Guide to ISO/IEC 27001:2022 – Information Security Management
What is ISO 27001 information security management?
ISO/IEC 27001 is the international standard for information security management.
Part of the ISO 27000 series, ISO 27001 sets out a framework for all organisations to establish, implement, operate, monitor, review, maintain and continually improve an ISMS (information security management system).
Certification to the ISO 27001 standard is recognised worldwide as proof that your organisation’s information security management is aligned with best practice.
What is an ISMS?
An ISMS takes a systematic approach to securing the CIA (confidentiality, integrity and availability) of corporate information assets.
An ISO 27001 ISMS consists of organisational, people, physical and technological controls, selected on the basis of regular risk assessments.
Its technology- and vendor-neutral approach makes it suitable for all organisations, whatever their size, complexity, sector or location.
ISO 27001 has changed
ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022. As of 30 April 2024, accredited certification bodies can no longer issue new certificates, or recertify, against the 2013 edition of the Standard. Certificates already issued against ISO 27001:2013 remain valid until the end of the transition period on 31 October 2025, by which point every certified organisation must have completed a transition audit to the 2022 edition.
For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and how they affect your organisation, visit ISO 27001 and ISO 27002:2022 updates.
ISO 27001 benefits
ISO 27001 is one of the most popular information security standards in existence. Independent accredited certification to the Standard is recognised worldwide. The number of certifications has grown by more than 450% in the past ten years.
Implementing the Standard helps you meet the requirements of laws such as the UK and EU GDPR (General Data Protection Regulation) and the NIS (Network and Information Systems) Regulations. It also helps reduce the costs associated with data breaches.
Protect your data, wherever it is
Protect all forms of information, whether digital, hard copy or in the Cloud.
Increase your attack resilience
Increase your organisation’s resilience to cyber attacks.
Reduce information security costs
Implement only the security controls you need, helping you get the most out of your budget.
Respond to evolving security threats
Constantly adapt to changes both in the wider environment and inside the organisation.
Improve company culture
An ISMS encompasses people, processes and technology, ensuring staff understand risks and embrace security as part of their everyday working practices.
Meet contractual obligations
Certification demonstrates your organisation’s commitment to data security and provides a valuable credential when tendering for new business.
How to achieve ISO 27001 compliance
Implementing an ISMS involves the following:
- Scoping the project.
- Securing management commitment and adequate resources.
- Identifying interested parties and applicable legal and contractual requirements.
- Conducting a risk assessment.
- Selecting and implementing the required controls.
- Developing internal competence to manage the project.
- Developing the appropriate documentation.
- Conducting staff awareness training.
- Continually measuring, monitoring, reviewing and internally auditing the ISMS.
- Implementing the necessary corrective actions and improvements (Clause 10). Note that, unlike the 2005 edition, ISO 27001:2013 and ISO 27001:2022 no longer contain a separate "preventive action" requirement; prevention is addressed through the risk-based planning in Clause 6.
ISO 27001 and risk management
Risk management forms the cornerstone of an ISMS. All ISMS projects rely on regular information security risk assessments to determine which security controls to implement and maintain, and the results of those assessments must be retained as documented information.
The Standard defines its requirements for the risk management process in Clause 6.1: Clause 6.1.2 covers risk assessment (establishing risk criteria, identifying, analysing and evaluating risks) and Clause 6.1.3 covers risk treatment (selecting treatment options, determining the necessary controls, comparing them with Annex A, producing the SoA (Statement of Applicability) and obtaining risk owners' approval of the treatment plan). Clauses 8.2 and 8.3 then require the assessment and treatment to actually be carried out at planned intervals and whenever significant changes occur.
ISO 27001 clauses and controls

ISO 27001:2022 has ten management system clauses. Clauses 1 to 3 are introductory; Clauses 4 to 10 contain the mandatory requirements an auditor will assess. Together with Annex A, which lists the 93 information security controls from ISO 27002:2022, they support the implementation and maintenance of an ISMS.
- 1 Scope
- 2 Normative references
- 3 Terms and definitions
- 4 Context of the organization
- 5 Leadership
- 6 Planning
- 7 Support
- 8 Operation
- 9 Performance evaluation
- 10 Improvement
Although the 2022 version of the Standard has fewer controls than the 2013 version (93 compared with 114), this is because many controls have been merged rather than removed: 57 of the 2013 controls were consolidated into 24, and most of the remainder were updated. ISO 27002:2022 also introduces 11 new controls, covering areas such as threat intelligence, cloud service security, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, activity monitoring, web filtering and secure coding.
The 93 controls are grouped into four themes:
- Organisational (37 controls)
- People (8 controls)
- Physical (14 controls)
- Technological (34 controls)
ISO 27001 doesn't require all 93 to be implemented. Instead, your risk assessment and risk treatment plan should define which controls are required, and Clause 6.1.3 requires you to produce a Statement of Applicability that lists every Annex A control, states whether it is implemented, and justifies its inclusion or exclusion. Annex A is a reference set rather than an exhaustive one: you may also select controls from other sources (for example sector-specific frameworks) where your risk treatment calls for them, and an auditor will expect every exclusion to be traceable to the risk assessment rather than to convenience.
Updated on: 22/08/2024