ISO/IEC 27001:2022  Requirements for an Information Security Management System

What are the requirements of ISO 27001:2022?

ISO 27001:2022 requirements for an information security management system (ISMS) are addressed in the standard. There are 10 sections (clauses) in ISO 27001, however only sections 4-10 contain requirements your organization must implement to pass the audit. Below we will break down the entire standard and each requirement your organization must implement in order to become certified to ISO 27001:2022. 

Clauses 0-3 are not requirements that your organization must meet, rather an introduction, explanations, references and definitions. 

Clause 0: Introduction

This section introduces the purpose, principles and key concepts of the standard, including risk-based thinking and the process approach.  

Clause 1: Scope

This section defines the scope of the ISO 27001:2022  standard. In summary, the scope includes specifying requirements for an ISMS of any organization. 

Clause 2: Normative References

The supporting standard referenced in ISO 27001:2022, and that is indispensable for its application, is ISO 27000:2018 which covers terminology and fundamentals. This and other supporting standards make up the 27001 series.

Section 3: Terms and Definitions

Terminology used throughout this standard comes directly from ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

Now we will look at a summary of the main Clauses (4-10) of the 27001:2022 standard.  Click on each for more details.

Clause 4: Context of the Organization

When you are implementing your ISMS, the first step for ISO/IEC 27001 requirements is to align your business objectives and intent with the ISMS. Throughout this step it will be imperative to determine external and internal issues, and needs and expectations of interested parties. 

4.1 – Understanding the Organization and its Context
4.2 – Understanding the Needs and Expectations of Interested Parties
4.3 – Determining the Scope of the Information Security Management Systems
4.4 – Information Security Management Systems 

Learn More:

Clause 5: Leadership 

Section 5 of the ISO 27001:2022 requirements address leadership responsibility. Top management must demonstrate leadership and commitment, establish, and communicate an ISMS, and ensure responsibilities and authorities are assigned, communicated, and understood. Companies need to provide both resources and supporting persons necessary for ISO 27001. 

5.1 – Leadership & Commitment
5.2 – Information Security Policy
5.3 – Organizational Roles, Responsibilities & Authorities

Learn More:

Clause 6: Planning

Clause 6 of the ISO 27001 requirements addresses planning – specifically the planning of actions to address risks, opportunities and objectives. To understand risk management in context to ISO 27001, learn more about the requirements: 

6.1 – Actions to Address Risks and Opportunities
6.1.1 – General
6.1.2 – Information security risk assessment
6.1.3 – Information security risk treatment
6.2 – Information Security Objectives & Planning to Achieve them

Learn More:

Clause 7: Support

Clause 7 of the ISO 27001:2022 requirements covers the support needed for the ISMS. Resources, competence of employees, awareness, communication and documented information are the key resources needed to support the ISMS and each have their own subclause dedicated to ensure that they are being met. 

7.1 – Resources
7.2 – Competence
7.3 – Awareness
7.4 – Communication
7.5 – Documented Information
7.5.1 – General
7.5.2 – Creating and updating
7.5.3 – Control of documented information

Learn More:

Clause 8: Operation

Clause 8 covers the operations necessary to support ISMS processes. Processes are mandatory to implement and maintain information security. Each one of the processes must be planned, implemented and controlled to meet the requirements of ISO 27001:2022

8.1 – Operational Planning & Control
8.2 – Information Security Risk Assessment
8.3 – Information Security Risk Treatment

Learn More:

Clause 9: Performance Evaluation

Clause 9 of the ISMS requires your organization to monitor, measure, analyze and evaluate your ISMS. 

9.1 – Monitoring, Measurement, Analysis and Evaluation
9.2 – Internal Audit
9.2.1 – General
9.2.2 – Internal audit programme
9.3 – Management Review
9.3.1 – General
9.3.2 – Management review inputs
9.3.3 – Management review results

Learn More:

Clause 10: Improvement

ISO 27001:2022 requirements for clause 10 are based on continual improvement. Improvement follows up on the evaluation and addresses any nonconformities. When working to improve your ISMS, a continual improvement process should be implemented: Plan-Do-Check-Act (PDCA). Although PDCA is no longer mandatory, it is still the recommended cycle for improvements. 

10.1 – Continual Improvement
10.2 – Nonconformity and Corrective Action

Learn More:


Our All-in-One Certification Package is a proven, efficient system. It gives you all you need to prepare for certification – in one simple to use package.

Customer Review:

"I have just passed my Audit with zero non-conformances for the second year in a row using your ISO products to write my entire QMS. Thank you for producing documents of this quality"

Bettye Patrick

Buy the Standard

27001 Store Logo  ISO 27001:2022