigger in calendar
SoA not reviewed after acquisition      Change management process gap
Audit finding from last year not closed Corrective action not tracked

Annex A: Information Security Controls

Annex A provides a reference set of controls. The 2022 edition reorganized the 2013 controls from 14 domains/114 controls into 4 themes/93 controls.

Each control in Annex A is described in detail in ISO/IEC 27002:2022.

Overview of the Four Themes

Theme   Title                    Controls    Focus
-----   -----                    --------    -----
5       Organizational controls  37          Policies, roles, processes,
                                             supplier relationships
6       People controls          8           HR, awareness, remote work,
                                             confidentiality
7       Physical controls        14          Physical access, equipment,
                                             secure areas
8       Technological controls   34          Access control, encryption,
                                             logging, vulnerability mgmt

Theme 5: Organizational Controls (37 controls)

Controls:

Control   Title
-------   -----
5.1       Policies for information security
5.2       Information security roles and responsibilities
5.3       Segregation of duties
5.4       Management responsibilities
5.5       Contact with authorities
5.6       Contact with special interest groups
5.7       Threat intelligence  [new in 2022]
5.8       Information security in project management
5.9       Inventory of information and other associated assets
5.10      Acceptable use of information and other assets
5.11      Return of assets
5.12      Classification of information
5.13      Labelling of information
5.14      Information transfer
5.15      Access control
5.16      Identity management
5.17      Authentication information
5.18      Access rights
5.19      Information security in supplier relationships
5.20      Addressing information security in supplier agreements
5.21      Managing information security in the ICT supply chain  [new in 2022]
5.22      Monitoring, review, change mgmt of supplier services
5.23      Information security for use of cloud services  [new in 2022]
5.24      Information security incident mgmt planning and preparation
5.25      Assessment and decision on information security events
5.26      Response to information security incidents
5.27      Learning from information security incidents
5.28      Collection of evidence
5.29      Information security during disruption
5.30      ICT readiness for business continuity
5.31      Legal, statutory, regulatory and contractual requirements
5.32      Intellectual property rights
5.33      Protection of records
5.34      Privacy and protection of personal information
5.35      Independent review of information security
5.36      Compliance with policies, rules, standards
5.37      Documented operating procedures

Theme 6: People Controls (8 controls)

Control   Title
-------   -----
6.1       Screening
6.2       Terms and conditions of employment
6.3       Information security awareness, education, and training
6.4       Disciplinary process
6.5       Responsibilities after termination or change of employment
6.6       Confidentiality or non-disclosure agreements
6.7       Remote working  [new in 2022]
6.8       Information security event reporting

Theme 7: Physical Controls (14 controls)

Control   Title
-------   -----
7.1       Physical security perimeters
7.2       Physical entry
7.3       Securing offices, rooms, and facilities
7.4       Physical security monitoring  [new in 2022]
7.5       Protecting against physical and environmental threats
7.6       Working in secure areas
7.7       Clear desk and clear screen
7.8       Equipment siting and protection
7.9       Security of assets off-premises
7.10      Storage media
7.11      Supporting utilities
7.12      Cabling security
7.13      Equipment maintenance
7.14      Secure disposal or re-use of equipment

Theme 8: Technological Controls (34 controls)

Controls:

Control   Title
-------   -----
8.1       User endpoint devices
8.2       Privileged access rights
8.3       Information access restriction
8.4       Access to source code
8.5       Secure authentication
8.6       Capacity management
8.7       Protection against malware
8.8       Management of technical vulnerabilities
8.9       Configuration management  [new in 2022]
8.10      Information deletion  [new in 2022]
8.11      Data masking  [new in 2022]
8.12      Data leakage prevention  [new in 2022]
8.13      Information backup
8.14      Redundancy of information processing facilities
8.15      Logging
8.16      Monitoring activities  [new in 2022]
8.17      Clock synchronisation
8.18      Use of privileged utility programs
8.19      Installation of software on operational systems
8.20      Networks security
8.21      Security of network services
8.22      Segregation of networks
8.23      Web filtering  [new in 2022]
8.24      Use of cryptography
8.25      Secure development life cycle
8.26      Application security requirements
8.27      Secure system architecture and engineering principles
8.28      Secure coding  [new in 2022]
8.29      Security testing in development and acceptance
8.30      Outsourced development
8.31      Separation of development, test, and production environments
8.32      Change management
8.33      Test information
8.34      Protection of information systems during audit testing

The ISMS Lifecycle

ISO 27001 is built on the Plan-Do-Check-Act (PDCA) cycle:

PLAN (Clauses 4-6)
- Understand context
- Define scope
- Assess risks
- Plan treatment
- Set objectives

DO (Clauses 7-8)
- Provide resources and competence
- Implement controls
- Operate the ISMS

CHECK (Clause 9)
- Monitor and measure
- Internal audit
- Management review

ACT (Clause 10)
- Correct nonconformities
- Continually improve

PLAN ----▶ DO
  ▲          |
  |          ▼
 ACT ◀---- CHECK

Certification is awarded when an accredited certification body confirms that the organization’s ISMS meets all mandatory requirements (Clauses 4-10) and has an effective, operating control set justified by the risk assessment.