ISO/IEC 27001:2022 Requirements for an Information Security Management System
What are the requirements of ISO 27001:2022?
ISO 27001:2022 requirements for an information security management system (ISMS) are addressed in the standard. There are 10 sections (clauses) in ISO 27001; however, only clauses 4-10 contain requirements your organization must implement to pass the audit. Below we break down the entire standard and each requirement your organization must implement in order to become certified to ISO 27001:2022.
Clauses 0-3 are not requirements your organization must meet; rather, they provide an introduction, explanations, references and definitions.
Clause 0: Introduction
This section introduces the purpose, principles and key concepts of the standard, including risk-based thinking and the process approach.
Clause 1: Scope
This section defines the scope of the ISO 27001:2022 standard. In summary, the scope includes specifying requirements for an ISMS of any organization.
Clause 2: Normative References
The supporting standard referenced in ISO 27001:2022, and indispensable for its application, is ISO/IEC 27000:2018, which covers terminology and fundamentals. This and other supporting standards make up the 27000 series.
Clause 3: Terms and Definitions
Terminology used throughout this standard comes directly from ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary.
Below is a summary of the main clauses (4-10) of the ISO 27001:2022 standard.
Clause 4: Context of the Organization
When you are implementing your ISMS, the first step under the ISO/IEC 27001 requirements is to align your business objectives and intent with the ISMS. Throughout this step it is imperative to determine the external and internal issues, and the needs and expectations of interested parties.
4.1 – Understanding the Organization and its Context
4.2 – Understanding the Needs and Expectations of Interested Parties
4.3 – Determining the Scope of the Information Security Management System
4.4 – Information Security Management System
Clause 5: Leadership
Clause 5 of the ISO 27001:2022 requirements addresses leadership responsibility. Top management must demonstrate leadership and commitment, establish and communicate an ISMS, and ensure responsibilities and authorities are assigned, communicated and understood. Companies need to provide both the resources and the supporting personnel necessary for ISO 27001.
5.1 – Leadership & Commitment
5.2 – Information Security Policy
5.3 – Organizational Roles, Responsibilities & Authorities
Clause 6: Planning
Clause 6 of the ISO 27001 requirements addresses planning, specifically the planning of actions to address risks, opportunities and objectives. To understand risk management in the context of ISO 27001, see the following requirements:
6.1 – Actions to Address Risks and Opportunities
6.1.1 – General
6.1.2 – Information security risk assessment
6.1.3 – Information security risk treatment
6.2 – Information Security Objectives & Planning to Achieve them
Clause 7: Support
Clause 7 of the ISO 27001:2022 requirements covers the support needed for the ISMS. Resources, competence of employees, awareness, communication and documented information are the key resources needed to support the ISMS, and each has its own dedicated subclause to ensure it is addressed.
7.1 – Resources
7.2 – Competence
7.3 – Awareness
7.4 – Communication
7.5 – Documented Information
7.5.1 – General
7.5.2 – Creating and updating
7.5.3 – Control of documented information
Clause 8: Operation
Clause 8 covers the operations necessary to support ISMS processes. These processes must be implemented and maintained to deliver information security. Each process must be planned, implemented and controlled to meet the requirements of ISO 27001:2022.
8.1 – Operational Planning & Control
8.2 – Information Security Risk Assessment
8.3 – Information Security Risk Treatment
Clause 9: Performance Evaluation
Clause 9 of ISO 27001:2022 requires your organization to monitor, measure, analyze and evaluate your ISMS.
9.1 – Monitoring, Measurement, Analysis and Evaluation
9.2 – Internal Audit
9.2.1 – General
9.2.2 – Internal audit programme
9.3 – Management Review
9.3.1 – General
9.3.2 – Management review inputs
9.3.3 – Management review results
Clause 10: Improvement
ISO 27001:2022 requirements for clause 10 are based on continual improvement. Improvement follows up on the evaluation and addresses any nonconformities. When working to improve your ISMS, a continual improvement process should be implemented: Plan-Do-Check-Act (PDCA). Although PDCA is no longer mandatory, it is still the recommended cycle for improvements.
10.1 – Continual Improvement
10.2 – Nonconformity and Corrective Action