What is ISO?
The International Organization for Standardization (ISO) is an independent, non-governmental international body founded in 1947. With members from 167 countries, ISO develops and publishes international standards covering almost every industry — from technology and manufacturing to food safety and healthcare. In information security, ISO is the most globally recognised standards body outside of the United States.
ISO standards are developed in partnership with the International Electrotechnical Commission (IEC) for technology-related standards — which is why information security standards carry the prefix ISO/IEC.
What is ISO 27001?
ISO/IEC 27001 is the world’s leading international standard for Information Security Management Systems (ISMS). It provides a systematic, risk-based approach to managing sensitive company information, ensuring it remains secure across people, processes and technology. Unlike prescriptive compliance frameworks, ISO 27001 is built around continuous improvement — organisations implement controls proportionate to their specific risks and business context.
ISO 27001 is certifiable — organisations can achieve formal third-party certification demonstrating their ISMS meets the standard’s requirements. This makes it the gold standard for demonstrating information security to customers, partners, regulators and investors globally.
| Attribute | Detail |
|---|---|
| Standard Body | ISO/IEC — International Organization for Standardization |
| Current Version | ISO/IEC 27001:2022 |
| Mandatory or Voluntary | Voluntary (mandatory in some regulated sectors and contracts) |
| Geography | Global |
| Certifiable | Yes — third-party certification available |
| Official Resource | iso.org/standard/27001 |
What Changed from ISO 27001:2013 to 2022?
The 2022 revision was the first major update in nearly a decade. While the core ISMS structure remained intact, the Annex A controls were significantly restructured and updated to reflect the modern threat landscape.
| Area | 2013 Version | 2022 Version |
|---|---|---|
| Annex A Controls | 114 controls across 14 clauses | 93 controls across 4 themes |
| Structure | 14 control categories | 4 themes: Organisational, People, Physical, Technological |
| New Controls | None | 11 new controls including threat intelligence, cloud security, data masking |
| Attributes | Not available | New attribute system for filtering controls by type, concept, capability |
| Cyber Concepts | Not mapped | Controls mapped to Identify, Protect, Detect, Respond, Recover |
The Four Themes of ISO 27001:2022 Annex A
The 2022 version reorganised all controls into four clear themes, making it easier to assign ownership and implement controls across the organisation.
| Theme | Controls | Focus |
|---|---|---|
| Organisational | 37 controls | Policies, roles, responsibilities, supplier relationships, incident management |
| People | 8 controls | Screening, terms of employment, awareness, training, disciplinary process |
| Physical | 14 controls | Physical security perimeters, entry controls, equipment security, clear desk |
| Technological | 34 controls | Access control, cryptography, malware protection, logging, vulnerability management |
ISO 27001:2022 — All 93 Annex A Controls
The following table lists all 93 controls in ISO 27001:2022 Annex A, grouped by theme.
Organisational Controls (A.5)
| Control | Name | Description |
|---|---|---|
| A.5.1 | Policies for information security | Information security policy and topic-specific policies defined, approved, published and communicated |
| A.5.2 | Information security roles and responsibilities | Roles and responsibilities for information security defined and allocated |
| A.5.3 | Segregation of duties | Conflicting duties and areas of responsibility segregated to reduce opportunities for fraud and error |
| A.5.4 | Management responsibilities | Management requires all personnel to apply information security in accordance with policy |
| A.5.5 | Contact with authorities | Appropriate contacts with relevant authorities established and maintained |
| A.5.6 | Contact with special interest groups | Contacts with special interest groups, forums and professional associations maintained |
| A.5.7 | Threat intelligence | Information relating to threats collected, analysed and used. New in 2022. |
| A.5.8 | Information security in project management | Information security integrated into project management |
| A.5.9 | Inventory of information and other associated assets | Inventory of information and other associated assets developed and maintained |
| A.5.10 | Acceptable use of information and assets | Rules for acceptable use of information and assets identified, documented and implemented |
| A.5.11 | Return of assets | Personnel and external parties return assets upon change or termination of employment |
| A.5.12 | Classification of information | Information classified according to legal requirements, value, criticality and sensitivity |
| A.5.13 | Labelling of information | Appropriate set of procedures for information labelling developed and implemented |
| A.5.14 | Information transfer | Transfer policies, procedures and agreements in place for all types of transfer |
| A.5.15 | Access control | Rules controlling physical and logical access to information and assets established and implemented |
| A.5.16 | Identity management | Full lifecycle of identities managed |
| A.5.17 | Authentication information | Allocation and management of authentication information controlled by a management process |
| A.5.18 | Access rights | Access rights provisioned, reviewed, modified and removed based on business requirements |
| A.5.19 | Information security in supplier relationships | Processes and procedures defined to manage information security risks in supplier relationships |
| A.5.20 | Addressing security within supplier agreements | Relevant security requirements established and agreed with each supplier |
| A.5.21 | Managing security in the ICT supply chain | Processes and procedures defined to manage security risks in ICT product and service supply chain |
| A.5.22 | Monitoring, review and change management of supplier services | Regular monitoring, reviewing and auditing of supplier service delivery |
| A.5.23 | Information security for use of cloud services | Processes for acquisition, use, management and exit of cloud services. New in 2022. |
| A.5.24 | Information security incident management planning and preparation | Organisation plans and prepares for managing incidents by defining processes and roles |
| A.5.25 | Assessment and decision on information security events | Security events assessed and classified as incidents or false alarms |
| A.5.26 | Response to information security incidents | Incidents responded to in accordance with documented procedures |
| A.5.27 | Learning from information security incidents | Knowledge gained from incidents used to strengthen controls and improve ISMS |
| A.5.28 | Collection of evidence | Procedures for identification, collection, acquisition and preservation of evidence established |
| A.5.29 | Information security during disruption | Information security maintained during disruption |
| A.5.30 | ICT readiness for business continuity | ICT readiness planned, implemented, maintained and tested. New in 2022. |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | Legal, statutory, regulatory and contractual requirements identified and documented |
| A.5.32 | Intellectual property rights | Appropriate procedures implemented to protect intellectual property rights |
| A.5.33 | Protection of records | Records protected from loss, destruction, falsification, unauthorised access and release |
| A.5.34 | Privacy and protection of personal information | Privacy and protection of personal information as required by legislation and regulations |
| A.5.35 | Independent review of information security | Independent review of approach to managing information security at planned intervals |
| A.5.36 | Compliance with policies, rules and standards for information security | Compliance with security policy, topic-specific policies and standards reviewed regularly |
| A.5.37 | Documented operating procedures | Operating procedures for information processing documented and made available |
People Controls (A.6)
| Control | Name | Description |
|---|---|---|
| A.6.1 | Screening | Background verification checks on candidates carried out prior to employment |
| A.6.2 | Terms and conditions of employment | Employment agreements state responsibilities for information security |
| A.6.3 | Information security awareness, education and training | Awareness, education and training relevant to their role provided to all staff |
| A.6.4 | Disciplinary process | Formal disciplinary process in place for security policy violations |
| A.6.5 | Responsibilities after termination or change of employment | Security responsibilities remaining after termination or change defined and enforced |
| A.6.6 | Confidentiality or non-disclosure agreements | NDAs reflecting the organisation’s needs for information protection identified and implemented |
| A.6.7 | Remote working | Security measures implemented when working remotely. New in 2022. |
| A.6.8 | Information security event reporting | Mechanism for reporting security events through appropriate channels provided |
Physical Controls (A.7)
| Control | Name | Description |
|---|---|---|
| A.7.1 | Physical security perimeters | Security perimeters defined and used to protect areas containing information and assets |
| A.7.2 | Physical entry | Secure areas protected by appropriate entry controls and access points |
| A.7.3 | Securing offices, rooms and facilities | Physical security for offices, rooms and facilities designed and implemented |
| A.7.4 | Physical security monitoring | Premises monitored for unauthorised physical access. New in 2022. |
| A.7.5 | Protecting against physical and environmental threats | Protection against physical and environmental threats such as natural disasters designed and implemented |
| A.7.6 | Working in secure areas | Security measures for working in secure areas designed and implemented |
| A.7.7 | Clear desk and clear screen | Clear desk rules for papers and removable media and clear screen rules for IT facilities defined |
| A.7.8 | Equipment siting and protection | Equipment sited and protected to reduce risks from environmental threats and unauthorised access |
| A.7.9 | Security of assets off-premises | Off-site assets protected taking into account risks of working outside the organisation’s premises |
| A.7.10 | Storage media | Storage media managed through acquisition, use, transportation and disposal lifecycle |
| A.7.11 | Supporting utilities | Facilities protected from power failures and other disruptions caused by utility failures |
| A.7.12 | Cabling security | Cables carrying power and data protected from interception, interference or damage |
| A.7.13 | Equipment maintenance | Equipment maintained correctly to ensure availability and integrity |
| A.7.14 | Secure disposal or re-use of equipment | Items of equipment verified to ensure data has been removed or securely overwritten prior to disposal |
Technological Controls (A.8)
| Control | Name | Description |
|---|---|---|
| A.8.1 | User endpoint devices | Information stored on, processed by or accessible via user endpoint devices protected |
| A.8.2 | Privileged access rights | Allocation and use of privileged access rights restricted and managed |
| A.8.3 | Information access restriction | Access to information and systems restricted in accordance with access control policy |
| A.8.4 | Access to source code | Read and write access to source code, development tools and software libraries managed |
| A.8.5 | Secure authentication | Secure authentication technologies and procedures implemented based on access restrictions |
| A.8.6 | Capacity management | Use of resources monitored and adjusted in line with current and expected capacity requirements |
| A.8.7 | Protection against malware | Protection against malware implemented and supported by appropriate user awareness |
| A.8.8 | Management of technical vulnerabilities | Information about technical vulnerabilities obtained and exposure evaluated |
| A.8.9 | Configuration management | Configurations including security configurations established, documented and monitored. New in 2022. |
| A.8.10 | Information deletion | Information deleted when no longer required. New in 2022. |
| A.8.11 | Data masking | Data masking used in accordance with access control policy. New in 2022. |
| A.8.12 | Data leakage prevention | Data leakage prevention measures applied to systems and networks. New in 2022. |
| A.8.13 | Information backup | Backup copies of information, software and systems maintained and tested |
| A.8.14 | Redundancy of information processing facilities | Redundancy implemented to meet availability requirements |
| A.8.15 | Logging | Logs recording activities, exceptions, faults and other events produced, stored, protected and analysed |
| A.8.16 | Monitoring activities | Networks, systems and applications monitored for anomalous behaviour. New in 2022. |
| A.8.17 | Clock synchronisation | Clocks of information processing systems synchronised to approved time sources |
| A.8.18 | Use of privileged utility programs | Use of utility programs that might be capable of overriding system controls restricted and controlled |
| A.8.19 | Installation of software on operational systems | Procedures to manage software installation on operational systems implemented |
| A.8.20 | Networks security | Networks and network devices secured, managed and controlled to protect information |
| A.8.21 | Security of network services | Security mechanisms, service levels and requirements of network services identified and included in agreements |
| A.8.22 | Segregation of networks | Groups of information services, users and systems segregated in networks |
| A.8.23 | Web filtering | Access to external websites managed to reduce exposure to malicious content. New in 2022. |
| A.8.24 | Use of cryptography | Rules for effective use of cryptography including key management defined and implemented |
| A.8.25 | Secure development life cycle | Rules for secure development of software and systems established and applied |
| A.8.26 | Application security requirements | Information security requirements identified and specified when developing or acquiring applications |
| A.8.27 | Secure system architecture and engineering principles | Principles for engineering secure systems established, documented and applied |
| A.8.28 | Secure coding | Secure coding principles applied to software development. New in 2022. |
| A.8.29 | Security testing in development and acceptance | Security testing processes defined and implemented in the development lifecycle |
| A.8.30 | Outsourced development | Outsourced development activities directed, monitored and reviewed |
| A.8.31 | Separation of development, test and production environments | Development, testing and production environments separated and secured |
| A.8.32 | Change management | Changes to information processing facilities and systems subject to change management procedures |
| A.8.33 | Test information | Test information appropriately selected, protected and managed |
| A.8.34 | Protection of information systems during audit testing | Audit tests and activities involving assessment of operational systems planned and agreed |
Securitora Assessment
ISO 27001:2022 is the most credible and globally recognised information security standard available. For any organisation looking to demonstrate security to enterprise customers, partners or regulators — particularly outside the United States — ISO 27001 certification is the gold standard. The 2022 update brings the standard firmly into the modern era with new controls covering cloud security, threat intelligence, data masking and remote working.
| Criterion | Assessment |
|---|---|
| Recommended for | All organisations seeking global credibility — especially those selling to enterprise or operating internationally |
| Difficulty to implement | Medium to High — requires significant documentation and a formal audit for certification |
| Best used with | NIST CSF 2.0 · ISO 27005 · SOC 2 Type II |
| Official resource | iso.org/standard/27001 |