Complete Requirements Guide

ISO 27001:2022 Requirements & Controls

Comprehensive breakdown of all 7 clauses (4-10) and 93 Annex A controls. Everything you need to understand and implement ISO 27001.

7 Clauses | 93 Annex A Controls | 4 Control Categories | 8+ Mandatory Docs

ISO 27001:2022 Standard

7 Core Clauses (4-10)

The mandatory requirements that every organization must implement to achieve ISO 27001 certification.

Clause 4

Context of the Organization

Understanding your organization and its context, including internal and external issues that affect the ISMS.

Understand organization and its context
Understand needs and expectations of interested parties
Determine scope of the ISMS
Establish the information security management system

Clause 5

Leadership

Top management commitment, establishing information security policy, and assigning organizational roles and responsibilities.

Leadership and commitment from top management
Establish information security policy
Assign organizational roles, responsibilities, and authorities

Clause 6

Planning

Risk assessment, risk treatment, and setting information security objectives and plans to achieve them.

Actions to address risks and opportunities
Information security risk assessment
Information security risk treatment
Information security objectives and planning

Clause 7

Support

Resources, competence, awareness, communication, and documented information required for the ISMS.

Provide necessary resources
Ensure competence of personnel
Create awareness about information security
Establish communication processes
Control documented information

Clause 8

Operation

Operational planning and control, plus carrying out the information security risk assessment and risk treatment in practice.

Operational planning and control
Information security risk assessment
Information security risk treatment

Clause 9

Performance Evaluation

Monitoring, measurement, analysis, evaluation, internal audit, and management review.

Monitoring, measurement, analysis and evaluation
Internal audit program
Management review of the ISMS

Clause 10

Improvement

Nonconformity, corrective action, and continual improvement of the ISMS.

Address nonconformities and take corrective action
Continual improvement of the ISMS

Annex A Controls

93 Security Controls Across 4 Categories

ISO 27001:2022 Annex A provides a comprehensive catalog of information security controls organized into Organizational, People, Physical, and Technological categories.

Organizational Controls

37 Controls

Policies, procedures, and organizational structures for information security management.

Key Controls:
Information security policies (5.1)
Information security roles and responsibilities (5.2)
Segregation of duties (5.3)
Management responsibilities (5.4)
Contact with authorities (5.5)
Asset management (5.9)
Acceptable use of assets (5.10)
Return of assets (5.11)
Classification of information (5.12)
Labelling of information (5.13)

People Controls

8 Controls

Human resource security controls covering the employee lifecycle.

Key Controls:
Screening (6.1)
Terms and conditions of employment (6.2)
Information security awareness, education and training (6.3)
Disciplinary process (6.4)
Responsibilities after termination (6.5)
Confidentiality or non-disclosure agreements (6.6)
Remote working (6.7)
Information security event reporting (6.8)

Physical Controls

14 Controls

Physical security controls to protect facilities, equipment, and assets.

Key Controls:
Physical security perimeters (7.1)
Physical entry (7.2)
Securing offices, rooms and facilities (7.3)
Physical security monitoring (7.4)
Protecting against physical and environmental threats (7.5)
Working in secure areas (7.6)
Clear desk and clear screen (7.7)
Equipment siting and protection (7.8)
Security of assets off-premises (7.9)
Storage media (7.10)

Technological Controls

34 Controls

Technical security controls for systems, networks, and data protection.

Key Controls:
User endpoint devices (8.1)
Privileged access rights (8.2)
Information access restriction (8.3)
Secure authentication (8.5)
Protection against malware (8.7)
Configuration management (8.9)
Information backup (8.13)
Logging (8.15)
Networks security (8.20)
Use of cryptography (8.24)

Ready to Implement ISO 27001 Requirements?

Get expert guidance on implementing all clauses and controls. Our consultants will help you navigate requirements, select appropriate controls, and achieve certification.