ISO/IEC 27001:2022
Information Security Management Systems — Requirements
Current Version: ISO/IEC 27001:2022 (Third Edition)
Published: October 25, 2022
Pages: 19 pages
Jointly Published By: ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission)
Overview
ISO/IEC 27001 is the world's leading standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company and customer information based on periodic risk assessments in line with evolving security threats.
Purpose and Scope
Purpose
Establish, implement, maintain, and continually improve an Information Security Management System that:
- Preserves confidentiality, integrity, and availability of information
- Manages information security risks through risk assessment and treatment
- Provides confidence to interested parties that risks are adequately managed
Scope
Applies to organizations of any size, any industry, in any country. The standard is generic and intended to be applicable to all organizations regardless of type, size, or nature.
Structure: Clauses 4-10 (Mandatory ISMS Requirements)
Clause 4: Context of the Organization
Understand organization, interested parties, and ISMS scope
Clause 5: Leadership
Top management must demonstrate leadership of and commitment to the ISMS
Clause 6: Planning
Risk assessment, risk treatment, and information security objectives
Clause 7: Support
Resources, competence, awareness, communication, documented information
Clause 8: Operation
Operational planning, risk assessment, risk treatment implementation
Clause 9: Performance Evaluation
Monitor, measure, analyze, evaluate, internal audit, management review
Clause 10: Improvement
Nonconformity, corrective action, continual improvement
Annex A: 93 Information Security Controls
Major Change in 2022 Version: Reduced from 114 controls (14 categories) to 93 controls (4 themes)
Four Control Themes
1. Organizational Controls (37 controls)
- Policies, roles, asset management, access control policies
- Information security roles and responsibilities
- Segregation of duties
- Management responsibilities
- Contact with authorities and special interest groups
2. People Controls (8 controls)
- Screening, terms and conditions of employment
- Information security awareness, education, and training
- Disciplinary process
- Responsibilities after termination or change of employment
3. Physical Controls (14 controls)
- Physical security perimeters, physical entry
- Securing offices, rooms, and facilities
- Equipment security, disposal, and removal
- Clear desk and clear screen policy
- Storage media, media handling
4. Technological Controls (34 controls)
- User access management, privileged access rights
- Information access restriction
- Authentication, secure system configuration
- Deletion of information
- Data masking, data leakage prevention
- Backup, redundancy, logging
- Monitoring, clock synchronization
- Software installation, network security
- Transfer of information, messaging
- Web filtering, secure coding
- Development, test, and production environments
- Vulnerability management, use of cryptography
11 New Controls in 2022 Version
- Threat intelligence - Stay informed about information security threats
- Information security for use of cloud services - Processes for acquisition, use, management of cloud services
- ICT readiness for business continuity - Plan and prepare ICT systems for business continuity
- Physical security monitoring - Monitor premises continuously for unauthorized physical access
- Configuration management - Security configurations for hardware, software, services, networks
- Information deletion - Delete information stored in systems, devices, or other storage media when no longer required
- Data masking - Limit exposure of sensitive data according to applicable legislation
- Data leakage prevention - Detect and prevent unauthorized disclosure and extraction of information
- Monitoring activities - Networks, systems, and applications monitored for anomalous behavior
- Web filtering - Manage access to external websites to reduce exposure to malicious content
- Secure coding - Apply secure coding principles in software development
Risk-Based Approach
ISO 27001 requires:
- Risk Assessment: Identify information security risks to the organization's information and information processing facilities
- Risk Treatment: Select and implement appropriate controls from Annex A (or other sources)
- Risk Acceptance: Document residual risks and obtain risk owner acceptance
- Continuous Monitoring: Regularly assess and treat risks as they evolve
Organizations can:
- Implement all 93 Annex A controls, OR
- Justify why certain controls are not applicable in the Statement of Applicability (SoA)
Certification Process
Three-Year Certification Cycle
Year 1: Initial Certification Audit
- Stage 1: Documentation review and readiness assessment
- Stage 2: On-site audit of ISMS implementation and effectiveness
- Certification decision
Years 2-3: Surveillance Audits
- Annual surveillance audits (lighter than initial audit)
- Verify ISMS continues to meet requirements
- Review changes, improvements, nonconformities
Year 3: Recertification Audit
- Full re-assessment of entire ISMS
- Occurs before current certificate expires
- New 3-year cycle begins
Certification Body Requirements
- Must be accredited by a national accreditation body
  - US: ANAB (ANSI National Accreditation Board)
- Certification bodies audited against ISO/IEC 17021
- Only accredited bodies can issue ISO 27001 certificates
Transition from ISO 27001:2013 to 2022
Transition Deadline: October 31, 2025
- Organizations certified to 2013 version must transition to 2022 version
- Certificate conversions must occur during regular surveillance or recertification audits
- After deadline, 2013 certificates become invalid
Key Changes:
- Control structure reorganized (14 categories → 4 themes)
- Control count reduced (114 → 93 controls)
- 11 new controls added for modern threats
- 24 controls merged from multiple controls
- Control language modernized and clarified
Massachusetts Compliance Considerations
Alignment with MA 201 CMR 17.00
ISO 27001 implementation exceeds Massachusetts data security requirements:
- 201 CMR 17.00 requires written information security program (WISP)
- ISO 27001 ISMS satisfies and surpasses WISP requirements
- ISO 27001 certification demonstrates robust compliance with MA law
Applicable MA Industries
- Healthcare: Aligns with HIPAA Security Rule requirements
- Financial Services: Supports GLBA compliance
- Technology/SaaS: Demonstrates security to enterprise clients
- Professional Services: Legal, accounting, consulting firms handling client data
- State/Local Government: Agencies managing sensitive information
Benefits for MA Organizations
- Demonstrate compliance with state and federal regulations
- Competitive advantage when bidding for contracts
- Reduced cyber insurance premiums
- Enhanced reputation with clients and partners
Company Size Applicability
No minimum size requirements:
- Designed for organizations of all sizes
- Small businesses can implement a scaled-down version
- Large enterprises implement comprehensive ISMS
- Scalable based on organizational context and risk
Implementation Costs and Timeline
Small Organizations (< 50 employees):
- Costs: $12,000-$50,000 over 3 years
- Implementation: 6-12 months
- Includes consulting, internal resources, certification audit fees
Medium Organizations (50-500 employees):
- Costs: $50,000-$150,000 over 3 years
- Implementation: 9-18 months
- More complex scope, multiple locations
Large Organizations (500+ employees):
- Costs: $100,000-$300,000+ over 3 years
- Implementation: 12-24 months
- Global operations, extensive IT infrastructure
Mandatory vs Voluntary
Voluntary Standard:
- Not mandated by law (unlike HIPAA, GDPR)
- Organizations voluntarily pursue certification
- Business drivers include:
  - Client contractual requirements
  - Competitive differentiation
  - Risk management
  - Regulatory compliance support
Increasing Business Necessity:
- Enterprise clients increasingly require ISO 27001 certification
- Government contracts may specify ISO 27001
- Cyber insurance may offer premium reductions
- Supply chain security requirements
Relationship to Other Frameworks
NIST Frameworks
- 80% control overlap with NIST SP 800-53
- Official mapping to NIST Cybersecurity Framework
- Complements NIST 800-171 for federal contractors
SOC 2
- Approximately 80% control overlap with SOC 2 Trust Services Criteria
- ISO 27001 certification supports SOC 2 preparation
- Different purposes: ISO 27001 (management system) vs SOC 2 (point-in-time audit)
HIPAA
- ISO 27001 Annex A controls map to HIPAA Security Rule requirements
- Certification demonstrates security maturity for covered entities
- Supports HIPAA compliance but doesn't replace it
GDPR
- Article 32 references ISO 27001 as example of appropriate security measures
- Certification helps demonstrate GDPR compliance
- Privacy controls align with GDPR requirements
PCI DSS
- Both address information security controls
- ISO 27001 has a broader scope than payment card data
- Can be complementary for organizations handling payments
Annual Requirements
- Internal Audits: At least annually (Clause 9.2)
- Management Review: At least annually (Clause 9.3)
- Surveillance Audits: Annual audit by certification body (Years 2-3)
- Risk Assessments: Regularly review and update
- ISMS Updates: Continuous monitoring and improvement
Enforcement and Penalties
No regulatory enforcement or penalties:
- Voluntary standard - no legal penalties for non-certification
- Certification bodies can suspend or withdraw certificates for non-compliance
- Market consequences:
  - Loss of competitive advantage
  - Contract ineligibility
  - Client trust erosion
  - Insurance implications
Certificate Suspension/Withdrawal (grounds):
- Nonconformities not corrected within required timeframe
- Failure to maintain ISMS effectiveness
- Refusal of surveillance audit access
- Misuse of certification mark
Key Benefits
- Risk Management: Systematic approach to information security risks
- Competitive Advantage: Demonstrates security maturity to clients
- Regulatory Compliance: Supports HIPAA, GDPR, 201 CMR 17.00, etc.
- Cost Savings: Reduced breach risk, potential insurance discounts
- Customer Confidence: Independent third-party verification
- Continuous Improvement: Culture of security and improvement
- Global Recognition: Accepted worldwide as gold standard
Official Resources
- ISO Website: https://www.iso.org/standard/27001
- ISO/IEC 27001:2022 Standard: Purchase from ISO or national standards bodies
- ANAB (US Accreditation): https://anab.qualtraxcloud.com/
- IAF CertSearch: https://www.iaf.nu/certsearch/ (verify certificates)
Implementation Best Practices
- Secure Leadership Support: Essential for resources and organizational buy-in
- Define Clear Scope: Start small, expand gradually
- Conduct Thorough Risk Assessment: Foundation of entire ISMS
- Document Everything: Policies, procedures, records
- Engage Employees: Security awareness training for all staff
- Choose Accredited Certification Body: Verify ANAB accreditation
- Plan for Continuous Improvement: ISMS is never "done"
- Monitor Compliance: Regular internal audits and reviews
Summary for Framework Documentation
- International standard published October 25, 2022
- 93 Annex A controls across 4 themes (Organizational, People, Physical, Technological)
- 3-year certification cycle with annual surveillance audits
- Transition deadline: October 31, 2025 from 2013 version
- Risk-based approach: Tailor controls to organizational risk
- Voluntary but increasingly necessary for business competitiveness
- Aligns with MA 201 CMR 17.00 and exceeds requirements
- Globally recognized as gold standard for information security
- Scalable: Applicable to organizations of all sizes
- Certification required: By accredited certification body (ANAB in US)