ISO 27001
ISO/IEC 27001:2022
The international standard for information security management systems (ISMS). The 2022 revision reorganises Annex A into 93 controls across four themes: organizational, people, physical and technological.
Who it applies to
Any organization, of any size or sector, that wants to certify its information security management system. Certification is voluntary but is frequently required contractually by enterprise customers and partners.
A.5 Organizational
- A.5.1 Policies for information security
Define, approve, publish and review a set of information security policies.
- A.5.7 Threat intelligence
Collect and analyse information about information security threats to produce actionable intelligence.
- A.5.9 Inventory of information and other associated assets
Maintain an inventory of information and associated assets, including owners.
- A.5.15 Access control
Establish and implement rules to control physical and logical access to information based on business and security requirements.
A.8 Technological
- A.8.8 Management of technical vulnerabilities
Obtain information about technical vulnerabilities, evaluate exposure and take appropriate remediation measures.
- A.8.16 Monitoring activities
Monitor networks, systems and applications for anomalous behaviour and act on potential incidents.
- A.8.24 Use of cryptography
Define and implement rules for the effective use of cryptography, including key management.
- A.8.9 Configuration management
Establish, document, implement, monitor and review the configuration of hardware, software, services and networks.
- A.8.13 Information backup
Maintain and regularly test backup copies of information, software and systems in line with the backup policy.