What is ISO/IEC 27001:2022

ISO 27001


ISO/IEC 27001:2022 is titled “Information technology — Security techniques — Information security management systems — Requirements”. The standard had its origin from BS7799 and was subsequently adopted by ISO and incorporated into the ISO 27000 series of standard and was implemented as ISO 27001:2005 as the first release and the current release is 27001:2022.

ISO/IEC 27001 is an international standard for information security management system (ISMS) and it is one of the well-known control framework which is certifiable by certification body. ISO/IEC 27001 is part of the ISO 27000 family of standards which comprises of 16 different standards in this family of ISMS.

ISO/IEC 27001 specifies the management system requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.

Organizations regardless of sizes may implement ISO 27001 and those that meet the requirements may be certified by an accredited certification body following the completion of audit by the certification body. The standards contains 10 clauses where clauses 4 to 10 are mandatory for organization implementing ISO 27001 and wishing to achieve ISO 27001 certification status.

Clauses 4 to 10 in ISO/IEC 27001:2022:
Clause 4. Context of Organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance Evaluation
Clause 10: Improvement

The standard like in all ISO standards uses a Plan Do Check Act methodology to achieve compliance level of the requirements stated in the standard. ISO/IEC 27001, advocates a risk based approach to establish, implement, maintain and continuously improving the ISMS within the organization using Annex A controls (ISO 27002:2013 –  Information Technology — Security techniques — Code of practice for information security controls). ISO/IEC 27002:2013 contains 14 domains, 35 controls objectives and 114 controls. The selection of ISO 27002 controls is dependent upon organizational decisions and criteria for risk acceptance, risk treatment options and risk management approach applied to the organization.

The 14 control domains defined in ISO 27002:2013 are:

5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operation security
13. Communication security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

We are information security consultant that can help your organization to simplify the implementation process of ISO/IEC 27001:2022 implementation and achieve certification status with our methodology and framework approach. For SME based in Singapore, we also help company in applying for the EDG grant for ISO 27001 and other standards adoption. Do reach out to us via email at [email protected]