What is ISO/IEC 27001:2022

ISO/IEC 27001:2022 is titled “Information security, cybersecurity and privacy protection — Information security management systems — Requirements” (the 2013 edition carried the older title “Information technology — Security techniques — Information security management systems — Requirements”). The standard originated as BS 7799, was subsequently adopted by ISO/IEC and incorporated into the ISO/IEC 27000 series; the first ISO release was ISO/IEC 27001:2005, followed by the 2013 edition, and the current release is ISO/IEC 27001:2022.
ISO/IEC 27001 is the international standard for information security management systems (ISMS) and one of the best-known control frameworks against which an organization can be certified by a certification body. It is part of the ISO/IEC 27000 family of ISMS standards, which also includes ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27002 (guidance on the controls) and ISO/IEC 27005 (information security risk management), among others.
ISO/IEC 27001 specifies the management system requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
Organizations of any size may implement ISO 27001, and those that meet the requirements may be certified by an accredited certification body after completing a certification audit. The standard contains 10 clauses; clauses 4 to 10 state the mandatory requirements for an organization implementing ISO 27001 and seeking certification.
| Clauses 4 to 10 in ISO/IEC 27001:2022 |
|---|
| Clause 4: Context of the organization |
| Clause 5: Leadership |
| Clause 6: Planning |
| Clause 7: Support |
| Clause 8: Operation |
| Clause 9: Performance evaluation |
| Clause 10: Improvement |
Like other ISO management system standards, ISO/IEC 27001 follows a Plan-Do-Check-Act (PDCA) cycle to meet the requirements stated in the standard. It advocates a risk-based approach: the organization establishes, implements, maintains and continually improves its ISMS, selecting controls from Annex A as part of risk treatment. In the 2022 edition, Annex A is aligned with ISO/IEC 27002:2022 (“Information security, cybersecurity and privacy protection — Information security controls”), which groups 93 controls into four themes: organizational (37 controls), people (8), physical (14) and technological (34). The previous edition, ISO/IEC 27002:2013 (“Information technology — Security techniques — Code of practice for information security controls”), grouped 114 controls under 35 control objectives in 14 domains. Which controls are selected depends on the organization's risk assessment, its criteria for risk acceptance and the risk treatment options it chooses; clause 6.1.3 requires the chosen controls to be compared against Annex A and recorded, together with the justification for each inclusion and exclusion, in a Statement of Applicability.
The 14 control domains defined in ISO/IEC 27002:2013 (numbered 5 to 18 after the introductory clauses, and since reorganized into the four themes of ISO/IEC 27002:2022) were:
| Control domains in ISO/IEC 27002:2013 |
|---|
| 5. Information security policies |
| 6. Organization of information security |
| 7. Human resource security |
| 8. Asset management |
| 9. Access control |
| 10. Cryptography |
| 11. Physical and environmental security |
| 12. Operations security |
| 13. Communications security |
| 14. System acquisition, development and maintenance |
| 15. Supplier relationships |
| 16. Information security incident management |
| 17. Information security aspects of business continuity management |
| 18. Compliance |
We are information security consultants who can help your organization simplify the implementation of ISO/IEC 27001:2022 and achieve certification using our methodology and framework. For SMEs based in Singapore, we also help companies apply for the EDG grant for ISO 27001 and other standards adoption. Reach out to us via email at [email protected]

