
ISO/IEC 27001:2022 Reference

Complete clause reference, all 93 Annex A controls across 4 domains, and an AI assistant that answers your compliance questions instantly.

ISO/IEC 27001:2022 · Published Oct 2022 · 93 Controls · 4 Themes
Standards Currency Status
Verified Jun 11, 2026

ISMS Normative Clauses (4–10)
Cl. 4 Context of the Organization
4 sub-clauses

Understand the organization's context — internal and external issues, interested parties, scope of the ISMS, and information security management system requirements. Defines what the ISMS must cover and why.

4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the ISMS
4.4 Information security management system
Cl. 5 Leadership
3 sub-clauses

Top management must demonstrate leadership and commitment to the ISMS, establish the information security policy, and assign roles and responsibilities. Leadership is a critical success factor for certification.

5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
Cl. 6 Planning
3 sub-clauses

Address risks and opportunities through an information security risk assessment and risk treatment process. Establish information security objectives and plan how to achieve them. The Statement of Applicability (SoA) is produced here.

6.1 Actions to address risks and opportunities (incl. risk assessment & treatment)
6.2 Information security objectives and planning to achieve them
6.3 Planning of changes
Cl. 7 Support
5 sub-clauses

Provide the resources, competence, awareness, communication, and documented information needed to establish, implement, maintain, and continually improve the ISMS.

7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
Cl. 8 Operation
3 sub-clauses

Plan, implement, and control the processes needed to meet ISMS requirements. Conduct information security risk assessments regularly and implement the selected risk treatment plan.

8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
Cl. 9 Performance Evaluation
3 sub-clauses

Monitor, measure, analyse, and evaluate ISMS performance. Conduct internal audits on a planned schedule and hold management reviews to ensure the ISMS remains suitable, adequate, and effective.

9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
Cl. 10 Improvement
2 sub-clauses

Respond to nonconformities and take corrective actions. Continually improve the suitability, adequacy, and effectiveness of the ISMS.

10.1 Continual improvement
10.2 Nonconformity and corrective action
Annex A — Information Security Controls
A.5 Organizational Controls
37 controls
A.5.1 Policies for information security
Information security policies and topic-specific policies are defined, approved by management, published, communicated to all relevant personnel, and reviewed at planned intervals.
Preventive
A.5.2 Information security roles and responsibilities
All information security responsibilities are defined and allocated in accordance with the ISMS requirements.
Preventive
A.5.3 Segregation of duties
Conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of assets.
Preventive
A.5.4 Management responsibilities
Management requires all personnel to apply information security in accordance with the established policies, topic-specific policies, and procedures.
Preventive
A.5.5 Contact with authorities
Appropriate contacts with relevant authorities are established and maintained.
Preventive
A.5.6 Contact with special interest groups
Appropriate contacts with special interest groups or security forums and professional associations are established and maintained.
Preventive
A.5.7 Threat intelligence
Information relating to information security threats is collected and analyzed to produce threat intelligence.
Detective
A.5.8 Information security in project management
Information security is integrated into project management, regardless of the type of project.
Preventive
A.5.9 Inventory of information and other associated assets
An inventory of information and associated assets, including owners, is developed and maintained.
Preventive
A.5.10 Acceptable use of information and other associated assets
Rules for acceptable use and procedures for handling information and other assets are identified, documented, and implemented.
Preventive
A.5.11 Return of assets
Personnel and third parties return all organizational assets in their possession when leaving or changing roles.
Preventive
A.5.12 Classification of information
Information is classified according to the security needs of the organization based on confidentiality, integrity, availability, and relevant interested party requirements.
Preventive
A.5.13 Labelling of information
An appropriate set of procedures for information labelling is developed and implemented in accordance with the information classification scheme.
Preventive
A.5.14 Information transfer
Information transfer rules, procedures, or agreements are in place for transfers within the organization and between the organization and third parties.
Preventive
A.5.15 Access control
Rules to control physical and logical access to information and assets are established and implemented based on business and information security requirements.
Preventive
A.5.16 Identity management
The full life cycle of identities is managed, including provisioning, maintaining, and deprovisioning digital identities.
Preventive
A.5.17 Authentication information
Allocation and management of authentication information is controlled by a management process, including advising personnel on appropriate handling.
Preventive
A.5.18 Access rights
Access rights to information and other associated assets are provisioned, reviewed, modified, and removed in accordance with the topic-specific access control policy.
Preventive
A.5.19 Information security in supplier relationships
Processes and procedures are defined and implemented to manage the information security risks associated with the use of supplier products and services.
Preventive
A.5.20 Addressing information security within supplier agreements
Relevant information security requirements are established and agreed with each supplier based on the type of supplier relationship.
Preventive
A.5.21 Managing information security in the ICT supply chain
Processes and procedures are defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
Preventive
A.5.22 Monitoring, review and change management of supplier services
The organization regularly monitors, reviews, evaluates and manages change in supplier information security practices and service delivery.
Detective
A.5.23 Information security for use of cloud services
Processes for acquisition, use, management, and exit of cloud services are established in accordance with the organization's information security requirements.
Preventive
A.5.24 Information security incident management planning and preparation
The organization plans and prepares for managing information security incidents by defining, establishing, and communicating incident management processes, roles, and responsibilities.
Preventive
A.5.25 Assessment and decision on information security events
The organization assesses information security events and decides if they are to be categorized as information security incidents.
Detective
A.5.26 Response to information security incidents
Information security incidents are responded to in accordance with the documented procedures.
Corrective
A.5.27 Learning from information security incidents
Knowledge gained from information security incidents is used to strengthen and improve the information security controls.
Preventive
A.5.28 Collection of evidence
The organization establishes and implements procedures for the identification, collection, acquisition, and preservation of evidence related to information security events.
Preventive
A.5.29 Information security during disruption
The organization plans how to maintain information security at an appropriate level during disruption.
Preventive
A.5.30 ICT readiness for business continuity
ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.
Preventive
A.5.31 Legal, statutory, regulatory and contractual requirements
Legal, statutory, regulatory and contractual requirements relevant to information security and the approach to meet these requirements are identified, documented, and kept up to date.
Preventive
A.5.32 Intellectual property rights
The organization implements appropriate procedures to protect intellectual property rights.
Preventive
A.5.33 Protection of records
Records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release.
Preventive
A.5.34 Privacy and protection of PII
The organization identifies and meets the requirements regarding the preservation of privacy and protection of personally identifiable information (PII) as applicable.
Preventive
A.5.35 Independent review of information security
The organization's approach to managing information security and its implementation, including people, processes, and technologies, is reviewed independently at planned intervals or when significant changes occur.
Detective
A.5.36 Compliance with policies, rules and standards for information security
Compliance with the organization's information security policy, topic-specific policies, rules, and standards is regularly reviewed.
Detective
A.5.37 Documented operating procedures
Operating procedures for information processing facilities are documented and made available to personnel who need them.
Preventive
A.6 People Controls
8 controls
A.6.1 Screening
Background verification checks on all candidates for employment are carried out prior to joining, in accordance with applicable laws, regulations, and ethics and proportional to the business requirements, information classification, and perceived risks.
Preventive
A.6.2 Terms and conditions of employment
Employment contractual agreements state the personnel's and the organization's responsibilities for information security.
Preventive
A.6.3 Information security awareness, education and training
Personnel of the organization and relevant interested parties receive appropriate information security awareness, education, and training and regular updates of the organization's information security policy.
Preventive
A.6.4 Disciplinary process
A disciplinary process is formalized and communicated to take actions against personnel and other interested parties who have committed an information security policy violation.
Corrective
A.6.5 Responsibilities after termination or change of employment
Information security responsibilities and duties that remain valid after termination or change of employment are defined, enforced, and communicated to relevant personnel and interested parties.
Preventive
A.6.6 Confidentiality or non-disclosure agreements
Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information are identified, documented, regularly reviewed, and signed by personnel and other relevant interested parties.
Preventive
A.6.7 Remote working
Security measures are implemented when personnel are working remotely to protect information accessed, processed, or stored outside the organization's premises.
Preventive
A.6.8 Information security event reporting
The organization provides a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
Detective
A.7 Physical Controls
14 controls
A.7.1 Physical security perimeters
Security perimeters are defined and used to protect areas that contain information and other associated assets.
Preventive
A.7.2 Physical entry
Secure areas are protected by appropriate entry controls and access points to ensure only authorized personnel are allowed access.
Preventive
A.7.3 Securing offices, rooms and facilities
Physical security for offices, rooms, and facilities is designed and implemented.
Preventive
A.7.4 Physical security monitoring
Premises are continuously monitored for unauthorized physical access.
Detective
A.7.5 Protecting against physical and environmental threats
Protection against physical and environmental threats, such as natural disasters, malicious attacks, or accidents, is designed and implemented.
Preventive
A.7.6 Working in secure areas
Security measures for working in secure areas are designed and implemented.
Preventive
A.7.7 Clear desk and clear screen
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities are defined and appropriately enforced.
Preventive
A.7.8 Equipment siting and protection
Equipment is sited securely and protected to reduce the risks from physical and environmental threats and from unauthorized access and to safeguard associated utilities, cabling infrastructure, and other items.
Preventive
A.7.9 Security of assets off-premises
Off-site assets are protected, taking into account the different risks of working outside the organization's premises.
Preventive
A.7.10 Storage media
Storage media are managed through their life cycle of acquisition, use, transportation, and disposal in accordance with the organization's classification scheme and handling requirements.
Preventive
A.7.11 Supporting utilities
Information processing facilities are protected from power failures and other disruptions caused by failures in supporting utilities.
Preventive
A.7.12 Cabling security
Cables carrying power, data, or supporting information services are protected from interception, interference, or damage.
Preventive
A.7.13 Equipment maintenance
Equipment is maintained correctly to ensure availability, integrity, and confidentiality of information.
Preventive
A.7.14 Secure disposal or re-use of equipment
Items of equipment containing storage media are verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.
Preventive
A.8 Technological Controls
34 controls
A.8.1 User end point devices
Information stored on, processed by, or accessible via user end point devices is protected.
Preventive
A.8.2 Privileged access rights
The allocation and use of privileged access rights is restricted and managed.
Preventive
A.8.3 Information access restriction
Access to information and other associated assets is restricted in accordance with the established topic-specific access control policy.
Preventive
A.8.4 Access to source code
Read and write access to source code, development tools, and software libraries is appropriately managed.
Preventive
A.8.5 Secure authentication
Secure authentication technologies and procedures are implemented based on information access restrictions and the topic-specific policy on access control.
Preventive
A.8.6 Capacity management
The use of resources is monitored and adjusted in line with current and expected capacity requirements.
Preventive
A.8.7 Protection against malware
Protection against malware is implemented and supported by appropriate user awareness.
Preventive
A.8.8 Management of technical vulnerabilities
Information about technical vulnerabilities of information systems in use is obtained in a timely fashion, the organization's exposure to such vulnerabilities is evaluated, and appropriate measures are taken.
Corrective
A.8.9 Configuration management
Configurations, including security configurations, of hardware, software, services, and networks are established, documented, implemented, monitored, and reviewed.
Preventive
A.8.10 Information deletion
Information stored in information systems, devices, or in any other storage media is deleted when no longer required.
Preventive
A.8.11 Data masking
Data masking is used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, considering applicable legislation.
Preventive
A.8.12 Data leakage prevention
Data leakage prevention measures are applied to systems, networks, and any other devices that process, store, or transmit sensitive information.
Detective
A.8.13 Information backup
Backup copies of information, software, and systems are maintained and regularly tested in accordance with the agreed topic-specific backup policy.
Corrective
A.8.14 Redundancy of information processing facilities
Information processing facilities are implemented with sufficient redundancy to meet availability requirements.
Preventive
A.8.15 Logging
Logs that record activities, exceptions, faults, and other relevant events are produced, stored, protected, and analyzed.
Detective
A.8.16 Monitoring activities
Networks, systems, and applications are monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
Detective
A.8.17 Clock synchronization
The clocks of information processing systems used by the organization are synchronized to approved time sources.
Preventive
A.8.18 Use of privileged utility programs
The use of utility programs that might be capable of overriding system and application controls is restricted and tightly controlled.
Preventive
A.8.19 Installation of software on operational systems
Procedures and measures are implemented to securely manage software installation on operational systems.
Preventive
A.8.20 Networks security
Networks and network devices are secured, managed, and controlled to protect information in systems and applications.
Preventive
A.8.21 Security of network services
Security mechanisms, service levels, and service requirements of network services are identified, implemented, and monitored.
Preventive
A.8.22 Segregation of networks
Groups of information services, users, and information systems are segregated in the organization's networks.
Preventive
A.8.23 Web filtering
Access to external websites is managed to reduce exposure to malicious content.
Preventive
A.8.24 Use of cryptography
Rules for the effective use of cryptography, including cryptographic key management, are defined and implemented.
Preventive
A.8.25 Secure development life cycle
Rules for the secure development of software and systems are established and applied.
Preventive
A.8.26 Application security requirements
Information security requirements are identified, specified, and approved when developing or acquiring applications.
Preventive
A.8.27 Secure system architecture and engineering principles
Principles for engineering secure systems are established, documented, maintained, and applied to any information system development or acquisition activities.
Preventive
A.8.28 Secure coding
Secure coding principles are applied to software development.
Preventive
A.8.29 Security testing in development and acceptance
Security testing processes are defined and implemented in the development life cycle.
Preventive
A.8.30 Outsourced development
The organization supervises and monitors the activity related to outsourced system development.
Preventive
A.8.31 Separation of development, test and production environments
Development, testing, and production environments are separated and secured.
Preventive
A.8.32 Change management
Changes to information processing facilities and information systems are subject to change management procedures.
Preventive
A.8.33 Test information
Test information is appropriately selected, protected, and managed.
Preventive
A.8.34 Protection of information systems during audit testing
Audit tests and other assurance activities involving assessment of operational systems are planned and agreed between the tester and appropriate management.
Preventive
Disclaimer: This reference is provided for informational and educational purposes only. For official certification, consult your accredited certification body and the official ISO/IEC 27001:2022 standard document. Control descriptions are summaries — refer to the official standard for normative text.