ISO/IEC 27001
ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements
(third edition)
Abstract
ISO/IEC 27001 “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. [ISO/IEC 27001] also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization ...”
[Source: ISO/IEC 27001:2022]
Introduction
ISO/IEC 27001:2022 (known colloquially as “ISO 27001”, “ISO27001”, “27001” or “two seven double-oh one”) formally specifies the requirements for an Information Security Management System (ISMS): a governance arrangement comprising a structured suite of organised activities with which to manage risks relating to the confidentiality, integrity and availability of information (called ‘information security risks’ in the standard).
According to the ISO directives part 1 annex SL, a management system is “a set of interrelated or interacting elements of an organisation to establish policies and objectives, as well as processes to achieve those objectives. A management system can address a single discipline or several disciplines. The management system elements include the organisation’s structure, roles and responsibilities, planning and operation”.
An ISMS is therefore a set of interrelated or interacting elements of an organisation to establish policies and objectives relating to the security of information, as well as processes to achieve those objectives.
An ISMS is an overarching framework through which management identifies, evaluates and treats (addresses) the organisation’s information risks. The ISMS ensures that the security arrangements are appropriately designed and fine-tuned to keep pace with changes to the threats, vulnerabilities and business impacts. Adaptation matters in such a dynamic field, and it is a key advantage of ISO27k’s flexible, risk-driven approach over more prescriptive and rigid approaches such as PCI DSS, which fix the control set in advance regardless of the organisation’s own risk picture.
Flexibility allows the standard to apply to all types of organisations (e.g. commercial enterprises, government agencies, non-profits, clubs) of all sizes (from micro-businesses to sprawling multinationals) in all industries (e.g. retail, banking, defence, healthcare, education and government), worldwide. Given such a huge brief, the standard is necessarily generic, specifying the bare minimum.
ISO/IEC 27001 does not formally demand specific information security controls, since the controls that are required vary markedly across the wide range of organisations adopting the standard. The information security controls from ISO/IEC 27002:2022 are summarised in Annex A to ISO/IEC 27001, rather like a menu. Organisations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information risks, perhaps but not necessarily drawing on those listed in the menu, and potentially supplementing or replacing them with other à la carte options (extended or custom control sets). Whatever is chosen, clause 6.1.3 requires the selected controls to be compared against Annex A to confirm nothing necessary has been overlooked, and the result to be recorded in a Statement of Applicability that lists the necessary controls, whether they are implemented, and the justification for including them and for excluding any Annex A controls. The key to selecting applicable controls is to undertake a comprehensive assessment of the organisation’s information risks, one vital and mandatory part of the ISMS.
Furthermore, management may elect to avoid, share or accept information risks rather than mitigate them through information security controls: that is a risk treatment decision within the specified risk management process. Governance arrangements and management controls are also needed to direct, control and oversee the ISMS itself; the standard gives fairly rudimentary and circumspect guidance in these areas.
Scope
The standard applies to any organisation that needs to protect and legitimately exploit information, systematically.
The information can include:
Business information belonging to the organisation itself, such as financial, HR and operating info, trade secrets, intellectual property such as trademarks, patents and brands, plus workers' knowledge and experience;
Business information belonging to third parties, such as commercial software and content licensed or given to the organisation for custodianship, plus public or community-owned information; and
Personal information belonging to individuals such as workers or supplier and customer contacts.
Structure
Introduction - the standard describes a process for systematically managing information risks.
Scope - it specifies generic ISMS requirements suitable for organisations of any type, size or nature, in any location.
Normative references - only ISO/IEC 27000 is considered absolutely essential reading for users of ’27001.
Terms and definitions - see ISO/IEC 27000.
Context of the organisation - understanding the organisational/business context, the needs and expectations of ‘interested parties’ and defining the scope of the ISMS. Section 4.4 starkly states that “The organisation shall establish, implement, maintain and continually improve” the ISMS, meaning that it must be operational, not merely designed and documented.
Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
Planning - outlines the process to identify, analyse and plan to treat information risks, to clarify the objectives of information security, and to manage ISMS changes.
Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
Operation - more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they may be audited by certification auditors: certification is optional).
Performance evaluation - monitor, measure, analyse and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.
Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), systematically refining the ISMS.
Annex A Information security controls reference - names the controls documented in ISO/IEC 27002:2022. The annex is ‘normative’, meaning that certified organisations are expected to use it to check their ISMS for completeness (the comparison required by clause 6.1.3), but that does not mean they are required to implement the controls: given their particular information risks, they may prefer other controls or risk treatments, provided the exclusions are justified in the Statement of Applicability. Refer to ISO/IEC 27002 for lots more detail on the security controls, including useful implementation guidance, and ISO/IEC 27005 to understand information risk management.
Bibliography - points readers to related standards, plus part 1 of the ISO/IEC directives, for more information. In addition, ISO/IEC 27000 is identified in the body of the standard as a normative (i.e. essential) standard and there are several references to ISO 31000 on risk management.
Status
The first edition, based on BS 7799 Part 2 (1999), was published in 2005.
The second edition, completely revised with substantial changes to align with other ISO management systems standards, was published in 2013, followed by two corrigenda.
The third edition, published in 2022, has some wording changes to the main-body clauses to reflect the revised ISO directives part 1 annex SL common structure/boilerplate for all the ISO management systems standards, plus a completely restructured and revised Annex A reflecting ISO/IEC 27002:2022.
According to the International Accreditation Forum’s Mandatory Document 26, all ISO/IEC 27001 accreditation bodies and certified organisations should have adopted or migrated to the third edition by 31 October 2025.
An amendment to ISO/IEC 27001:2022 was published in February 2024, formally clarifying that, in clauses 4.1 and 4.2, the ‘relevance of climate change should be considered’ - a timely reminder to think broadly when considering the context and purpose of the ISMS. SC 27 may yet expand on that through another ISO27k standard. [Meanwhile, take a look at "Secure the planet" for clues about links between information security and climate change.]
Commentary
Although ISO/IEC 27001 does not use the word ‘governance’, a ‘management system’ combines a governance structure with a number of management controls to ensure that management’s strategic intent is put into effect, becoming an integral part of the organisation. In the case of an ISMS, the system enables management to direct, oversee, control and gain assurance over information risk, security, privacy and related areas. Other ISO management systems standards based on the same ISO boilerplate text presumably avoid the word ‘governance’ as well. This could be considered a systematic flaw in ISO’s management systems approach. However, companion standards such as ISO/IEC 27014 provide guidance in that area.
Planning for updates to any certification standard is tricky because the accreditation and certification bodies need time to plan and enact their transition arrangements. ISO deliberately and pointedly steers clear of accreditation and certification, so in theory this should not matter to the standard itself. In practice it does, which makes for a delicate and ambiguous relationship between standards and certification.
An ISMS documented almost entirely in the form of thought-provoking diagrams, mindmaps or motivational videos rather than the usual boring, wordy, static documents would be novel, radical, creative, perhaps even brilliant. If only I had the clients willing to give it a go ...
