The ISO/IEC 27001:2022 standard provides a structured framework for implementing and maintaining an effective Information Security Management System (ISMS). This latest edition of the standard has been updated to reflect modern cybersecurity realities and enhance alignment with related standards.
Understanding its structure is key for organizations aiming to comply with and benefit from its requirements.
The structure organizes content into clauses that systematically guide the establishment, operation, and continual improvement of an ISMS, supported by annexes that detail specific controls and guidelines.
Structure Overview
ISO/IEC 27001:2022 follows the High-Level Structure (HLS) common to many ISO management system standards, allowing for easier integration with standards such as ISO 9001 (Quality) and ISO 22301 (Business Continuity).
The standard consists of 10 main clauses (0 to 10) along with Annex A, which catalogs the control objectives and controls.
Main Clauses
Clause 0: Introduction and Scope - Provides the scope and defines the applicability of the standard regarding information security management.
Clause 1: Scope - Specifies the requirements for establishing, implementing, maintaining, and improving an ISMS tailored to organizational needs.
Clause 2: Normative References - Lists documents referenced by the standard, providing foundational concepts or terminology.
Clause 3: Terms and Definitions - Defines specific terminology used throughout the standard to ensure clarity and uniform understanding.
Clause 4: Context of the Organization - Requires understanding the organization's external and internal context and the needs and expectations of interested parties relevant to information security.
Clause 5: Leadership - Highlights top management’s responsibility for leadership, commitment, and support for the ISMS.
Clause 6: Planning - Deals with identifying risks and opportunities, setting information security objectives, and planning actions to address them.
Clause 7: Support - Covers resources, competence, awareness, communication, and documented information necessary for ISMS operation.
Clause 8: Operation - Focuses on executing and controlling ISMS processes, including risk assessment and treatment.
Clause 9: Performance Evaluation - Involves monitoring, measurement, analysis, evaluation, internal audit, and management review of the ISMS.
Clause 10: Improvement - Addresses nonconformities and corrective actions to continually improve the ISMS.
Annex A: Control Objectives and Controls
Annex A provides a comprehensive catalog of 93 controls structured into four categories (formerly 14 domains). The 2022 revision groups controls by attributes such as operational capabilities and cybersecurity concepts rather than the traditional domains.
Key areas covered include organizational controls, people controls, physical security, and technological controls. Organizations select applicable controls based on their risk assessment and Statement of Applicability.
Recent Updates in the 2022 Edition