ISO 27001

ISO/IEC 27001:2022 is the core standard of the ISO/IEC 27000 family of information security standards, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) that protects the confidentiality, integrity and availability of an organization's information. The standard is risk-based: the organization identifies and assesses its information security risks, selects controls to treat them, and records and justifies that selection in a Statement of Applicability. Annex A of the 2022 edition lists 93 reference controls grouped into four themes (organizational, people, physical and technological), with implementation guidance for each control given in ISO/IEC 27002:2022. The controls span prevention, detection and response to security incidents; note that certification attests to the management system and its risk treatment, not that every Annex A control has been implemented.

ISO 27001:2022 Annex A controls

Organizational controls
Policies for information security
Information security roles and responsibilities
Segregation of duties
Management responsibilities
Contact with authorities
Contact with special interest groups
Threat intelligence
Information security in project management
Inventory of information and other associated assets
Acceptable use of information and other associated assets
Return of assets
Classification of information
Labelling of information
Information transfer
Access control
Identity management
Authentication information
Access rights
Information security in supplier relationships
Addressing information security within supplier agreements
Managing information security in the information and communication technology (ICT) supply chain
Monitoring, review and change management of supplier services
Information security for use of cloud services
Information security incident management planning and preparation
Assessment and decision on information security events
Response to information security incidents
Learning from information security incidents
Collection of evidence
Information security during disruption
ICT readiness for business continuity
Legal, statutory, regulatory and contractual requirements
Intellectual property rights
Protection of records
Privacy and protection of personal identifiable information (PII)
Independent review of information security
Compliance with policies, rules and standards for information security
Documented operating procedures
People controls
Screening
Terms and conditions of employment
Information security awareness, education and training
Disciplinary process
Responsibilities after termination or change of employment
Confidentiality or non-disclosure agreements
Remote working
Information security event reporting
Physical controls
Physical security perimeters
Physical entry
Securing offices, rooms and facilities
Physical security monitoring
Protecting against physical and environmental threats
Working in secure areas
Clear desk and clear screen
Equipment siting and protection
Security of assets off-premises
Storage media
Supporting utilities
Cabling security
Equipment maintenance
Secure disposal or re-use of equipment
Technological controls
User end point devices
Privileged access rights
Information access restriction
Access to source code
Secure authentication
Capacity management
Protection against malware
Management of technical vulnerabilities
Configuration management
Information deletion
Data masking
Data leakage prevention
Information backup
Redundancy of information processing facilities
Logging
Monitoring activities
Clock synchronization
Use of privileged utility programs
Installation of software on operational systems
Networks security
Security of network services
Segregation of networks
Web filtering
Use of cryptography
Secure development life cycle
Application security requirements
Secure system architecture and engineering principles
Secure coding
Security testing in development and acceptance
Outsourced development
Separation of development, test and production environments
Change management
Test information
Protection of information systems during audit testing