ISO27001 (ISO/IEC 27001 to give it its full name) is the international standard for information security. It is a document, published by ISO, that defines a set of requirements. If an organization meets all of these requirements, it can be certified by a certification body (an auditing company) and receive a certificate to prove it. Organizations become certified to show to others (and themselves) that a third party has checked that they are doing what’s necessary to address their information security risks. This can reassure customers and potential customers, satisfy regulators and save time when responding to tender questionnaires, amongst other things. The ISO27001 standard has recently been updated, so we’re going to look at the 2022 version (the latest).
But what do these requirements look like? Well, the structure of ISO27001 is in two parts. First there is the information security management system (ISMS), which defines how information security is managed within the organization. Second, there are the Annex A controls, a set of ninety-three good ideas that can be used to make the organization more secure. The organization can choose which of these are applicable to it, based on its assessment of its risks, so it may not need to implement all of them.
Let’s go into the requirements for the ISMS in a bit more detail, before talking about the Annex A controls.
After a foreword and introduction, the ISO27001 standard document is organized into clauses numbered 1 to 10. The requirements themselves are contained in clauses 4 to 10 (clauses 1 to 3 are basically supporting information) and can generally be recognised by the use of the word “shall”, for example “The organization shall establish, implement, maintain and continually improve an information security management system,” (from Clause 4.4).
To give you an idea of the contents of clauses 4 to 10, we’ll go through them in turn.
This clause is about understanding as much as possible about the organization itself and the environment in which it operates. The key point about the ISMS is that it should be appropriate and relevant to the specifics of the business it is protecting. To ensure this, the people implementing and running the ISMS must be able to answer questions about what the organization does, where, how and who for (plus many others).
The ISMS will also be affected by the situation within the organization (internal issues) and outside the organization (external issues). Internal issues are factors such as the culture, management structure, locations, management style, financial performance, employee relations, level of training etc. that define the organization. External issues are those less under the organization’s control, such as the economic, social, political and legal environment that it must operate within. All these issues (internal and external) will have a bearing on the priorities, objectives, operation and maintenance of the ISMS.
The context clause is also the one where the scope of the ISMS is defined. Again, this needs careful consideration. If your organization is small, it usually makes sense to place everything it does within the scope because often it can be more difficult to manage a limitation to the scope than to simply cover everything.
The leadership clause of the standard is about showing that top management are serious about the ISMS and are right behind it. They may do this in various ways. The first is by demonstrating management commitment; partly this is by simply saying that they support the ISMS in meetings, in articles in internal and external magazines, in presentations to employees and interested parties etc. and partly by making sure the right resources and processes are in place to support the ISMS, for example people, budget, management reviews, plans etc.
The second way for top management to show they are serious about the ISMS is to ensure that there are appropriate information security policies in place. These need to be signed off by top management and distributed to everyone that they might be relevant to. Generally, most organizations take one of two approaches to policy creation; they either go for a single, all-encompassing information security policy or they go for a more modular approach with individual policies used to address specific issues. There isn’t a single right answer for information security policies in the context of the ISO27001 standard; the main point is that whatever you do choose to state in your policies, you can show that it is being communicated, understood and followed within the organization.
Lastly, top management need to make sure that everyone involved in the ISMS knows what their role(s) and associated responsibilities and authorities are. Remember to ensure that information security is included in the day-to-day responsibilities of existing roles rather than trying to create a parallel organization structure just for information security; it needs to be business as usual not an add-on.
Remember also that demonstrating leadership is an ongoing process, not a one-off activity solely during implementation.
The general ethos of the ISO/IEC 27001 standard is to be proactive in managing information security and a central concept to this is risk assessment. This involves considering what could go wrong and then taking steps to do something about it in advance rather than waiting for it to happen. The standard points out that not everything that happens is necessarily negative and that there may be positive “opportunities” along the way too.
A risk assessment needs to be conducted to analyse and evaluate the impact and likelihood of various events occurring. This will give you the opportunity to do something about those risks that are both likely and have a significant impact, i.e. to treat the risks.
Once the risks have been identified, assessed and evaluated, the risk treatment plan is created. The key point to remember in treating risk is that it is a trade-off. Few organizations have limitless funds and so the money spent in treating risk needs to result in a larger benefit than the cost.
Within the planning clause of the standard we also need to set out what the ISMS is intended to achieve and how it will be done. In terms of the ISMS there are two main levels of objectives. The first is the high-level objectives set out when defining the context of the ISMS. These tend to be quite broad and non-specific in order to describe why the ISMS is necessary in the first place and these objectives probably won’t change much. The second level of objectives is more action-oriented and will refer to a fixed timeframe. The plan sets out specific objectives, including how success will be measured, the timeframe and who is responsible for getting it done.
It’s important to keep the ISMS up to date, so changes to it need to be thought about and implemented carefully. Changes could be as a result of unexpected events such as a pandemic, or based on reasonable notice, for example with amended legislation or regulation.
Covering resources, competence, awareness, communication and documented information, this clause describes some of the background areas that need to be in place for the ISMS to function properly.
The standard simply requires that adequate resources are provided for the ISMS to function effectively. This is really a test of the level of management commitment as described earlier.
You will need a method of defining the competences needed, possibly by conducting a survey of the people involved in the implementation and running of the ISMS, collating the results and then reporting on those areas in which further training or knowledge needs to be gained. You will need to ensure that appropriate records of training are kept and are available for the auditor to view.
The required information security awareness programme may be delivered in various ways, including at specially arranged events or at regular team meetings, depending on the timescale required and the opportunities available. Note that the focus of this is awareness rather than detailed training and that anyone with a more involved role to play in the ISMS may need more in-depth training.
Specific procedures may be required relating to business-as-usual communication with internal and external parties about information security.
Documented information required by the standard must be controlled which basically means keeping it secure, managing changes to it and ensuring that those that need it have access to it.
Interestingly, this clause of the ISO27001 standard is very short and basically repeats what has been stated in other sections. This contrasts with other standards, such as ISO22301 (business continuity) and ISO 9001 (quality management), where most of the requirements are within the Operation clause.
However, there is a need to set out the processes of the ISMS and how they interact.
The performance evaluation clause of the standard is about how you determine whether the ISMS is doing what it is supposed to do.
The ISO27001 standard does not tell you what you should measure. It simply requires that you be precise about what it is you have decided to measure and that you do something about it if your measurements show problems. It’s a good idea to create a documented procedure for the collection and reporting of each measurement because if it is done differently each time then the results will not be helpful.
Having chosen your measurements, you need to decide what “good” looks like: what numerical values would mean that performance is in line with expectations? Again, the definition of your objectives may need tweaking over time as you gain experience with taking the measurements and your ISMS moves from implementation mode into ongoing operation mode.
The standard requires that there is an internal auditing programme in place which audits all aspects of the ISMS within a reasonable period. If you embrace the idea of internal auditing as a useful early warning of any issues at external audit, then you won’t go far wrong. Internal audits should ensure that there are no surprises during the annual certification/surveillance audit, which should allow everyone a higher degree of confidence in the ISMS.
Management review is another key part of the ISMS which, if you get it right, will hold together everything else and make audits (internal and external) a relatively straightforward experience. The ISO27001 standard is specific about what these reviews should cover, but it is less forthcoming about how often they should take place. This is one of those areas where you will need to try it and see what works for your organization: too often and it becomes an unacceptable administrative overhead; too infrequent and you risk losing control of your ISMS. In all cases, every management review must be minuted and the resulting actions tracked through to completion.
Continual improvement used to get a lot more attention in previous versions of this and similar standards, but the requirements have now become considerably watered down, with only a general commitment needed to show conformity.
Despite the clause heading of “Improvement”, this section of the standard talks mostly about nonconformities and corrective actions. The ISO definition of a nonconformity is the rather general “non-fulfilment of a requirement” and since a requirement can be pretty much anything, it is best to bring any actions, requests, ideas etc. together in a single place and manage them from there.
The reference controls within Annex A of the ISO/IEC 27001 standard form a significant part of the overall document and of the implementation effort involved. But it’s easy to make the mistake of assuming that, because these controls are listed in the standard, they must be implemented to become certified. This is not necessarily the case.
The 93 controls within Annex A are effectively a menu to be chosen from when creating your risk treatment plan. Some of them may not be required because they address a risk you don’t have. Similarly, you may decide to address a risk using a different control from the one suggested in Annex A; this is acceptable. However, it may also be the case that you need to introduce more controls than those in Annex A if your level of risk in a certain area is high.
The key is to adopt a considered, sensible approach based on what your risk assessment is telling you. If you feel you can justify your actions to an auditor, then varying the controls from those in Annex A is not a barrier to certification.
Having said this, the controls within Annex A are very sensible measures which, taken together, allow many different areas of risk to be addressed in a comprehensive way, so think hard before you decide to do anything different; your default position should be that you will implement the Annex A control.
The controls are grouped into four fairly uneven categories:
The controls are described in more detail in a guidance document called ISO27002.
As we mentioned before, this is a required document that simply lists the Annex A controls and states whether each of them is applicable or not and, if they are, whether they have been implemented.
In terms of documentation, there are actually very few “mandatory” items that are mentioned by name in the standard, the Statement of Applicability being one of them. But it may be useful to list those aspects that must be covered somewhere within your documented information (as the standard calls it). These are:
Note that it is often helpful to document more than this, to make sure that things happen in a consistent way. Many of the Annex A controls will also benefit from documentation of some form, such as policies and procedures.
We’ve been through a summary of the ISO 27001 requirements for an ISMS, and as you can see, there is a lot to do. However, often what is required is the formalisation of existing processes rather than putting in place completely new ones, so you may well be meeting many of the requirements already. For the others, this is why we created the CertiKit ISO27001 Toolkit – to get you from where you are now to certified as quickly and painlessly as possible.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
CertiKit are a provider of ISO toolkits, consultancy and internal auditing services, and have helped more than 4000 organizations worldwide with their compliance.
For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.