ISO 27001:2022 is part of a set of international standards for information security management systems, developed by the International Organization for Standardization (ISO). It provides a framework for organizations to develop, implement, and maintain an information security management system (ISMS) to protect the confidentiality, integrity, and availability of information assets. The standard is based on a risk assessment approach and includes the necessary controls and processes needed to prevent, detect, and respond to any security incidents.
ISO 27001 Controls
| Organizational controls |
| Policies for information security |
| Information security roles and responsibilities |
| Segregation of duties |
| Management responsibilities |
| Contact with authorities |
| Contact with special interest groups |
| Threat intelligence |
| Information security in projectmanagement |
| Inventory of information and other associated assets |
| Acceptable use of information and other associated assets |
| Return of assets |
| Classification of information |
| Labelling of information |
| Information transfer |
| Access control |
| Identity management |
| Authentication information |
| Access rights |
| Information security in supplier relationships |
| Addressing information security within supplier agreements |
| Managing information security in the information and communication technology (ICT) supply-chain |
| Monitoring, review and change management of supplier services |
| Information security for use of cloud services |
| Information security incident management planning and preparation |
| Assessment and decision on information security events |
| Response to information security incidents |
| Learning from information security incidents |
| Collection of evidence |
| Information security during disruption |
| ICT readiness for business continuity |
| Legal, statutory, regulatory and contractual requirements |
| Intellectual property rights |
| Protection of records |
| Privacy and protection of personal identifiable information (PII) |
| Independent review of information security |
| Compliance with policies, rules and standards for information security |
| Documented operating procedures |
| People controls |
| Screening |
| Terms and conditions of employment |
| Information security awareness, education and training |
| Disciplinary process |
| Responsibilities after termination or change of employment |
| Confidentiality or non-disclosure agreements |
| Remote working |
| Information security event reporting |
| Physical controls |
| Physical security perimeters |
| Physical entry |
| Securing offices, rooms and facilities |
| Physical security monitoring |
| Protecting against physical and environmental threats |
| Working in secure areas |
| Clear desk and clear screen |
| Equipment siting and protection |
| Security of assets off-premises |
| Storage media |
| Supporting utilities |
| Cabling security |
| Equipment maintenance |
| Secure disposal or re-use of equipment |
| Technological controls |
| User end point devices |
| Privileged access rights |
| Information access restriction |
| Access to source code |
| Secure authentication |
| Capacity management |
| Protection against malware |
| Management of technical vulnerabilities |
| Configuration management |
| Information deletion |
| Data masking |
| Data leakage prevention |
| Information backup |
| Redundancy of information processing facilities |
| Logging |
| Monitoring activities |
| Clock synchronization |
| Use of privileged utility programs |
| Installation of software on operational systems |
| Networks security |
| Security of network services |
| Segregation of networks |
| Web filtering |
| Use of cryptography |
| Secure development life cycle |
| Application security requirements |
| Secure system architecture and engineering principles |
| Secure coding |
| Security testing in development and acceptance |
| Outsourced development |
| Separation of development, test and production environments |
| Change management |
| Test information |
| Protection of information systems during audit testing |
