
ISO 27001:2022 Requirements & Controls

Comprehensive breakdown of all 7 clauses (4-10) and 93 Annex A controls. Everything you need to understand and implement ISO 27001.

Clauses 4–10 are mandatory for every certified organization; the 93 Annex A controls are selected by risk and recorded in the Statement of Applicability (SoA).

7 mandatory clauses (4–10) · 93 Annex A controls · 4 control themes

ISO/IEC 27001:2022 · Accredited certification bodies (TÜV SÜD, BSI, DNV) · Last reviewed June 2026

ISO/IEC 27001:2022 requirements fall into two parts. First, the seven mandatory management-system clauses (4–10) that every certified organization must implement: context, leadership, planning, support, operation, performance evaluation, and improvement. Second, the 93 Annex A controls grouped into four themes — Organizational (37), People (8), Physical (14), and Technological (34) — from which you select applicable controls based on your risk assessment and document the result in a Statement of Applicability (SoA). The clauses are non-negotiable; the controls are risk-driven. Certification is awarded by an accredited certification body (such as TÜV SÜD, BSI, or DNV) after Stage 1 and Stage 2 audits — Tranquility Cybersecurity (TCSA) prepares your ISMS so it passes, but does not issue the certificate. See the standard at ISO/IEC 27001.

ISO 27001:2022 Standard

7 Core Clauses (4-10)

The mandatory requirements that every organization must implement to achieve ISO 27001 certification.

Clause 4

Context of the Organization

Understanding your organization and its context, including internal and external issues that affect the ISMS.

  • Understand organization and its context
  • Understand needs and expectations of interested parties
  • Determine scope of the ISMS
  • Establish the information security management system

Clause 5

Leadership

Top management commitment, establishing information security policy, and assigning organizational roles and responsibilities.

  • Leadership and commitment from top management
  • Establish information security policy
  • Assign organizational roles, responsibilities, and authorities

Clause 6

Planning

Risk assessment, risk treatment, and setting information security objectives and plans to achieve them.

  • Actions to address risks and opportunities
  • Information security risk assessment
  • Information security risk treatment
  • Information security objectives and planning

Clause 7

Support

Resources, competence, awareness, communication, and documented information required for the ISMS.

  • Provide necessary resources
  • Ensure competence of personnel
  • Create awareness about information security
  • Establish communication processes
  • Control documented information

Clause 8

Operation

Operational planning and control, plus carrying out the risk assessment and implementing the risk treatment plan in day-to-day operation.

  • Operational planning and control
  • Information security risk assessment
  • Information security risk treatment

Clause 9

Performance Evaluation

Monitoring, measurement, analysis, evaluation, internal audit, and management review.

  • Monitoring, measurement, analysis and evaluation
  • Internal audit program
  • Management review of the ISMS

Clause 10

Improvement

Nonconformity, corrective action, and continual improvement of the ISMS.

  • Address nonconformities and take corrective action
  • Continual improvement of the ISMS

Annex A Controls

93 Security Controls Across 4 Categories

ISO 27001:2022 Annex A provides a comprehensive catalog of information security controls organized into Organizational, People, Physical, and Technological categories.

Organizational Controls

37 Controls

Policies, procedures, and organizational structures for information security management.

Key Controls:

  • Information security policies (5.1)
  • Information security roles and responsibilities (5.2)
  • Segregation of duties (5.3)
  • Management responsibilities (5.4)
  • Contact with authorities (5.5)
  • Asset management (5.9)
  • Acceptable use of assets (5.10)
  • Return of assets (5.11)
  • Classification of information (5.12)
  • Labelling of information (5.13)

People Controls

8 Controls

Human resource security controls covering the employee lifecycle.

Key Controls:

  • Screening (6.1)
  • Terms and conditions of employment (6.2)
  • Information security awareness, education and training (6.3)
  • Disciplinary process (6.4)
  • Responsibilities after termination (6.5)
  • Confidentiality or non-disclosure agreements (6.6)
  • Remote working (6.7)
  • Information security event reporting (6.8)

Physical Controls

14 Controls

Physical security controls to protect facilities, equipment, and assets.

Key Controls:

  • Physical security perimeters (7.1)
  • Physical entry (7.2)
  • Securing offices, rooms and facilities (7.3)
  • Physical security monitoring (7.4)
  • Protecting against physical and environmental threats (7.5)
  • Working in secure areas (7.6)
  • Clear desk and clear screen (7.7)
  • Equipment siting and protection (7.8)
  • Security of assets off-premises (7.9)
  • Storage media (7.10)

Technological Controls

34 Controls

Technical security controls for systems, networks, and data protection.

Key Controls:

  • User endpoint devices (8.1)
  • Privileged access rights (8.2)
  • Information access restriction (8.3)
  • Secure authentication (8.5)
  • Protection against malware (8.7)
  • Configuration management (8.9)
  • Information backup (8.13)
  • Logging (8.15)
  • Networks security (8.20)
  • Use of cryptography (8.24)

Frequently Asked Questions

ISO 27001:2022 requirements, clauses, and Annex A controls — answered.

Do I need to implement all 93 Annex A controls?

No. You select controls based on your risk assessment and document them in the Statement of Applicability (SoA), justifying any exclusions. Most organizations apply 70–85 controls depending on their risk profile and business context.

What is the difference between the clauses and the Annex A controls?

Clauses 4–10 are mandatory management-system requirements that define the ISMS framework (what you must do). Annex A controls are security measures you select based on your risk assessment (how you do it). All clauses are mandatory; Annex A controls are risk-based.

What are the mandatory documented information requirements?

ISO 27001:2022 requires the ISMS scope, information security policy, risk assessment methodology, risk assessment report, risk treatment plan, Statement of Applicability (SoA), internal audit programme, and management review records. Additional documentation depends on the Annex A controls you select.

Who issues the ISO 27001 certificate?

An accredited certification body — for example TÜV SÜD, BSI, or DNV — issues the certificate after a successful Stage 1 (documentation) and Stage 2 (implementation) audit. Tranquility Cybersecurity is the consultant that prepares your ISMS to pass; we are not the certification body and do not issue the certificate.

What changed in ISO 27001:2022 versus the 2013 version?

The 2022 revision reorganized Annex A from 14 categories (114 controls) into 4 themes (93 controls) and added 11 new controls covering cloud security, threat intelligence, data masking, web filtering, and secure coding. Clauses 4–10 remain largely unchanged.

Continue your research with the ISO 27001 hub, see how we guide companies to certification through our ISO 27001 consulting service in India, or review outcomes from past engagements on our proof page.

Written By Expert Auditors

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor

Last reviewed: June 2026. Content verified by certified lead auditors.
