Scribd
Upload
90 views26 pages

4.1 Standar International ISO IEC 27001-2022

This document is the International Standard ISO/IEC 27001 which provides requirements for an Information Security Management System (ISMS). The standard specifies the requirements to help organizations manage risks to security and establish, implement, maintain and continually improve an ISMS. It covers best practices for risks and controls across a number of security domains.

Uploaded by

Feri Andi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
90 views26 pages

4.1 Standar International ISO IEC 27001-2022

This document is the International Standard ISO/IEC 27001 which provides requirements for an Information Security Management System (ISMS). The standard specifies the requirements to help organizations manage risks to security and establish, implement, maintain and continually improve an ISMS. It covers best practices for risks and controls across a number of security domains.

Uploaded by

Feri Andi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

INTERNATIONAL ISO/IEC

STANDARD 27001

Third edition
2022-10

LY
ON
SE
Information security, cybersecurity
and privacy protection — Information
security management systems —

O
Requirements

RP
Sécurité de l'information, cybersécurité et protection de la vie
privée — Systèmes de management de la sécurité de l'information —
Exigences
PU
GN
NI
AI
TR
R
FO

Reference number
ISO/IEC 27001:2022(E)

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

© ISO/IEC 2022
ISO/IEC 27001:2022(E)

LY
ON
O SE
RP
PU
N G
NI
AI
TR
R

COPYRIGHT PROTECTED DOCUMENT


© ISO/IEC 2022
FO

ŽŽ”‹‰Š–•”‡•‡”˜‡†ǤŽ‡••‘–Š‡”™‹•‡•’‡ ‹ϐ‹‡†ǡ‘””‡“—‹”‡†‹–Š‡ ‘–‡š–‘ˆ‹–•‹’Ž‡‡–ƒ–‹‘ǡ‘’ƒ”–‘ˆ–Š‹•’—„Ž‹ ƒ–‹‘ƒ›


„‡”‡’”‘†— ‡†‘”—–‹Ž‹œ‡†‘–Š‡”™‹•‡‹ƒ›ˆ‘”‘”„›ƒ›‡ƒ•ǡ‡Ž‡ –”‘‹ ‘”‡ Šƒ‹ ƒŽǡ‹ Ž—†‹‰’Š‘–‘ ‘’›‹‰ǡ‘”’‘•–‹‰‘
–Š‡‹–‡”‡–‘”ƒ‹–”ƒ‡–ǡ™‹–Š‘—–’”‹‘”™”‹––‡’‡”‹••‹‘Ǥ‡”‹••‹‘ ƒ„‡”‡“—‡•–‡†ˆ”‘‡‹–Š‡” ƒ––Š‡ƒ††”‡••„‡Ž‘™
‘” ǯ•‡„‡”„‘†›‹–Š‡ ‘—–”›‘ˆ–Š‡”‡“—‡•–‡”Ǥ
 ‘’›”‹‰Š–‘ˆϐ‹ ‡
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

ͶͲͳȈŠǤ†‡Žƒ†‘‡–ͺ
 ǦͳʹͳͶ‡”‹‡”ǡ ‡‡˜ƒ
Š‘‡ǣΪͶͳʹʹ͹ͶͻͲͳͳͳ
ƒ‹Žǣ ‘’›”‹‰Š–̷‹•‘Ǥ‘”‰
Website: [Link]
—„Ž‹•Š‡†‹™‹–œ‡”Žƒ†

ii © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

Contents ƒ‰‡

Foreword........................................................................................................................................................................................................................................ iv
Introduction .................................................................................................................................................................................................................................v

LY
1 Scope ................................................................................................................................................................................................................................. 1
2 Normative references ..................................................................................................................................................................................... 1
͵ ‡”•ƒ††‡ϐ‹‹–‹‘• .................................................................................................................................................................................... 1

ON
4 Context of the organization ...................................................................................................................................................................... 1
ͶǤͳ 
 †‡”•–ƒ†‹‰–Š‡‘”‰ƒ‹œƒ–‹‘ƒ†‹–• ‘–‡š– ..................................................................................................... 1
ͶǤʹ 
 †‡”•–ƒ†‹‰–Š‡‡‡†•ƒ†‡š’‡ –ƒ–‹‘•‘ˆ‹–‡”‡•–‡†’ƒ”–‹‡• ........................................................... 1
ͶǤ͵ 
 ‡–‡”‹‹‰–Š‡• ‘’‡‘ˆ–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡ ....................................... 2
ͶǤͶ  ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡................................................................................................................... 2

SE
5 Leadership .................................................................................................................................................................................................................. 2
ͷǤͳ  ‡ƒ†‡”•Š‹’ƒ† ‘‹–‡– ..................................................................................................................................................... 2
ͷǤʹ ‘Ž‹ › ............................................................................................................................................................................................................... ͵

O
ͷǤ͵  ”‰ƒ‹œƒ–‹‘ƒŽ”‘Ž‡•ǡ”‡•’‘•‹„‹Ž‹–‹‡•ƒ†ƒ—–Š‘”‹–‹‡• ....................................................................................... ͵

6 Planning ........................................................................................................................................................................................................................ 3

RP
͸Ǥͳ  –‹‘•–‘ƒ††”‡••”‹••ƒ†‘’’‘”–—‹–‹‡• ................................................................................................................. ͵

͸ǤͳǤͳ  ‡‡”ƒŽ ........................................................................................................................................................................................ ͵
͸ǤͳǤʹ  ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•ƒ••‡••‡– ............................................................................................................ Ͷ
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

͸ǤͳǤ͵  ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•–”‡ƒ–‡– ................................................................................................................ Ͷ


͸Ǥʹ  ˆ‘”ƒ–‹‘•‡ —”‹–›‘„Œ‡ –‹˜‡•ƒ†’Žƒ‹‰–‘ƒ Š‹‡˜‡–Š‡ ................................................................. 5
PU
7 Support ........................................................................................................................................................................................................................... 6
7.1 Resources .................................................................................................................................................................................................... 6
7.2 Competence ............................................................................................................................................................................................... 6
͹Ǥ͵  ™ƒ”‡‡••................................................................................................................................................................................................... 6
G

͹ǤͶ ‘—‹ ƒ–‹‘ ...................................................................................................................................................................................... 6


͹Ǥͷ ‘ —‡–‡†‹ˆ‘”ƒ–‹‘ .............................................................................................................................................................. 6
͹ǤͷǤͳ  ‡‡”ƒŽ ........................................................................................................................................................................................ 6
N

͹ǤͷǤʹ ”‡ƒ–‹‰ƒ†—’†ƒ–‹‰ ................................................................................................................................................... 7


͹ǤͷǤ͵   ‘–”‘Ž‘ˆ†‘ —‡–‡†‹ˆ‘”ƒ–‹‘ ................................................................................................................. 7
NI

8 Operation ..................................................................................................................................................................................................................... 7
ͺǤͳ 
 ’‡”ƒ–‹‘ƒŽ’Žƒ‹‰ƒ† ‘–”‘Ž ......................................................................................................................................... 7
ͺǤʹ  ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•ƒ••‡••‡– ............................................................................................................................... ͺ
AI

ͺǤ͵  ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•–”‡ƒ–‡– .................................................................................................................................. ͺ


9 Performance evaluation .............................................................................................................................................................................. 8
TR

ͻǤͳ  ‘‹–‘”‹‰ǡ‡ƒ•—”‡‡–ǡƒƒŽ›•‹•ƒ†‡˜ƒŽ—ƒ–‹‘............................................................................................. ͺ

ͻǤʹ  –‡”ƒŽƒ—†‹– ........................................................................................................................................................................................... ͺ
ͻǤʹǤͳ ‡‡”ƒŽ ........................................................................................................................................................................................ ͺ
ͻǤʹǤʹ –‡”ƒŽƒ—†‹–’”‘‰”ƒ‡ ......................................................................................................................................... ͻ
ͻǤ͵  ƒƒ‰‡‡–”‡˜‹‡™ .......................................................................................................................................................................... ͻ

R

ͻǤ͵Ǥͳ ‡‡”ƒŽ ........................................................................................................................................................................................ ͻ


ͻǤ͵Ǥʹ ƒƒ‰‡‡–”‡˜‹‡™‹’—–• ...................................................................................................................................... ͻ
ͻǤ͵Ǥ͵ ƒƒ‰‡‡–”‡˜‹‡™”‡•—Ž–• ..................................................................................................................................... ͻ
FO

10 Improvement......................................................................................................................................................................................................... 10
ͳͲǤͳ 
 ‘–‹—ƒŽ‹’”‘˜‡‡– ............................................................................................................................................................... 10
ͳͲǤʹ 
 ‘ ‘ˆ‘”‹–›ƒ† ‘””‡ –‹˜‡ƒ –‹‘............................................................................................................................. 10
Annex A ȋ‘”ƒ–‹˜‡Ȍ Information security controls reference........................................................................................... 11
Bibliography............................................................................................................................................................................................................................. 19

© ISO/IEC 2022 – All rights reserved iii


ISO/IEC 27001:2022(E)

Foreword
 ȋ–Š‡ –‡”ƒ–‹‘ƒŽ ”‰ƒ‹œƒ–‹‘ ˆ‘” –ƒ†ƒ”†‹œƒ–‹‘Ȍ ƒ†  ȋ–Š‡ –‡”ƒ–‹‘ƒŽ Ž‡ –”‘–‡ Š‹ ƒŽ
‘‹••‹‘Ȍ ˆ‘” –Š‡ •’‡ ‹ƒŽ‹œ‡† •›•–‡ ˆ‘” ™‘”Ž†™‹†‡ •–ƒ†ƒ”†‹œƒ–‹‘Ǥ ƒ–‹‘ƒŽ „‘†‹‡• –Šƒ– ƒ”‡
‡„‡”• ‘ˆ  ‘”  ’ƒ”–‹ ‹’ƒ–‡ ‹ –Š‡ †‡˜‡Ž‘’‡– ‘ˆ –‡”ƒ–‹‘ƒŽ –ƒ†ƒ”†• –Š”‘—‰Š –‡ Š‹ ƒŽ

LY
‘‹––‡‡• ‡•–ƒ„Ž‹•Š‡† „› –Š‡ ”‡•’‡ –‹˜‡ ‘”‰ƒ‹œƒ–‹‘ –‘ †‡ƒŽ ™‹–Š ’ƒ”–‹ —Žƒ” ϐ‹‡Ž†• ‘ˆ –‡ Š‹ ƒŽ
ƒ –‹˜‹–›Ǥ ƒ† –‡ Š‹ ƒŽ ‘‹––‡‡• ‘ŽŽƒ„‘”ƒ–‡‹ϐ‹‡Ž†•‘ˆ—–—ƒŽ‹–‡”‡•–Ǥ–Š‡”‹–‡”ƒ–‹‘ƒŽ
‘”‰ƒ‹œƒ–‹‘•ǡ‰‘˜‡”‡–ƒŽƒ†‘Ǧ‰‘˜‡”‡–ƒŽǡ‹Ž‹ƒ‹•‘™‹–Š ƒ† ǡƒŽ•‘–ƒ‡’ƒ”–‹–Š‡

ON
™‘”Ǥ
Š‡ ’”‘ ‡†—”‡• —•‡† –‘ †‡˜‡Ž‘’ –Š‹• †‘ —‡– ƒ† –Š‘•‡ ‹–‡†‡† ˆ‘” ‹–• ˆ—”–Š‡” ƒ‹–‡ƒ ‡
ƒ”‡ †‡• ”‹„‡† ‹ –Š‡ Ȁ  ‹”‡ –‹˜‡•ǡ ƒ”– ͳǤ  ’ƒ”–‹ —Žƒ”ǡ –Š‡ †‹ˆˆ‡”‡– ƒ’’”‘˜ƒŽ ”‹–‡”‹ƒ
‡‡†‡† ˆ‘” –Š‡ †‹ˆˆ‡”‡– –›’‡• ‘ˆ †‘ —‡– •Š‘—Ž† „‡ ‘–‡†Ǥ Š‹• †‘ —‡– ™ƒ• †”ƒˆ–‡† ‹
ƒ ‘”†ƒ ‡ ™‹–Š –Š‡ ‡†‹–‘”‹ƒŽ ”—Ž‡• ‘ˆ –Š‡ Ȁ  ‹”‡ –‹˜‡•ǡ ƒ”– ʹ ȋ•‡‡ [Link]/directives or

SE
™™™Ǥ‹‡ Ǥ ŠȀ‡„‡”•̴‡š’‡”–•Ȁ”‡ˆ†‘ •).
––‡–‹‘ ‹• †”ƒ™ –‘ –Š‡ ’‘••‹„‹Ž‹–› –Šƒ– •‘‡ ‘ˆ –Š‡ ‡Ž‡‡–• ‘ˆ –Š‹• †‘ —‡– ƒ› „‡ –Š‡ •—„Œ‡ –
‘ˆ ’ƒ–‡– ”‹‰Š–•Ǥ  ƒ†  •ŠƒŽŽ ‘– „‡ Š‡Ž† ”‡•’‘•‹„Ž‡ ˆ‘” ‹†‡–‹ˆ›‹‰ ƒ› ‘” ƒŽŽ •— Š ’ƒ–‡–
”‹‰Š–•Ǥ ‡–ƒ‹Ž• ‘ˆ ƒ› ’ƒ–‡– ”‹‰Š–• ‹†‡–‹ϐ‹‡† †—”‹‰ –Š‡ †‡˜‡Ž‘’‡– ‘ˆ –Š‡ †‘ —‡– ™‹ŽŽ „‡ ‹ –Š‡

O
–”‘†— –‹‘ƒ†Ȁ‘”‘–Š‡ Ž‹•–‘ˆ’ƒ–‡–†‡ Žƒ”ƒ–‹‘•”‡ ‡‹˜‡†ȋ•‡‡™™™Ǥ‹•‘Ǥ‘”‰Ȁ’ƒ–‡–•) or the IEC
Ž‹•–‘ˆ’ƒ–‡–†‡ Žƒ”ƒ–‹‘•”‡ ‡‹˜‡†ȋ•‡‡Š––’•ǣȀȀ’ƒ–‡–•Ǥ‹‡ Ǥ Š).

‘•–‹–—–‡ƒ‡†‘”•‡‡–Ǥ RP
›–”ƒ†‡ƒ‡—•‡†‹–Š‹•†‘ —‡–‹•‹ˆ‘”ƒ–‹‘‰‹˜‡ˆ‘”–Š‡ ‘˜‡‹‡ ‡‘ˆ—•‡”•ƒ††‘‡•‘–

‘” ƒ ‡š’Žƒƒ–‹‘ ‘ˆ –Š‡ ˜‘Ž—–ƒ”› ƒ–—”‡ ‘ˆ •–ƒ†ƒ”†•ǡ –Š‡ ‡ƒ‹‰ ‘ˆ  •’‡ ‹ϐ‹  –‡”• ƒ†
PU
‡š’”‡••‹‘• ”‡Žƒ–‡† –‘ ‘ˆ‘”‹–› ƒ••‡••‡–ǡ ƒ• ™‡ŽŽ ƒ• ‹ˆ‘”ƒ–‹‘ ƒ„‘—– ̵• ƒ†Š‡”‡ ‡ –‘
–Š‡ ‘”Ž† ”ƒ†‡ ”‰ƒ‹œƒ–‹‘ ȋȌ ’”‹ ‹’Ž‡• ‹ –Š‡ ‡ Š‹ ƒŽ ƒ””‹‡”• –‘ ”ƒ†‡ ȋȌ •‡‡
[Link]/iso/[Link]Ǥ –Š‡ ǡ•‡‡™™™Ǥ‹‡ Ǥ ŠȀ—†‡”•–ƒ†‹‰Ǧ•–ƒ†ƒ”†•.
Š‹• †‘ —‡– ™ƒ• ’”‡’ƒ”‡† „› ‘‹– ‡ Š‹ ƒŽ ‘‹––‡‡ Ȁ   ͳǡ Information Technologyǡ
G

—„ ‘‹––‡‡ʹ͹ǡInformation security, cybersecurity and privacy protection.


Š‹• –Š‹”† ‡†‹–‹‘ ƒ ‡Ž• ƒ† ”‡’Žƒ ‡• –Š‡ •‡ ‘† ‡†‹–‹‘ ȋ Ȁ  ʹ͹ͲͲͳǣʹͲͳ͵Ȍǡ ™Š‹ Š Šƒ• „‡‡
N

–‡ Š‹ ƒŽŽ›”‡˜‹•‡†Ǥ –ƒŽ•‘‹ ‘”’‘”ƒ–‡•–Š‡‡ Š‹ ƒŽ‘””‹‰‡†ƒ Ȁ ʹ͹ͲͲͳǣʹͲͳ͵Ȁ‘”ͳǣʹͲͳͶƒ†


Ȁ ʹ͹ͲͲͳǣʹͲͳ͵Ȁ‘”ʹǣʹͲͳͷǤ
NI

Š‡ƒ‹ Šƒ‰‡•ƒ”‡ƒ•ˆ‘ŽŽ‘™•ǣ
Ȅ –Š‡ –‡š– Šƒ• „‡‡ ƒŽ‹‰‡† ™‹–Š –Š‡ Šƒ”‘‹œ‡† •–”— –—”‡ ˆ‘” ƒƒ‰‡‡– •›•–‡ •–ƒ†ƒ”†•
AI

ƒ† Ȁ ʹ͹ͲͲʹǣʹͲʹʹǤ


› ˆ‡‡†„ƒ  ‘” “—‡•–‹‘• ‘ –Š‹• †‘ —‡– •Š‘—Ž† „‡ †‹”‡ –‡† –‘ –Š‡ —•‡”ǯ• ƒ–‹‘ƒŽ •–ƒ†ƒ”†•
TR

„‘†›Ǥ  ‘’Ž‡–‡ Ž‹•–‹‰ ‘ˆ –Š‡•‡ „‘†‹‡• ƒ „‡ ˆ‘—† ƒ– [Link]/[Link] ƒ†
™™™Ǥ‹‡ Ǥ ŠȀƒ–‹‘ƒŽǦ ‘‹––‡‡•.
R
FO

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

iv © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

Introduction
0.1 General
Š‹•†‘ —‡–Šƒ•„‡‡’”‡’ƒ”‡†–‘’”‘˜‹†‡”‡“—‹”‡‡–•ˆ‘”‡•–ƒ„Ž‹•Š‹‰ǡ‹’Ž‡‡–‹‰ǡƒ‹–ƒ‹‹‰

LY
ƒ† ‘–‹—ƒŽŽ› ‹’”‘˜‹‰ ƒ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡Ǥ Š‡ ƒ†‘’–‹‘ ‘ˆ ƒ
‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡‹•ƒ•–”ƒ–‡‰‹ †‡ ‹•‹‘ˆ‘”ƒ‘”‰ƒ‹œƒ–‹‘ǤŠ‡‡•–ƒ„Ž‹•Š‡–
ƒ†‹’Ž‡‡–ƒ–‹‘‘ˆƒ‘”‰ƒ‹œƒ–‹‘ǯ•‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡‹•‹ϐŽ—‡ ‡†„›–Š‡
‘”‰ƒ‹œƒ–‹‘ǯ•‡‡†•ƒ†‘„Œ‡ –‹˜‡•ǡ•‡ —”‹–›”‡“—‹”‡‡–•ǡ–Š‡‘”‰ƒ‹œƒ–‹‘ƒŽ’”‘ ‡••‡•—•‡†ƒ†–Š‡

ON
•‹œ‡ƒ†•–”— –—”‡‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘ǤŽŽ‘ˆ–Š‡•‡‹ϐŽ—‡ ‹‰ˆƒ –‘”•ƒ”‡‡š’‡ –‡†–‘ Šƒ‰‡‘˜‡”–‹‡Ǥ
Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡’”‡•‡”˜‡•–Š‡ ‘ϐ‹†‡–‹ƒŽ‹–›ǡ‹–‡‰”‹–›ƒ†ƒ˜ƒ‹Žƒ„‹Ž‹–›
‘ˆ‹ˆ‘”ƒ–‹‘„›ƒ’’Ž›‹‰ƒ”‹•ƒƒ‰‡‡–’”‘ ‡••ƒ†‰‹˜‡• ‘ϐ‹†‡ ‡–‘‹–‡”‡•–‡†’ƒ”–‹‡•–Šƒ–
”‹••ƒ”‡ƒ†‡“—ƒ–‡Ž›ƒƒ‰‡†Ǥ

SE
– ‹• ‹’‘”–ƒ– –Šƒ– –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡ ‹• ’ƒ”– ‘ˆ ƒ† ‹–‡‰”ƒ–‡† ™‹–Š –Š‡
‘”‰ƒ‹œƒ–‹‘ǯ•’”‘ ‡••‡•ƒ†‘˜‡”ƒŽŽƒƒ‰‡‡–•–”— –—”‡ƒ†–Šƒ–‹ˆ‘”ƒ–‹‘•‡ —”‹–›‹• ‘•‹†‡”‡†
‹–Š‡†‡•‹‰‘ˆ’”‘ ‡••‡•ǡ‹ˆ‘”ƒ–‹‘•›•–‡•ǡƒ† ‘–”‘Ž•Ǥ –‹•‡š’‡ –‡†–Šƒ–ƒ‹ˆ‘”ƒ–‹‘•‡ —”‹–›
ƒƒ‰‡‡–•›•–‡‹’Ž‡‡–ƒ–‹‘™‹ŽŽ„‡• ƒŽ‡†‹ƒ ‘”†ƒ ‡™‹–Š–Š‡‡‡†•‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘Ǥ

O
Š‹•†‘ —‡– ƒ„‡—•‡†„›‹–‡”ƒŽƒ†‡š–‡”ƒŽ’ƒ”–‹‡•–‘ƒ••‡••–Š‡‘”‰ƒ‹œƒ–‹‘̵•ƒ„‹Ž‹–›–‘‡‡–
–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‘™‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‡“—‹”‡‡–•Ǥ

RP
Š‡ ‘”†‡” ‹ ™Š‹ Š ”‡“—‹”‡‡–• ƒ”‡ ’”‡•‡–‡† ‹ –Š‹• †‘ —‡– †‘‡• ‘– ”‡ϐŽ‡ – –Š‡‹” ‹’‘”–ƒ ‡
‘”‹’Ž›–Š‡‘”†‡”‹™Š‹ Š–Š‡›ƒ”‡–‘„‡‹’Ž‡‡–‡†ǤŠ‡Ž‹•–‹–‡•ƒ”‡‡—‡”ƒ–‡†ˆ‘””‡ˆ‡”‡ ‡
’—”’‘•‡‘Ž›Ǥ
PU
Ȁ  ʹ͹ͲͲͲ †‡• ”‹„‡• –Š‡ ‘˜‡”˜‹‡™ ƒ† –Š‡ ˜‘ ƒ„—Žƒ”› ‘ˆ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡–
•›•–‡•ǡ ”‡ˆ‡”‡ ‹‰ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡ ˆƒ‹Ž› ‘ˆ •–ƒ†ƒ”†• ȋ‹ Ž—†‹‰
Ȁ ʹ͹ͲͲ͵[2]ǡ Ȁ ʹ͹ͲͲͶ[͵]ƒ† Ȁ ʹ͹ͲͲͷ[Ͷ]Ȍǡ™‹–Š”‡Žƒ–‡†–‡”•ƒ††‡ϐ‹‹–‹‘•Ǥ
G

0.2 Compatibility with other management system standards


N

Š‹•†‘ —‡–ƒ’’Ž‹‡•–Š‡Š‹‰ŠǦŽ‡˜‡Ž•–”— –—”‡ǡ‹†‡–‹ ƒŽ•—„Ǧ Žƒ—•‡–‹–Ž‡•ǡ‹†‡–‹ ƒŽ–‡š–ǡ ‘‘–‡”•ǡ


ƒ† ‘”‡†‡ϐ‹‹–‹‘•†‡ϐ‹‡†‹‡š‘ˆ Ȁ ‹”‡ –‹˜‡•ǡƒ”–ͳǡ‘•‘Ž‹†ƒ–‡† —’’Ž‡‡–ǡ
NI

ƒ†–Š‡”‡ˆ‘”‡ƒ‹–ƒ‹• ‘’ƒ–‹„‹Ž‹–›™‹–Š‘–Š‡”ƒƒ‰‡‡–•›•–‡•–ƒ†ƒ”†•–Šƒ–Šƒ˜‡ƒ†‘’–‡†–Š‡
‡šǤ
AI

Š‹• ‘‘ƒ’’”‘ƒ Š†‡ϐ‹‡†‹–Š‡‡š™‹ŽŽ„‡—•‡ˆ—Žˆ‘”–Š‘•‡‘”‰ƒ‹œƒ–‹‘•–Šƒ– Š‘‘•‡–‘


‘’‡”ƒ–‡ƒ•‹‰Ž‡ƒƒ‰‡‡–•›•–‡–Šƒ–‡‡–•–Š‡”‡“—‹”‡‡–•‘ˆ–™‘‘”‘”‡ƒƒ‰‡‡–•›•–‡
•–ƒ†ƒ”†•Ǥ
TR
R
FO

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

© ISO/IEC 2022 – All rights reserved v


FO
R
TR
AI
NIN
G
PU
RP
O SE
ON
LY
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---
INTERNATIONAL STANDARD ISO/IEC 27001:2022(E)

Information security, cybersecurity and privacy


protection — Information security management systems

LY
— Requirements

ON
1 Scope
Š‹•†‘ —‡–•’‡ ‹ϐ‹‡•–Š‡”‡“—‹”‡‡–•ˆ‘”‡•–ƒ„Ž‹•Š‹‰ǡ‹’Ž‡‡–‹‰ǡƒ‹–ƒ‹‹‰ƒ† ‘–‹—ƒŽŽ›
‹’”‘˜‹‰ ƒ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡ ™‹–Š‹ –Š‡ ‘–‡š– ‘ˆ –Š‡ ‘”‰ƒ‹œƒ–‹‘Ǥ Š‹•
†‘ —‡–ƒŽ•‘‹ Ž—†‡•”‡“—‹”‡‡–•ˆ‘”–Š‡ƒ••‡••‡–ƒ†–”‡ƒ–‡–‘ˆ‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹••

SE
–ƒ‹Ž‘”‡†–‘–Š‡‡‡†•‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘ǤŠ‡”‡“—‹”‡‡–••‡–‘—–‹–Š‹•†‘ —‡–ƒ”‡‰‡‡”‹ ƒ†ƒ”‡
‹–‡†‡†–‘„‡ƒ’’Ž‹ ƒ„Ž‡–‘ƒŽŽ‘”‰ƒ‹œƒ–‹‘•ǡ”‡‰ƒ”†Ž‡••‘ˆ–›’‡ǡ•‹œ‡‘”ƒ–—”‡Ǥš Ž—†‹‰ƒ›‘ˆ–Š‡
”‡“—‹”‡‡–••’‡ ‹ϐ‹‡†‹Žƒ—•‡•Ͷ to 10‹•‘–ƒ ‡’–ƒ„Ž‡™Š‡ƒ‘”‰ƒ‹œƒ–‹‘ Žƒ‹• ‘ˆ‘”‹–›–‘
this document.

O
2 Normative references

RP
Š‡ ˆ‘ŽŽ‘™‹‰ †‘ —‡–• ƒ”‡ ”‡ˆ‡””‡† –‘ ‹ –Š‡ –‡š– ‹ •— Š ƒ ™ƒ› –Šƒ– •‘‡ ‘” ƒŽŽ ‘ˆ –Š‡‹” ‘–‡–
‘•–‹–—–‡• ”‡“—‹”‡‡–• ‘ˆ –Š‹• †‘ —‡–Ǥ ‘” †ƒ–‡† ”‡ˆ‡”‡ ‡•ǡ ‘Ž› –Š‡ ‡†‹–‹‘ ‹–‡† ƒ’’Ž‹‡•Ǥ ‘”
—†ƒ–‡†”‡ˆ‡”‡ ‡•ǡ–Š‡Žƒ–‡•–‡†‹–‹‘‘ˆ–Š‡”‡ˆ‡”‡ ‡††‘ —‡–ȋ‹ Ž—†‹‰ƒ›ƒ‡†‡–•Ȍƒ’’Ž‹‡•Ǥ
PU
Ȁ  ʹ͹ͲͲͲǡ Information technology — Security techniques — Information security management
systems — Overview and vocabulary

͵ ‡”•ƒ††‡ϐ‹‹–‹‘•
G

‘”–Š‡’—”’‘•‡•‘ˆ–Š‹•†‘ —‡–ǡ–Š‡–‡”•ƒ††‡ϐ‹‹–‹‘•‰‹˜‡‹ Ȁ ʹ͹ͲͲͲƒ’’Ž›Ǥ


N

ƒ† ƒ‹–ƒ‹–‡”‹‘Ž‘‰›†ƒ–ƒ„ƒ•‡•ˆ‘”—•‡‹•–ƒ†ƒ”†‹œƒ–‹‘ƒ––Š‡ˆ‘ŽŽ‘™‹‰ƒ††”‡••‡•ǣ

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---
Ȅ Ž‹‡„”‘™•‹‰’Žƒ–ˆ‘”ǣƒ˜ƒ‹Žƒ„Ž‡ƒ–[Link]
NI

Ȅ Ž‡ –”‘’‡†‹ƒǣƒ˜ƒ‹Žƒ„Ž‡ƒ–[Link] –”‘’‡†‹ƒ.org/


AI

4 Context of the organization


TR

4.1 Understanding the organization and its context


Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ†‡–‡”‹‡‡š–‡”ƒŽƒ†‹–‡”ƒŽ‹••—‡•–Šƒ–ƒ”‡”‡Ž‡˜ƒ––‘‹–•’—”’‘•‡ƒ†–Šƒ–
ƒˆˆ‡ –‹–•ƒ„‹Ž‹–›–‘ƒ Š‹‡˜‡–Š‡‹–‡†‡†‘—– ‘‡ȋ•Ȍ‘ˆ‹–•‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡Ǥ
R

 ‡–‡”‹‹‰–Š‡•‡‹••—‡•”‡ˆ‡”•–‘‡•–ƒ„Ž‹•Š‹‰–Š‡‡š–‡”ƒŽƒ†‹–‡”ƒŽ ‘–‡š–‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘


‘•‹†‡”‡†‹Žƒ—•‡ͷǤͶǤͳ‘ˆ ͵ͳͲͲͲǣʹͲͳͺ[5].
FO

4.2 Understanding the needs and expectations of interested parties


Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ†‡–‡”‹‡ǣ
ƒȌ ‹–‡”‡•–‡†’ƒ”–‹‡•–Šƒ–ƒ”‡”‡Ž‡˜ƒ––‘–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡Ǣ
„Ȍ –Š‡”‡Ž‡˜ƒ–”‡“—‹”‡‡–•‘ˆ–Š‡•‡‹–‡”‡•–‡†’ƒ”–‹‡•Ǣ
Ȍ ™Š‹ Š ‘ˆ –Š‡•‡ ”‡“—‹”‡‡–• ™‹ŽŽ „‡ ƒ††”‡••‡† –Š”‘—‰Š –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡–
•›•–‡Ǥ

© ISO/IEC 2022 – All rights reserved 1


ISO/IEC 27001:2022(E)

 Š‡”‡“—‹”‡‡–•‘ˆ‹–‡”‡•–‡†’ƒ”–‹‡• ƒ‹ Ž—†‡Ž‡‰ƒŽƒ†”‡‰—Žƒ–‘”›”‡“—‹”‡‡–•ƒ† ‘–”ƒ –—ƒŽ


‘„Ž‹‰ƒ–‹‘•Ǥ

4.3 Determining the scope of the information security management system

LY
Š‡ ‘”‰ƒ‹œƒ–‹‘ •ŠƒŽŽ †‡–‡”‹‡ –Š‡ „‘—†ƒ”‹‡• ƒ† ƒ’’Ž‹ ƒ„‹Ž‹–› ‘ˆ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–›
ƒƒ‰‡‡–•›•–‡–‘‡•–ƒ„Ž‹•Š‹–•• ‘’‡Ǥ
Š‡†‡–‡”‹‹‰–Š‹•• ‘’‡ǡ–Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ ‘•‹†‡”ǣ

ON
ƒȌ –Š‡‡š–‡”ƒŽƒ†‹–‡”ƒŽ‹••—‡•”‡ˆ‡””‡†–‘‹ͶǤͳǢ
„Ȍ –Š‡”‡“—‹”‡‡–•”‡ˆ‡””‡†–‘‹ͶǤʹǢ
Ȍ ‹–‡”ˆƒ ‡•ƒ††‡’‡†‡ ‹‡•„‡–™‡‡ƒ –‹˜‹–‹‡•’‡”ˆ‘”‡†„›–Š‡‘”‰ƒ‹œƒ–‹‘ǡƒ†–Š‘•‡–Šƒ–ƒ”‡
’‡”ˆ‘”‡†„›‘–Š‡”‘”‰ƒ‹œƒ–‹‘•Ǥ

SE
Š‡• ‘’‡•ŠƒŽŽ„‡ƒ˜ƒ‹Žƒ„Ž‡ƒ•†‘ —‡–‡†‹ˆ‘”ƒ–‹‘Ǥ

4.4 Information security management system

O
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ‡•–ƒ„Ž‹•Šǡ‹’Ž‡‡–ǡƒ‹–ƒ‹ƒ† ‘–‹—ƒŽŽ›‹’”‘˜‡ƒ‹ˆ‘”ƒ–‹‘•‡ —”‹–›

RP
ƒƒ‰‡‡– •›•–‡ǡ ‹ Ž—†‹‰ –Š‡ ’”‘ ‡••‡• ‡‡†‡† ƒ† –Š‡‹” ‹–‡”ƒ –‹‘•ǡ ‹ ƒ ‘”†ƒ ‡ ™‹–Š –Š‡
”‡“—‹”‡‡–•‘ˆ–Š‹•†‘ —‡–Ǥ

5 Leadership
PU
5.1 Leadership and commitment
‘’ ƒƒ‰‡‡– •ŠƒŽŽ †‡‘•–”ƒ–‡ Ž‡ƒ†‡”•Š‹’ ƒ† ‘‹–‡– ™‹–Š ”‡•’‡ – –‘ –Š‡ ‹ˆ‘”ƒ–‹‘
•‡ —”‹–›ƒƒ‰‡‡–•›•–‡„›ǣ
G

ƒȌ ‡•—”‹‰–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‘Ž‹ ›ƒ†–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›‘„Œ‡ –‹˜‡•ƒ”‡‡•–ƒ„Ž‹•Š‡†


ƒ†ƒ”‡ ‘’ƒ–‹„Ž‡™‹–Š–Š‡•–”ƒ–‡‰‹ †‹”‡ –‹‘‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘Ǣ
N

„Ȍ ‡•—”‹‰ –Š‡ ‹–‡‰”ƒ–‹‘ ‘ˆ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡ ”‡“—‹”‡‡–• ‹–‘ –Š‡
NI

‘”‰ƒ‹œƒ–‹‘ǯ•’”‘ ‡••‡•Ǣ
Ȍ ‡•—”‹‰–Šƒ––Š‡”‡•‘—” ‡•‡‡†‡†ˆ‘”–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡ƒ”‡ƒ˜ƒ‹Žƒ„Ž‡Ǣ
AI

†Ȍ ‘—‹ ƒ–‹‰–Š‡‹’‘”–ƒ ‡‘ˆ‡ˆˆ‡ –‹˜‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–ƒ†‘ˆ ‘ˆ‘”‹‰


–‘–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡”‡“—‹”‡‡–•Ǣ
TR

‡Ȍ ‡•—”‹‰–Šƒ––Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡ƒ Š‹‡˜‡•‹–•‹–‡†‡†‘—– ‘‡ȋ•ȌǢ


ˆȌ †‹”‡ –‹‰ ƒ† •—’’‘”–‹‰ ’‡”•‘• –‘ ‘–”‹„—–‡ –‘ –Š‡ ‡ˆˆ‡ –‹˜‡‡•• ‘ˆ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–›
ƒƒ‰‡‡–•›•–‡Ǣ
R

‰Ȍ ’”‘‘–‹‰ ‘–‹—ƒŽ‹’”‘˜‡‡–Ǣƒ†


ŠȌ •—’’‘”–‹‰‘–Š‡””‡Ž‡˜ƒ–ƒƒ‰‡‡–”‘Ž‡•–‘†‡‘•–”ƒ–‡–Š‡‹”Ž‡ƒ†‡”•Š‹’ƒ•‹–ƒ’’Ž‹‡•–‘–Š‡‹”
FO

ƒ”‡ƒ•‘ˆ”‡•’‘•‹„‹Ž‹–›Ǥ
 ‡ˆ‡”‡ ‡–‘Dz„—•‹‡••dz‹–Š‹•†‘ —‡– ƒ„‡‹–‡”’”‡–‡†„”‘ƒ†Ž›–‘‡ƒ–Š‘•‡ƒ –‹˜‹–‹‡•–Šƒ–ƒ”‡
‘”‡–‘–Š‡’—”’‘•‡•‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‡š‹•–‡ ‡Ǥ

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

2 © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

5.2 Policy
‘’ƒƒ‰‡‡–•ŠƒŽŽ‡•–ƒ„Ž‹•Šƒ‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‘Ž‹ ›–Šƒ–ǣ
ƒȌ ‹•ƒ’’”‘’”‹ƒ–‡–‘–Š‡’—”’‘•‡‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘Ǣ

LY
„Ȍ ‹ Ž—†‡•‹ˆ‘”ƒ–‹‘•‡ —”‹–›‘„Œ‡ –‹˜‡•ȋ•‡‡6.2Ȍ‘”’”‘˜‹†‡•–Š‡ˆ”ƒ‡™‘”ˆ‘”•‡––‹‰‹ˆ‘”ƒ–‹‘
•‡ —”‹–›‘„Œ‡ –‹˜‡•Ǣ
Ȍ ‹ Ž—†‡•ƒ ‘‹–‡––‘•ƒ–‹•ˆ›ƒ’’Ž‹ ƒ„Ž‡”‡“—‹”‡‡–•”‡Žƒ–‡†–‘‹ˆ‘”ƒ–‹‘•‡ —”‹–›Ǣ

ON
†Ȍ ‹ Ž—†‡•ƒ ‘‹–‡––‘ ‘–‹—ƒŽ‹’”‘˜‡‡–‘ˆ–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡Ǥ
Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‘Ž‹ ›•ŠƒŽŽǣ
‡Ȍ „‡ƒ˜ƒ‹Žƒ„Ž‡ƒ•†‘ —‡–‡†‹ˆ‘”ƒ–‹‘Ǣ

SE
ˆȌ „‡ ‘—‹ ƒ–‡†™‹–Š‹–Š‡‘”‰ƒ‹œƒ–‹‘Ǣ
‰Ȍ „‡ƒ˜ƒ‹Žƒ„Ž‡–‘‹–‡”‡•–‡†’ƒ”–‹‡•ǡƒ•ƒ’’”‘’”‹ƒ–‡Ǥ

O
5.3 Organizational roles, responsibilities and authorities

RP
‘’ƒƒ‰‡‡–•ŠƒŽŽ‡•—”‡–Šƒ––Š‡”‡•’‘•‹„‹Ž‹–‹‡•ƒ†ƒ—–Š‘”‹–‹‡•ˆ‘””‘Ž‡•”‡Ž‡˜ƒ––‘‹ˆ‘”ƒ–‹‘
•‡ —”‹–›ƒ”‡ƒ••‹‰‡†ƒ† ‘—‹ ƒ–‡†™‹–Š‹–Š‡‘”‰ƒ‹œƒ–‹‘Ǥ
‘’ƒƒ‰‡‡–•ŠƒŽŽƒ••‹‰–Š‡”‡•’‘•‹„‹Ž‹–›ƒ†ƒ—–Š‘”‹–›ˆ‘”ǣ
PU
ƒȌ ‡•—”‹‰–Šƒ––Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡ ‘ˆ‘”•–‘–Š‡”‡“—‹”‡‡–•‘ˆ–Š‹•
†‘ —‡–Ǣ
„Ȍ ”‡’‘”–‹‰‘–Š‡’‡”ˆ‘”ƒ ‡‘ˆ–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡–‘–‘’ƒƒ‰‡‡–Ǥ
 ‘’ ƒƒ‰‡‡– ƒ ƒŽ•‘ ƒ••‹‰ ”‡•’‘•‹„‹Ž‹–‹‡• ƒ† ƒ—–Š‘”‹–‹‡• ˆ‘” ”‡’‘”–‹‰ ’‡”ˆ‘”ƒ ‡ ‘ˆ –Š‡
G

‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡™‹–Š‹–Š‡‘”‰ƒ‹œƒ–‹‘Ǥ
N

6 Planning
NI

6.1 Actions to address risks and opportunities


AI

6.1.1 General

Š‡ ’Žƒ‹‰ ˆ‘” –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡ǡ –Š‡ ‘”‰ƒ‹œƒ–‹‘ •ŠƒŽŽ ‘•‹†‡”
TR

the issues referred to in ͶǤͳ ƒ† –Š‡ ”‡“—‹”‡‡–• ”‡ˆ‡””‡† –‘ ‹ ͶǤʹ ƒ† †‡–‡”‹‡ –Š‡ ”‹•• ƒ†
‘’’‘”–—‹–‹‡•–Šƒ–‡‡†–‘„‡ƒ††”‡••‡†–‘ǣ
ƒȌ ‡•—”‡–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡ ƒƒ Š‹‡˜‡‹–•‹–‡†‡†‘—– ‘‡ȋ•ȌǢ
„Ȍ ’”‡˜‡–ǡ‘””‡†— ‡ǡ—†‡•‹”‡†‡ˆˆ‡ –•Ǣ
R

Ȍ ƒ Š‹‡˜‡ ‘–‹—ƒŽ‹’”‘˜‡‡–Ǥ
FO

Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ’Žƒǣ
†Ȍ ƒ –‹‘•–‘ƒ††”‡••–Š‡•‡”‹••ƒ†‘’’‘”–—‹–‹‡•Ǣƒ†
e) how to
ͳȌ ‹–‡‰”ƒ–‡ ƒ† ‹’Ž‡‡– –Š‡ ƒ –‹‘• ‹–‘ ‹–• ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡
’”‘ ‡••‡•Ǣƒ†
ʹȌ ‡˜ƒŽ—ƒ–‡–Š‡‡ˆˆ‡ –‹˜‡‡••‘ˆ–Š‡•‡ƒ –‹‘•Ǥ
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

© ISO/IEC 2022 – All rights reserved 3


ISO/IEC 27001:2022(E)

6.1.2 Information security risk assessment

Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ†‡ϐ‹‡ƒ†ƒ’’Ž›ƒ‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•ƒ••‡••‡–’”‘ ‡••–Šƒ–ǣ


ƒȌ ‡•–ƒ„Ž‹•Š‡•ƒ†ƒ‹–ƒ‹•‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹• ”‹–‡”‹ƒ–Šƒ–‹ Ž—†‡ǣ

LY
ͳȌ –Š‡”‹•ƒ ‡’–ƒ ‡ ”‹–‡”‹ƒǢƒ†
ʹȌ ”‹–‡”‹ƒˆ‘”’‡”ˆ‘”‹‰‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•ƒ••‡••‡–•Ǣ

ON
„Ȍ ‡•—”‡• –Šƒ– ”‡’‡ƒ–‡† ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ”‹• ƒ••‡••‡–• ’”‘†— ‡ ‘•‹•–‡–ǡ ˜ƒŽ‹† ƒ†
‘’ƒ”ƒ„Ž‡”‡•—Ž–•Ǣ
Ȍ ‹†‡–‹ϐ‹‡•–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹••ǣ
ͳȌ ƒ’’Ž› –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ”‹• ƒ••‡••‡– ’”‘ ‡•• –‘ ‹†‡–‹ˆ› ”‹•• ƒ••‘ ‹ƒ–‡† ™‹–Š

SE
–Š‡ Ž‘•• ‘ˆ ‘ϐ‹†‡–‹ƒŽ‹–›ǡ ‹–‡‰”‹–› ƒ† ƒ˜ƒ‹Žƒ„‹Ž‹–› ˆ‘” ‹ˆ‘”ƒ–‹‘ ™‹–Š‹ –Š‡ • ‘’‡ ‘ˆ –Š‡
‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡Ǣƒ†
ʹȌ ‹†‡–‹ˆ›–Š‡”‹•‘™‡”•Ǣ

O
†Ȍ ƒƒŽ›•‡•–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹••ǣ
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

ͳȌ ƒ••‡••–Š‡’‘–‡–‹ƒŽ ‘•‡“—‡ ‡•–Šƒ–™‘—Ž†”‡•—Ž–‹ˆ–Š‡”‹••‹†‡–‹ϐ‹‡†‹6.1.2 c) 1) were to


ƒ–‡”‹ƒŽ‹œ‡Ǣ
ʹȌ ƒ••‡••–Š‡”‡ƒŽ‹•–‹ Ž‹‡Ž‹Š‘‘†‘ˆ–Š‡‘ —””‡ ‡‘ˆ–Š‡”‹••‹†‡–‹ϐ‹‡†‹6.1.2 ȌͳȌǢƒ† RP
PU
͵Ȍ †‡–‡”‹‡–Š‡Ž‡˜‡Ž•‘ˆ”‹•Ǣ
‡Ȍ ‡˜ƒŽ—ƒ–‡•–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹••ǣ
ͳȌ ‘’ƒ”‡–Š‡”‡•—Ž–•‘ˆ”‹•ƒƒŽ›•‹•™‹–Š–Š‡”‹• ”‹–‡”‹ƒ‡•–ƒ„Ž‹•Š‡†‹6.1.2ƒȌǢƒ†
G

ʹȌ ’”‹‘”‹–‹œ‡–Š‡ƒƒŽ›•‡†”‹••ˆ‘””‹•–”‡ƒ–‡–Ǥ
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ”‡–ƒ‹†‘ —‡–‡†‹ˆ‘”ƒ–‹‘ƒ„‘—––Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•ƒ••‡••‡–
N

process.
NI

6.1.3 Information security risk treatment

Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ†‡ϐ‹‡ƒ†ƒ’’Ž›ƒ‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•–”‡ƒ–‡–’”‘ ‡••–‘ǣ


AI

ƒȌ •‡Ž‡ – ƒ’’”‘’”‹ƒ–‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ”‹• –”‡ƒ–‡– ‘’–‹‘•ǡ –ƒ‹‰ ƒ ‘—– ‘ˆ –Š‡ ”‹•
ƒ••‡••‡–”‡•—Ž–•Ǣ
TR

„Ȍ †‡–‡”‹‡ ƒŽŽ ‘–”‘Ž• –Šƒ– ƒ”‡ ‡ ‡••ƒ”› –‘ ‹’Ž‡‡– –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ”‹• –”‡ƒ–‡–
‘’–‹‘ȋ•Ȍ Š‘•‡Ǣ
ͳ ”‰ƒ‹œƒ–‹‘• ƒ†‡•‹‰ ‘–”‘Ž•ƒ•”‡“—‹”‡†ǡ‘”‹†‡–‹ˆ›–Š‡ˆ”‘ƒ›•‘—” ‡Ǥ
R

Ȍ ‘’ƒ”‡ –Š‡ ‘–”‘Ž• †‡–‡”‹‡† ‹ ͸ǤͳǤ͵ „Ȍ ƒ„‘˜‡ ™‹–Š –Š‘•‡ ‹ ‡š  ƒ† ˜‡”‹ˆ› –Šƒ– ‘
‡ ‡••ƒ”› ‘–”‘Ž•Šƒ˜‡„‡‡‘‹––‡†Ǣ
FO

NOTE 2 ‡š  ‘–ƒ‹• ƒ Ž‹•– ‘ˆ ’‘••‹„Ž‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ‘–”‘Ž•Ǥ •‡”• ‘ˆ –Š‹• †‘ —‡– ƒ”‡
directed to ‡š–‘‡•—”‡–Šƒ–‘‡ ‡••ƒ”›‹ˆ‘”ƒ–‹‘•‡ —”‹–› ‘–”‘Ž•ƒ”‡‘˜‡”Ž‘‘‡†Ǥ

͵ Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–› ‘–”‘Ž•Ž‹•–‡†‹‡šƒ”‡‘–‡šŠƒ—•–‹˜‡ƒ†ƒ††‹–‹‘ƒŽ‹ˆ‘”ƒ–‹‘


•‡ —”‹–› ‘–”‘Ž• ƒ„‡‹ Ž—†‡†‹ˆ‡‡†‡†Ǥ

†Ȍ ’”‘†— ‡ƒ–ƒ–‡‡–‘ˆ’’Ž‹ ƒ„‹Ž‹–›–Šƒ– ‘–ƒ‹•ǣ


Ȅ –Š‡‡ ‡••ƒ”› ‘–”‘Ž•ȋ•‡‡͸ǤͳǤ͵„Ȍƒ† ȌȌǢ

4 © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

Ȅ Œ—•–‹ϐ‹ ƒ–‹‘ˆ‘”–Š‡‹”‹ Ž—•‹‘Ǣ


Ȅ ™Š‡–Š‡”–Š‡‡ ‡••ƒ”› ‘–”‘Ž•ƒ”‡‹’Ž‡‡–‡†‘”‘–Ǣƒ†
Ȅ –Š‡Œ—•–‹ϐ‹ ƒ–‹‘ˆ‘”‡š Ž—†‹‰ƒ›‘ˆ–Š‡‡š controls.

LY
‡Ȍ ˆ‘”—Žƒ–‡ƒ‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•–”‡ƒ–‡–’ŽƒǢƒ†
ˆȌ ‘„–ƒ‹”‹•‘™‡”•ǯƒ’’”‘˜ƒŽ‘ˆ–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•–”‡ƒ–‡–’Žƒƒ†ƒ ‡’–ƒ ‡‘ˆ–Š‡
”‡•‹†—ƒŽ‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹••Ǥ

ON
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ”‡–ƒ‹†‘ —‡–‡†‹ˆ‘”ƒ–‹‘ƒ„‘—––Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•–”‡ƒ–‡–
process.
Ͷ Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ”‹• ƒ••‡••‡– ƒ† –”‡ƒ–‡– ’”‘ ‡•• ‹ –Š‹• †‘ —‡– ƒŽ‹‰• ™‹–Š –Š‡
’”‹ ‹’Ž‡•ƒ†‰‡‡”‹ ‰—‹†‡Ž‹‡•’”‘˜‹†‡†‹ ͵ͳͲͲͲ[5].

SE
6.2 Information security objectives and planning to achieve them
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ‡•–ƒ„Ž‹•Š‹ˆ‘”ƒ–‹‘•‡ —”‹–›‘„Œ‡ –‹˜‡•ƒ–”‡Ž‡˜ƒ–ˆ— –‹‘•ƒ†Ž‡˜‡Ž•Ǥ

O
Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›‘„Œ‡ –‹˜‡••ŠƒŽŽǣ

RP
ƒȌ „‡ ‘•‹•–‡–™‹–Š–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‘Ž‹ ›Ǣ
„Ȍ „‡‡ƒ•—”ƒ„Ž‡ȋ‹ˆ’”ƒ –‹ ƒ„Ž‡ȌǢ
Ȍ –ƒ‡‹–‘ƒ ‘—–ƒ’’Ž‹ ƒ„Ž‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‡“—‹”‡‡–•ǡƒ†”‡•—Ž–•ˆ”‘”‹•ƒ••‡••‡–
PU
ƒ†”‹•–”‡ƒ–‡–Ǣ
†Ȍ „‡‘‹–‘”‡†Ǣ
‡Ȍ „‡ ‘—‹ ƒ–‡†Ǣ
G

ˆȌ „‡—’†ƒ–‡†ƒ•ƒ’’”‘’”‹ƒ–‡Ǣ
‰Ȍ „‡ƒ˜ƒ‹Žƒ„Ž‡ƒ•†‘ —‡–‡†‹ˆ‘”ƒ–‹‘Ǥ
N

Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ”‡–ƒ‹†‘ —‡–‡†‹ˆ‘”ƒ–‹‘‘–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›‘„Œ‡ –‹˜‡•Ǥ


NI

Š‡’Žƒ‹‰Š‘™–‘ƒ Š‹‡˜‡‹–•‹ˆ‘”ƒ–‹‘•‡ —”‹–›‘„Œ‡ –‹˜‡•ǡ–Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ†‡–‡”‹‡ǣ


ŠȌ ™Šƒ–™‹ŽŽ„‡†‘‡Ǣ
AI

‹Ȍ ™Šƒ–”‡•‘—” ‡•™‹ŽŽ„‡”‡“—‹”‡†Ǣ


TR

ŒȌ ™Š‘™‹ŽŽ„‡”‡•’‘•‹„Ž‡Ǣ
Ȍ ™Š‡‹–™‹ŽŽ„‡ ‘’Ž‡–‡†Ǣƒ†
ŽȌ Š‘™–Š‡”‡•—Ž–•™‹ŽŽ„‡‡˜ƒŽ—ƒ–‡†Ǥ
R

6.3 Planning of changes


FO

Š‡ –Š‡ ‘”‰ƒ‹œƒ–‹‘ †‡–‡”‹‡• –Š‡ ‡‡† ˆ‘” Šƒ‰‡• –‘ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡–
•›•–‡ǡ–Š‡ Šƒ‰‡••ŠƒŽŽ„‡ ƒ””‹‡†‘—–‹ƒ’Žƒ‡†ƒ‡”Ǥ
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

© ISO/IEC 2022 – All rights reserved 5


ISO/IEC 27001:2022(E)

7 Support

7.1 Resources

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---
Š‡ ‘”‰ƒ‹œƒ–‹‘ •ŠƒŽŽ †‡–‡”‹‡ ƒ† ’”‘˜‹†‡ –Š‡ ”‡•‘—” ‡• ‡‡†‡† ˆ‘” –Š‡ ‡•–ƒ„Ž‹•Š‡–ǡ

LY
‹’Ž‡‡–ƒ–‹‘ǡ ƒ‹–‡ƒ ‡ ƒ† ‘–‹—ƒŽ ‹’”‘˜‡‡– ‘ˆ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡–
•›•–‡Ǥ

ON
7.2 Competence
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽǣ
ƒȌ †‡–‡”‹‡ –Š‡ ‡ ‡••ƒ”› ‘’‡–‡ ‡ ‘ˆ ’‡”•‘ȋ•Ȍ †‘‹‰ ™‘” —†‡” ‹–• ‘–”‘Ž –Šƒ– ƒˆˆ‡ –• ‹–•
‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‡”ˆ‘”ƒ ‡Ǣ

SE
„Ȍ ‡•—”‡ –Šƒ– –Š‡•‡ ’‡”•‘• ƒ”‡ ‘’‡–‡– ‘ –Š‡ „ƒ•‹• ‘ˆ ƒ’’”‘’”‹ƒ–‡ ‡†— ƒ–‹‘ǡ –”ƒ‹‹‰ǡ ‘”
‡š’‡”‹‡ ‡Ǣ
Ȍ ™Š‡”‡ƒ’’Ž‹ ƒ„Ž‡ǡ–ƒ‡ƒ –‹‘•–‘ƒ “—‹”‡–Š‡‡ ‡••ƒ”› ‘’‡–‡ ‡ǡƒ†‡˜ƒŽ—ƒ–‡–Š‡‡ˆˆ‡ –‹˜‡‡••

O
‘ˆ–Š‡ƒ –‹‘•–ƒ‡Ǣƒ†
†Ȍ ”‡–ƒ‹ƒ’’”‘’”‹ƒ–‡†‘ —‡–‡†‹ˆ‘”ƒ–‹‘ƒ•‡˜‹†‡ ‡‘ˆ ‘’‡–‡ ‡Ǥ

RP
’’Ž‹ ƒ„Ž‡ƒ –‹‘• ƒ‹ Ž—†‡ǡˆ‘”‡šƒ’Ž‡ǣ–Š‡’”‘˜‹•‹‘‘ˆ–”ƒ‹‹‰–‘ǡ–Š‡‡–‘”‹‰‘ˆǡ‘”–Š‡”‡Ǧ
ƒ••‹‰‡–‘ˆ —””‡–‡’Ž‘›‡‡•Ǣ‘”–Š‡Š‹”‹‰‘” ‘–”ƒ –‹‰‘ˆ ‘’‡–‡–’‡”•‘•Ǥ
PU
7.3 Awareness
‡”•‘•†‘‹‰™‘”—†‡”–Š‡‘”‰ƒ‹œƒ–‹‘ǯ• ‘–”‘Ž•ŠƒŽŽ„‡ƒ™ƒ”‡‘ˆǣ
ƒȌ –Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‘Ž‹ ›Ǣ
G

„Ȍ –Š‡‹” ‘–”‹„—–‹‘–‘–Š‡‡ˆˆ‡ –‹˜‡‡••‘ˆ–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡ǡ‹ Ž—†‹‰


–Š‡„‡‡ϐ‹–•‘ˆ‹’”‘˜‡†‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‡”ˆ‘”ƒ ‡Ǣƒ†
N

Ȍ –Š‡ ‹’Ž‹ ƒ–‹‘• ‘ˆ ‘– ‘ˆ‘”‹‰ ™‹–Š –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡
”‡“—‹”‡‡–•Ǥ
NI

7.4 Communication
AI

Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ†‡–‡”‹‡–Š‡‡‡†ˆ‘”‹–‡”ƒŽƒ†‡š–‡”ƒŽ ‘—‹ ƒ–‹‘•”‡Ž‡˜ƒ––‘–Š‡


‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡‹ Ž—†‹‰ǣ
TR

ƒȌ ‘™Šƒ––‘ ‘—‹ ƒ–‡Ǣ


„Ȍ ™Š‡–‘ ‘—‹ ƒ–‡Ǣ
Ȍ ™‹–Š™Š‘–‘ ‘—‹ ƒ–‡Ǣ
R

†Ȍ Š‘™–‘ ‘—‹ ƒ–‡Ǥ


FO

7.5 Documented information

7.5.1 General

Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡•ŠƒŽŽ‹ Ž—†‡ǣ


ƒȌ †‘ —‡–‡†‹ˆ‘”ƒ–‹‘”‡“—‹”‡†„›–Š‹•†‘ —‡–Ǣƒ†

6 © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

„Ȍ †‘ —‡–‡†‹ˆ‘”ƒ–‹‘†‡–‡”‹‡†„›–Š‡‘”‰ƒ‹œƒ–‹‘ƒ•„‡‹‰‡ ‡••ƒ”›ˆ‘”–Š‡‡ˆˆ‡ –‹˜‡‡••


‘ˆ–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡Ǥ
 Š‡ ‡š–‡– ‘ˆ †‘ —‡–‡† ‹ˆ‘”ƒ–‹‘ ˆ‘” ƒ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡ ƒ †‹ˆˆ‡”
ˆ”‘‘‡‘”‰ƒ‹œƒ–‹‘–‘ƒ‘–Š‡”†—‡–‘ǣ

LY
ͳȌ –Š‡•‹œ‡‘ˆ‘”‰ƒ‹œƒ–‹‘ƒ†‹–•–›’‡‘ˆƒ –‹˜‹–‹‡•ǡ’”‘ ‡••‡•ǡ’”‘†— –•ƒ†•‡”˜‹ ‡•Ǣ

ʹȌ –Š‡ ‘’Ž‡š‹–›‘ˆ’”‘ ‡••‡•ƒ†–Š‡‹”‹–‡”ƒ –‹‘•Ǣƒ†

ON
͵Ȍ –Š‡ ‘’‡–‡ ‡‘ˆ’‡”•‘•Ǥ

7.5.2 Creating and updating

Š‡ ”‡ƒ–‹‰ƒ†—’†ƒ–‹‰†‘ —‡–‡†‹ˆ‘”ƒ–‹‘–Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ‡•—”‡ƒ’’”‘’”‹ƒ–‡ǣ

SE
ƒȌ ‹†‡–‹ϐ‹ ƒ–‹‘ƒ††‡• ”‹’–‹‘ȋ‡Ǥ‰Ǥƒ–‹–Ž‡ǡ†ƒ–‡ǡƒ—–Š‘”ǡ‘””‡ˆ‡”‡ ‡—„‡”ȌǢ
„Ȍ ˆ‘”ƒ–ȋ‡Ǥ‰ǤŽƒ‰—ƒ‰‡ǡ•‘ˆ–™ƒ”‡˜‡”•‹‘ǡ‰”ƒ’Š‹ •Ȍƒ†‡†‹ƒȋ‡Ǥ‰Ǥ’ƒ’‡”ǡ‡Ž‡ –”‘‹ ȌǢƒ†
Ȍ ”‡˜‹‡™ƒ†ƒ’’”‘˜ƒŽˆ‘”•—‹–ƒ„‹Ž‹–›ƒ†ƒ†‡“—ƒ ›Ǥ

O
7.5.3 Control of documented information

†‘ —‡–•ŠƒŽŽ„‡ ‘–”‘ŽŽ‡†–‘‡•—”‡ǣ RP
‘ —‡–‡† ‹ˆ‘”ƒ–‹‘ ”‡“—‹”‡† „› –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡ ƒ† „› –Š‹•

ƒȌ ‹–‹•ƒ˜ƒ‹Žƒ„Ž‡ƒ†•—‹–ƒ„Ž‡ˆ‘”—•‡ǡ™Š‡”‡ƒ†™Š‡‹–‹•‡‡†‡†Ǣƒ†
PU
„Ȍ ‹–‹•ƒ†‡“—ƒ–‡Ž›’”‘–‡ –‡†ȋ‡Ǥ‰Ǥˆ”‘Ž‘••‘ˆ ‘ϐ‹†‡–‹ƒŽ‹–›ǡ‹’”‘’‡”—•‡ǡ‘”Ž‘••‘ˆ‹–‡‰”‹–›ȌǤ
‘”–Š‡ ‘–”‘Ž‘ˆ†‘ —‡–‡†‹ˆ‘”ƒ–‹‘ǡ–Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽƒ††”‡••–Š‡ˆ‘ŽŽ‘™‹‰ƒ –‹˜‹–‹‡•ǡƒ•
ƒ’’Ž‹ ƒ„Ž‡ǣ
G

Ȍ †‹•–”‹„—–‹‘ǡƒ ‡••ǡ”‡–”‹‡˜ƒŽƒ†—•‡Ǣ
N

†Ȍ •–‘”ƒ‰‡ƒ†’”‡•‡”˜ƒ–‹‘ǡ‹ Ž—†‹‰–Š‡’”‡•‡”˜ƒ–‹‘‘ˆŽ‡‰‹„‹Ž‹–›Ǣ


‡Ȍ ‘–”‘Ž‘ˆ Šƒ‰‡•ȋ‡Ǥ‰Ǥ˜‡”•‹‘ ‘–”‘ŽȌǢƒ†
NI

ˆȌ ”‡–‡–‹‘ƒ††‹•’‘•‹–‹‘Ǥ
‘ —‡–‡† ‹ˆ‘”ƒ–‹‘ ‘ˆ ‡š–‡”ƒŽ ‘”‹‰‹ǡ †‡–‡”‹‡† „› –Š‡ ‘”‰ƒ‹œƒ–‹‘ –‘ „‡ ‡ ‡••ƒ”› ˆ‘”
AI

–Š‡ ’Žƒ‹‰ ƒ† ‘’‡”ƒ–‹‘ ‘ˆ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ƒƒ‰‡‡– •›•–‡ǡ •ŠƒŽŽ „‡ ‹†‡–‹ϐ‹‡† ƒ•

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---
ƒ’’”‘’”‹ƒ–‡ǡƒ† ‘–”‘ŽŽ‡†Ǥ
TR

  ‡•• ƒ‹’Ž›ƒ†‡ ‹•‹‘”‡‰ƒ”†‹‰–Š‡’‡”‹••‹‘–‘˜‹‡™–Š‡†‘ —‡–‡†‹ˆ‘”ƒ–‹‘‘Ž›ǡ‘”


–Š‡’‡”‹••‹‘ƒ†ƒ—–Š‘”‹–›–‘˜‹‡™ƒ† Šƒ‰‡–Š‡†‘ —‡–‡†‹ˆ‘”ƒ–‹‘ǡ‡– Ǥ

8 Operation
R

8.1 Operational planning and control


FO

Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ’Žƒǡ‹’Ž‡‡–ƒ† ‘–”‘Ž–Š‡’”‘ ‡••‡•‡‡†‡†–‘‡‡–”‡“—‹”‡‡–•ǡƒ†–‘


‹’Ž‡‡––Š‡ƒ –‹‘•†‡–‡”‹‡†‹Žƒ—•‡͸ǡ„›ǣ
Ȅ ‡•–ƒ„Ž‹•Š‹‰ ”‹–‡”‹ƒˆ‘”–Š‡’”‘ ‡••‡•Ǣ
Ȅ ‹’Ž‡‡–‹‰ ‘–”‘Ž‘ˆ–Š‡’”‘ ‡••‡•‹ƒ ‘”†ƒ ‡™‹–Š–Š‡ ”‹–‡”‹ƒǤ
‘ —‡–‡† ‹ˆ‘”ƒ–‹‘ •ŠƒŽŽ „‡ ƒ˜ƒ‹Žƒ„Ž‡ –‘ –Š‡ ‡š–‡– ‡ ‡••ƒ”› –‘ Šƒ˜‡ ‘ϐ‹†‡ ‡ –Šƒ– –Š‡
’”‘ ‡••‡•Šƒ˜‡„‡‡ ƒ””‹‡†‘—–ƒ•’Žƒ‡†Ǥ

© ISO/IEC 2022 – All rights reserved 7


ISO/IEC 27001:2022(E)

Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ ‘–”‘Ž’Žƒ‡† Šƒ‰‡•ƒ†”‡˜‹‡™–Š‡ ‘•‡“—‡ ‡•‘ˆ—‹–‡†‡† Šƒ‰‡•ǡ


–ƒ‹‰ƒ –‹‘–‘‹–‹‰ƒ–‡ƒ›ƒ†˜‡”•‡‡ˆˆ‡ –•ǡƒ•‡ ‡••ƒ”›Ǥ
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ‡•—”‡–Šƒ–‡š–‡”ƒŽŽ›’”‘˜‹†‡†’”‘ ‡••‡•ǡ’”‘†— –•‘”•‡”˜‹ ‡•–Šƒ–ƒ”‡”‡Ž‡˜ƒ–
–‘–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡ƒ”‡ ‘–”‘ŽŽ‡†Ǥ

LY
8.2 Information security risk assessment
Š‡ ‘”‰ƒ‹œƒ–‹‘ •ŠƒŽŽ ’‡”ˆ‘” ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ”‹• ƒ••‡••‡–• ƒ– ’Žƒ‡† ‹–‡”˜ƒŽ• ‘” ™Š‡

ON
•‹‰‹ϐ‹ ƒ– Šƒ‰‡•ƒ”‡’”‘’‘•‡†‘”‘ —”ǡ–ƒ‹‰ƒ ‘—–‘ˆ–Š‡ ”‹–‡”‹ƒ‡•–ƒ„Ž‹•Š‡†‹6.1.2ƒȌǤ
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ”‡–ƒ‹†‘ —‡–‡†‹ˆ‘”ƒ–‹‘‘ˆ–Š‡”‡•—Ž–•‘ˆ–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•
ƒ••‡••‡–•Ǥ

8.3 Information security risk treatment

SE
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ‹’Ž‡‡––Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•–”‡ƒ–‡–’ŽƒǤ
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ”‡–ƒ‹†‘ —‡–‡†‹ˆ‘”ƒ–‹‘‘ˆ–Š‡”‡•—Ž–•‘ˆ–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹•

O
–”‡ƒ–‡–Ǥ

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation


RP
PU
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ†‡–‡”‹‡ǣ
ƒȌ ™Šƒ–‡‡†•–‘„‡‘‹–‘”‡†ƒ†‡ƒ•—”‡†ǡ‹ Ž—†‹‰‹ˆ‘”ƒ–‹‘•‡ —”‹–›’”‘ ‡••‡•ƒ† ‘–”‘Ž•Ǣ
„Ȍ –Š‡ ‡–Š‘†• ˆ‘” ‘‹–‘”‹‰ǡ ‡ƒ•—”‡‡–ǡ ƒƒŽ›•‹• ƒ† ‡˜ƒŽ—ƒ–‹‘ǡ ƒ• ƒ’’Ž‹ ƒ„Ž‡ǡ –‘ ‡•—”‡
˜ƒŽ‹† ”‡•—Ž–•Ǥ Š‡ ‡–Š‘†• •‡Ž‡ –‡† •Š‘—Ž† ’”‘†— ‡ ‘’ƒ”ƒ„Ž‡ ƒ† ”‡’”‘†— ‹„Ž‡ ”‡•—Ž–• –‘ „‡
G

‘•‹†‡”‡†˜ƒŽ‹†Ǣ
N

Ȍ ™Š‡–Š‡‘‹–‘”‹‰ƒ†‡ƒ•—”‹‰•ŠƒŽŽ„‡’‡”ˆ‘”‡†Ǣ
†Ȍ ™Š‘•ŠƒŽŽ‘‹–‘”ƒ†‡ƒ•—”‡Ǣ
NI

‡Ȍ ™Š‡–Š‡”‡•—Ž–•ˆ”‘‘‹–‘”‹‰ƒ†‡ƒ•—”‡‡–•ŠƒŽŽ„‡ƒƒŽ›•‡†ƒ†‡˜ƒŽ—ƒ–‡†Ǣ
ˆȌ ™Š‘•ŠƒŽŽƒƒŽ›•‡ƒ†‡˜ƒŽ—ƒ–‡–Š‡•‡”‡•—Ž–•Ǥ
AI

‘ —‡–‡†‹ˆ‘”ƒ–‹‘•ŠƒŽŽ„‡ƒ˜ƒ‹Žƒ„Ž‡ƒ•‡˜‹†‡ ‡‘ˆ–Š‡”‡•—Ž–•Ǥ
TR

Š‡ ‘”‰ƒ‹œƒ–‹‘ •ŠƒŽŽ ‡˜ƒŽ—ƒ–‡ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡ —”‹–› ’‡”ˆ‘”ƒ ‡ ƒ† –Š‡ ‡ˆˆ‡ –‹˜‡‡•• ‘ˆ –Š‡
‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡Ǥ
R
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

9.2 Internal audit


FO

9.2.1 General

Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ ‘†— –‹–‡”ƒŽƒ—†‹–•ƒ–’Žƒ‡†‹–‡”˜ƒŽ•–‘’”‘˜‹†‡‹ˆ‘”ƒ–‹‘‘™Š‡–Š‡”


–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡ǣ
ƒȌ ‘ˆ‘”•–‘
ͳȌ –Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‘™”‡“—‹”‡‡–•ˆ‘”‹–•‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡Ǣ

8 © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

ʹȌ –Š‡”‡“—‹”‡‡–•‘ˆ–Š‹•†‘ —‡–Ǣ


„Ȍ ‹•‡ˆˆ‡ –‹˜‡Ž›‹’Ž‡‡–‡†ƒ†ƒ‹–ƒ‹‡†Ǥ

9.2.2 Internal audit programme

LY
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ’Žƒǡ‡•–ƒ„Ž‹•Šǡ‹’Ž‡‡–ƒ†ƒ‹–ƒ‹ƒƒ—†‹–’”‘‰”ƒ‡ȋ•Ȍǡ‹ Ž—†‹‰–Š‡
ˆ”‡“—‡ ›ǡ‡–Š‘†•ǡ”‡•’‘•‹„‹Ž‹–‹‡•ǡ’Žƒ‹‰”‡“—‹”‡‡–•ƒ†”‡’‘”–‹‰Ǥ
Š‡‡•–ƒ„Ž‹•Š‹‰–Š‡‹–‡”ƒŽƒ—†‹–’”‘‰”ƒ‡ȋ•Ȍǡ–Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ ‘•‹†‡”–Š‡‹’‘”–ƒ ‡‘ˆ

ON
–Š‡’”‘ ‡••‡• ‘ ‡”‡†ƒ†–Š‡”‡•—Ž–•‘ˆ’”‡˜‹‘—•ƒ—†‹–•Ǥ
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽǣ
ƒȌ †‡ϐ‹‡–Š‡ƒ—†‹– ”‹–‡”‹ƒƒ†• ‘’‡ˆ‘”‡ƒ Šƒ—†‹–Ǣ

SE
„Ȍ •‡Ž‡ –ƒ—†‹–‘”•ƒ† ‘†— –ƒ—†‹–•–Šƒ–‡•—”‡‘„Œ‡ –‹˜‹–›ƒ†–Š‡‹’ƒ”–‹ƒŽ‹–›‘ˆ–Š‡ƒ—†‹–’”‘ ‡••Ǣ
Ȍ ‡•—”‡–Šƒ––Š‡”‡•—Ž–•‘ˆ–Š‡ƒ—†‹–•ƒ”‡”‡’‘”–‡†–‘”‡Ž‡˜ƒ–ƒƒ‰‡‡–Ǣ

O
‘ —‡–‡†‹ˆ‘”ƒ–‹‘•ŠƒŽŽ„‡ƒ˜ƒ‹Žƒ„Ž‡ƒ•‡˜‹†‡ ‡‘ˆ–Š‡‹’Ž‡‡–ƒ–‹‘‘ˆ–Š‡ƒ—†‹–’”‘‰”ƒ‡ȋ•Ȍ
ƒ†–Š‡ƒ—†‹–”‡•—Ž–•Ǥ

9.3 Management review

9.3.1 General
RP
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

PU
‘’ƒƒ‰‡‡–•ŠƒŽŽ”‡˜‹‡™–Š‡‘”‰ƒ‹œƒ–‹‘̵•‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡ƒ–’Žƒ‡†
‹–‡”˜ƒŽ•–‘‡•—”‡‹–• ‘–‹—‹‰•—‹–ƒ„‹Ž‹–›ǡƒ†‡“—ƒ ›ƒ†‡ˆˆ‡ –‹˜‡‡••Ǥ

9.3.2 Management review inputs


G

Š‡ƒƒ‰‡‡–”‡˜‹‡™•ŠƒŽŽ‹ Ž—†‡ ‘•‹†‡”ƒ–‹‘‘ˆǣ


ƒȌ –Š‡•–ƒ–—•‘ˆƒ –‹‘•ˆ”‘’”‡˜‹‘—•ƒƒ‰‡‡–”‡˜‹‡™•Ǣ
N

„Ȍ Šƒ‰‡•‹‡š–‡”ƒŽƒ†‹–‡”ƒŽ‹••—‡•–Šƒ–ƒ”‡”‡Ž‡˜ƒ––‘–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–


NI

•›•–‡Ǣ
Ȍ Šƒ‰‡• ‹ ‡‡†• ƒ† ‡š’‡ –ƒ–‹‘• ‘ˆ ‹–‡”‡•–‡† ’ƒ”–‹‡• –Šƒ– ƒ”‡ ”‡Ž‡˜ƒ– –‘ –Š‡ ‹ˆ‘”ƒ–‹‘
•‡ —”‹–›ƒƒ‰‡‡–•›•–‡Ǣ
AI

†Ȍ ˆ‡‡†„ƒ ‘–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‡”ˆ‘”ƒ ‡ǡ‹ Ž—†‹‰–”‡†•‹ǣ


TR

ͳȌ ‘ ‘ˆ‘”‹–‹‡•ƒ† ‘””‡ –‹˜‡ƒ –‹‘•Ǣ


ʹȌ ‘‹–‘”‹‰ƒ†‡ƒ•—”‡‡–”‡•—Ž–•Ǣ
͵Ȍ ƒ—†‹–”‡•—Ž–•Ǣ
R

ͶȌ ˆ—Žϐ‹Ž‡–‘ˆ‹ˆ‘”ƒ–‹‘•‡ —”‹–›‘„Œ‡ –‹˜‡•Ǣ


FO

‡Ȍ ˆ‡‡†„ƒ ˆ”‘‹–‡”‡•–‡†’ƒ”–‹‡•Ǣ


ˆȌ ”‡•—Ž–•‘ˆ”‹•ƒ••‡••‡–ƒ†•–ƒ–—•‘ˆ”‹•–”‡ƒ–‡–’ŽƒǢ
‰Ȍ ‘’’‘”–—‹–‹‡•ˆ‘” ‘–‹—ƒŽ‹’”‘˜‡‡–Ǥ

9.3.3 Management review results

Š‡ ”‡•—Ž–• ‘ˆ –Š‡ ƒƒ‰‡‡– ”‡˜‹‡™ •ŠƒŽŽ ‹ Ž—†‡ †‡ ‹•‹‘• ”‡Žƒ–‡† –‘ ‘–‹—ƒŽ ‹’”‘˜‡‡–
‘’’‘”–—‹–‹‡•ƒ†ƒ›‡‡†•ˆ‘” Šƒ‰‡•–‘–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡Ǥ

© ISO/IEC 2022 – All rights reserved 9


ISO/IEC 27001:2022(E)

‘ —‡–‡†‹ˆ‘”ƒ–‹‘•ŠƒŽŽ„‡ƒ˜ƒ‹Žƒ„Ž‡ƒ•‡˜‹†‡ ‡‘ˆ–Š‡”‡•—Ž–•‘ˆƒƒ‰‡‡–”‡˜‹‡™•Ǥ

10 Improvement

LY
10.1 Continual improvement
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ ‘–‹—ƒŽŽ›‹’”‘˜‡–Š‡•—‹–ƒ„‹Ž‹–›ǡƒ†‡“—ƒ ›ƒ†‡ˆˆ‡ –‹˜‡‡••‘ˆ–Š‡‹ˆ‘”ƒ–‹‘
•‡ —”‹–›ƒƒ‰‡‡–•›•–‡Ǥ

ON
10.2 Nonconformity and corrective action
Š‡ƒ‘ ‘ˆ‘”‹–›‘ —”•ǡ–Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽǣ
ƒȌ ”‡ƒ ––‘–Š‡‘ ‘ˆ‘”‹–›ǡƒ†ƒ•ƒ’’Ž‹ ƒ„Ž‡ǣ

SE
ͳȌ –ƒ‡ƒ –‹‘–‘ ‘–”‘Žƒ† ‘””‡ –‹–Ǣ
ʹȌ †‡ƒŽ™‹–Š–Š‡ ‘•‡“—‡ ‡•Ǣ

O
„Ȍ ‡˜ƒŽ—ƒ–‡–Š‡‡‡†ˆ‘”ƒ –‹‘–‘‡Ž‹‹ƒ–‡–Š‡ ƒ—•‡•‘ˆ‘ ‘ˆ‘”‹–›ǡ‹‘”†‡”–Šƒ–‹–†‘‡•‘–”‡ —”
‘”‘ —”‡Ž•‡™Š‡”‡ǡ„›ǣ
ͳȌ ”‡˜‹‡™‹‰–Š‡‘ ‘ˆ‘”‹–›Ǣ
ʹȌ †‡–‡”‹‹‰–Š‡ ƒ—•‡•‘ˆ–Š‡‘ ‘ˆ‘”‹–›Ǣƒ†
RP
PU
͵Ȍ †‡–‡”‹‹‰‹ˆ•‹‹Žƒ”‘ ‘ˆ‘”‹–‹‡•‡š‹•–ǡ‘” ‘—Ž†’‘–‡–‹ƒŽŽ›‘ —”Ǣ
Ȍ ‹’Ž‡‡–ƒ›ƒ –‹‘‡‡†‡†Ǣ
†Ȍ ”‡˜‹‡™–Š‡‡ˆˆ‡ –‹˜‡‡••‘ˆƒ› ‘””‡ –‹˜‡ƒ –‹‘–ƒ‡Ǣƒ†
G

‡Ȍ ƒ‡ Šƒ‰‡•–‘–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒƒ‰‡‡–•›•–‡ǡ‹ˆ‡ ‡••ƒ”›Ǥ


‘””‡ –‹˜‡ƒ –‹‘••ŠƒŽŽ„‡ƒ’’”‘’”‹ƒ–‡–‘–Š‡‡ˆˆ‡ –•‘ˆ–Š‡‘ ‘ˆ‘”‹–‹‡•‡ ‘—–‡”‡†Ǥ
N

‘ —‡–‡†‹ˆ‘”ƒ–‹‘•ŠƒŽŽ„‡ƒ˜ƒ‹Žƒ„Ž‡ƒ•‡˜‹†‡ ‡‘ˆǣ
NI

ˆȌ –Š‡ƒ–—”‡‘ˆ–Š‡‘ ‘ˆ‘”‹–‹‡•ƒ†ƒ›•—„•‡“—‡–ƒ –‹‘•–ƒ‡ǡ


‰Ȍ –Š‡”‡•—Ž–•‘ˆƒ› ‘””‡ –‹˜‡ƒ –‹‘Ǥ
AI
TR
R
FO

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

10 © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

Annex A
ȋ‘”ƒ–‹˜‡Ȍ

Information security controls reference

LY
ON
Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–› ‘–”‘Ž•Ž‹•–‡†‹ƒ„Ž‡Ǥͳƒ”‡†‹”‡ –Ž›†‡”‹˜‡†ˆ”‘ƒ†ƒŽ‹‰‡†™‹–Š–Š‘•‡
listed in ISO/IEC 27002:2022[1]ǡŽƒ—•‡•ͷ–‘ͺǡƒ†•ŠƒŽŽ„‡—•‡†‹ ‘–‡š–™‹–Š͸ǤͳǤ͵.

Table A.1 — Information security controls

SE
5 Organizational controls
5.1 ‘Ž‹ ‹‡•ˆ‘”‹ˆ‘”ƒ–‹‘•‡ —- Control
”‹–›
ˆ‘”ƒ–‹‘•‡ —”‹–›’‘Ž‹ ›ƒ†–‘’‹ Ǧ•’‡ ‹ϐ‹ ’‘Ž‹ ‹‡••ŠƒŽŽ„‡†‡-
ϐ‹‡†ǡƒ’’”‘˜‡†„›ƒƒ‰‡‡–ǡ’—„Ž‹•Š‡†ǡ ‘—‹ ƒ–‡†–‘ƒ†

O
ƒ ‘™Ž‡†‰‡†„›”‡Ž‡˜ƒ–’‡”•‘‡Žƒ†”‡Ž‡˜ƒ–‹–‡”‡•–‡†’ƒ”–‹‡•ǡ
ƒ†”‡˜‹‡™‡†ƒ–’Žƒ‡†‹–‡”˜ƒŽ•ƒ†‹ˆ•‹‰‹ϐ‹ ƒ– Šƒ‰‡•‘ —”Ǥ
ˆ‘”ƒ–‹‘•‡ —”‹–›”‘Ž‡•ƒ† Control

RP
5.2
responsibilities
ˆ‘”ƒ–‹‘•‡ —”‹–›”‘Ž‡•ƒ†”‡•’‘•‹„‹Ž‹–‹‡••ŠƒŽŽ„‡†‡ϐ‹‡†ƒ†
ƒŽŽ‘ ƒ–‡†ƒ ‘”†‹‰–‘–Š‡‘”‰ƒ‹œƒ–‹‘‡‡†•Ǥ
ͷǤ͵ ‡‰”‡‰ƒ–‹‘‘ˆ†—–‹‡• Control
PU
‘ϐŽ‹ –‹‰†—–‹‡•ƒ† ‘ϐŽ‹ –‹‰ƒ”‡ƒ•‘ˆ”‡•’‘•‹„‹Ž‹–›•ŠƒŽŽ„‡•‡‰-
”‡‰ƒ–‡†Ǥ
ͷǤͶ ƒƒ‰‡‡–”‡•’‘•‹„‹Ž‹–‹‡• Control
ƒƒ‰‡‡–•ŠƒŽŽ”‡“—‹”‡ƒŽŽ’‡”•‘‡Ž–‘ƒ’’Ž›‹ˆ‘”ƒ–‹‘•‡ —”‹–›
‹ƒ ‘”†ƒ ‡™‹–Š–Š‡‡•–ƒ„Ž‹•Š‡†‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‘Ž‹ ›ǡ–‘’-
G

‹ Ǧ•’‡ ‹ϐ‹ ’‘Ž‹ ‹‡•ƒ†’”‘ ‡†—”‡•‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘Ǥ


5.5 ‘–ƒ –™‹–Šƒ—–Š‘”‹–‹‡• Control
N
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ‡•–ƒ„Ž‹•Šƒ†ƒ‹–ƒ‹ ‘–ƒ –™‹–Š”‡Ž‡˜ƒ–


ƒ—–Š‘”‹–‹‡•Ǥ
NI

5.6 ‘–ƒ –™‹–Š•’‡ ‹ƒŽ‹–‡”‡•– Control


groups
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ‡•–ƒ„Ž‹•Šƒ†ƒ‹–ƒ‹ ‘–ƒ –™‹–Š•’‡ ‹ƒŽ
‹–‡”‡•–‰”‘—’•‘”‘–Š‡”•’‡ ‹ƒŽ‹•–•‡ —”‹–›ˆ‘”—•ƒ†’”‘ˆ‡••‹‘ƒŽ
AI

ƒ••‘ ‹ƒ–‹‘•Ǥ
5.7 Š”‡ƒ–‹–‡ŽŽ‹‰‡ ‡ Control
TR

ˆ‘”ƒ–‹‘”‡Žƒ–‹‰–‘‹ˆ‘”ƒ–‹‘•‡ —”‹–›–Š”‡ƒ–••ŠƒŽŽ„‡ ‘ŽŽ‡ –‡†


ƒ†ƒƒŽ›•‡†–‘’”‘†— ‡–Š”‡ƒ–‹–‡ŽŽ‹‰‡ ‡Ǥ
ͷǤͺ ˆ‘”ƒ–‹‘•‡ —”‹–›‹’”‘Œ‡ – Control
ƒƒ‰‡‡–
ˆ‘”ƒ–‹‘•‡ —”‹–›•ŠƒŽŽ„‡‹–‡‰”ƒ–‡†‹–‘’”‘Œ‡ –ƒƒ‰‡‡–Ǥ
R

ͷǤͻ ˜‡–‘”›‘ˆ‹ˆ‘”ƒ–‹‘ƒ† Control


‘–Š‡”ƒ••‘ ‹ƒ–‡†ƒ••‡–•
‹˜‡–‘”›‘ˆ‹ˆ‘”ƒ–‹‘ƒ†‘–Š‡”ƒ••‘ ‹ƒ–‡†ƒ••‡–•ǡ‹ Ž—†‹‰
FO

‘™‡”•ǡ•ŠƒŽŽ„‡†‡˜‡Ž‘’‡†ƒ†ƒ‹–ƒ‹‡†Ǥ
5.10  ‡’–ƒ„Ž‡—•‡‘ˆ‹ˆ‘”ƒ–‹‘ Control
ƒ†‘–Š‡”ƒ••‘ ‹ƒ–‡†ƒ••‡–•
—Ž‡•ˆ‘”–Š‡ƒ ‡’–ƒ„Ž‡—•‡ƒ†’”‘ ‡†—”‡•ˆ‘”Šƒ†Ž‹‰‹ˆ‘”ƒ–‹‘ƒ†
‘–Š‡”ƒ••‘ ‹ƒ–‡†ƒ••‡–••ŠƒŽŽ„‡‹†‡–‹ϐ‹‡†ǡ†‘ —‡–‡†ƒ†‹’Ž‡‡–‡†Ǥ
5.11 ‡–—”‘ˆƒ••‡–• Control
‡”•‘‡Žƒ†‘–Š‡”‹–‡”‡•–‡†’ƒ”–‹‡•ƒ•ƒ’’”‘’”‹ƒ–‡•ŠƒŽŽ”‡–—”ƒŽŽ
–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•ƒ••‡–•‹–Š‡‹”’‘••‡••‹‘—’‘ Šƒ‰‡‘”–‡”‹ƒ–‹‘
‘ˆ–Š‡‹”‡’Ž‘›‡–ǡ ‘–”ƒ –‘”ƒ‰”‡‡‡–Ǥ

© ISO/IEC 2022 – All rights reserved 11


ISO/IEC 27001:2022(E)

Table A.1 (continued)


5.12 Žƒ••‹ϐ‹ ƒ–‹‘‘ˆ‹ˆ‘”ƒ–‹‘ Control
ˆ‘”ƒ–‹‘•ŠƒŽŽ„‡ Žƒ••‹ϐ‹‡†ƒ ‘”†‹‰–‘–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›
‡‡†•‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘„ƒ•‡†‘ ‘ϐ‹†‡–‹ƒŽ‹–›ǡ‹–‡‰”‹–›ǡƒ˜ƒ‹Žƒ„‹Ž‹–›

LY
ƒ†”‡Ž‡˜ƒ–‹–‡”‡•–‡†’ƒ”–›”‡“—‹”‡‡–•Ǥ
ͷǤͳ͵ ƒ„‡ŽŽ‹‰‘ˆ‹ˆ‘”ƒ–‹‘ Control
ƒ’’”‘’”‹ƒ–‡•‡–‘ˆ’”‘ ‡†—”‡•ˆ‘”‹ˆ‘”ƒ–‹‘Žƒ„‡ŽŽ‹‰•ŠƒŽŽ„‡
†‡˜‡Ž‘’‡†ƒ†‹’Ž‡‡–‡†‹ƒ ‘”†ƒ ‡™‹–Š–Š‡‹ˆ‘”ƒ–‹‘ Žƒ•-

ON
•‹ϐ‹ ƒ–‹‘• Š‡‡ƒ†‘’–‡†„›–Š‡‘”‰ƒ‹œƒ–‹‘Ǥ
ͷǤͳͶ ˆ‘”ƒ–‹‘–”ƒ•ˆ‡” Control
ˆ‘”ƒ–‹‘–”ƒ•ˆ‡””—Ž‡•ǡ’”‘ ‡†—”‡•ǡ‘”ƒ‰”‡‡‡–••ŠƒŽŽ„‡‹’Žƒ ‡
ˆ‘”ƒŽŽ–›’‡•‘ˆ–”ƒ•ˆ‡”ˆƒ ‹Ž‹–‹‡•™‹–Š‹–Š‡‘”‰ƒ‹œƒ–‹‘ƒ†„‡–™‡‡
–Š‡‘”‰ƒ‹œƒ–‹‘ƒ†‘–Š‡”’ƒ”–‹‡•Ǥ

SE
5.15 Access control Control
—Ž‡•–‘ ‘–”‘Ž’Š›•‹ ƒŽƒ†Ž‘‰‹ ƒŽƒ ‡••–‘‹ˆ‘”ƒ–‹‘ƒ†‘–Š‡”
ƒ••‘ ‹ƒ–‡†ƒ••‡–••ŠƒŽŽ„‡‡•–ƒ„Ž‹•Š‡†ƒ†‹’Ž‡‡–‡†„ƒ•‡†‘„—•‹-
‡••ƒ†‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‡“—‹”‡‡–•Ǥ

O
5.16 †‡–‹–›ƒƒ‰‡‡– Control

RP
Š‡ˆ—ŽŽŽ‹ˆ‡ › Ž‡‘ˆ‹†‡–‹–‹‡••ŠƒŽŽ„‡ƒƒ‰‡†Ǥ
5.17 —–Š‡–‹ ƒ–‹‘‹ˆ‘”ƒ–‹‘ Control
ŽŽ‘ ƒ–‹‘ƒ†ƒƒ‰‡‡–‘ˆƒ—–Š‡–‹ ƒ–‹‘‹ˆ‘”ƒ–‹‘•ŠƒŽŽ„‡
‘–”‘ŽŽ‡†„›ƒƒƒ‰‡‡–’”‘ ‡••ǡ‹ Ž—†‹‰ƒ†˜‹•‹‰’‡”•‘‡Ž‘
PU
ƒ’’”‘’”‹ƒ–‡Šƒ†Ž‹‰‘ˆƒ—–Š‡–‹ ƒ–‹‘‹ˆ‘”ƒ–‹‘Ǥ
ͷǤͳͺ Access rights Control
 ‡••”‹‰Š–•–‘‹ˆ‘”ƒ–‹‘ƒ†‘–Š‡”ƒ••‘ ‹ƒ–‡†ƒ••‡–••ŠƒŽŽ„‡
’”‘˜‹•‹‘‡†ǡ”‡˜‹‡™‡†ǡ‘†‹ϐ‹‡†ƒ†”‡‘˜‡†‹ƒ ‘”†ƒ ‡™‹–Š–Š‡
‘”‰ƒ‹œƒ–‹‘ǯ•–‘’‹ Ǧ•’‡ ‹ϐ‹ ’‘Ž‹ ›‘ƒ†”—Ž‡•ˆ‘”ƒ ‡•• ‘–”‘ŽǤ
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

ͷǤͳͻ ˆ‘”ƒ–‹‘•‡ —”‹–›‹•—’’Ž‹‡” Control


”‡Žƒ–‹‘•Š‹’•
”‘ ‡••‡•ƒ†’”‘ ‡†—”‡••ŠƒŽŽ„‡†‡ϐ‹‡†ƒ†‹’Ž‡‡–‡†–‘ƒƒ‰‡
N

–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹••ƒ••‘ ‹ƒ–‡†™‹–Š–Š‡—•‡‘ˆ•—’’Ž‹‡”ǯ•


products or services.
NI

5.20 ††”‡••‹‰‹ˆ‘”ƒ–‹‘•‡ —”‹–› Control


™‹–Š‹•—’’Ž‹‡”ƒ‰”‡‡‡–•
‡Ž‡˜ƒ–‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‡“—‹”‡‡–••ŠƒŽŽ„‡‡•–ƒ„Ž‹•Š‡†ƒ†
ƒ‰”‡‡†™‹–Š‡ƒ Š•—’’Ž‹‡”„ƒ•‡†‘–Š‡–›’‡‘ˆ•—’’Ž‹‡””‡Žƒ–‹‘•Š‹’Ǥ
AI

5.21 ƒƒ‰‹‰‹ˆ‘”ƒ–‹‘•‡ —”‹–› Control


‹–Š‡‹ˆ‘”ƒ–‹‘ƒ† ‘—-
”‘ ‡••‡•ƒ†’”‘ ‡†—”‡••ŠƒŽŽ„‡†‡ϐ‹‡†ƒ†‹’Ž‡‡–‡†–‘ƒƒ‰‡
‹ ƒ–‹‘–‡ Š‘Ž‘‰›ȋ Ȍ•—’’Ž›
TR

–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›”‹••ƒ••‘ ‹ƒ–‡†™‹–Š–Š‡ ’”‘†— –•ƒ†


Šƒ‹
•‡”˜‹ ‡••—’’Ž› Šƒ‹Ǥ
5.22 ‘‹–‘”‹‰ǡ”‡˜‹‡™ƒ† Šƒ‰‡ Control
ƒƒ‰‡‡–‘ˆ•—’’Ž‹‡”•‡”˜‹ ‡•
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ”‡‰—Žƒ”Ž›‘‹–‘”ǡ”‡˜‹‡™ǡ‡˜ƒŽ—ƒ–‡ƒ†ƒƒ‰‡
Šƒ‰‡‹•—’’Ž‹‡”‹ˆ‘”ƒ–‹‘•‡ —”‹–›’”ƒ –‹ ‡•ƒ†•‡”˜‹ ‡†‡Ž‹˜‡”›Ǥ
R

ͷǤʹ͵ ˆ‘”ƒ–‹‘•‡ —”‹–›ˆ‘”—•‡‘ˆ Control


cloud services
”‘ ‡••‡•ˆ‘”ƒ “—‹•‹–‹‘ǡ—•‡ǡƒƒ‰‡‡–ƒ†‡š‹–ˆ”‘ Ž‘—†•‡”˜‹ ‡•
FO

•ŠƒŽŽ„‡‡•–ƒ„Ž‹•Š‡†‹ƒ ‘”†ƒ ‡™‹–Š–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‹ˆ‘”ƒ–‹‘


•‡ —”‹–›”‡“—‹”‡‡–•Ǥ
ͷǤʹͶ ˆ‘”ƒ–‹‘•‡ —”‹–›‹ ‹†‡– Control
ƒƒ‰‡‡–’Žƒ‹‰ƒ†’”‡’ƒ-
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ’Žƒƒ†’”‡’ƒ”‡ˆ‘”ƒƒ‰‹‰‹ˆ‘”ƒ–‹‘•‡ —-
”ƒ–‹‘
”‹–›‹ ‹†‡–•„›†‡ϐ‹‹‰ǡ‡•–ƒ„Ž‹•Š‹‰ƒ† ‘—‹ ƒ–‹‰‹ˆ‘”ƒ–‹‘
•‡ —”‹–›‹ ‹†‡–ƒƒ‰‡‡–’”‘ ‡••‡•ǡ”‘Ž‡•ƒ†”‡•’‘•‹„‹Ž‹–‹‡•Ǥ

12 © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

Table A.1 (continued)


5.25 ••‡••‡–ƒ††‡ ‹•‹‘‘‹- Control
ˆ‘”ƒ–‹‘•‡ —”‹–›‡˜‡–•
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽƒ••‡••‹ˆ‘”ƒ–‹‘•‡ —”‹–›‡˜‡–•ƒ††‡ ‹†‡‹ˆ
–Š‡›ƒ”‡–‘„‡ ƒ–‡‰‘”‹œ‡†ƒ•‹ˆ‘”ƒ–‹‘•‡ —”‹–›‹ ‹†‡–•Ǥ

LY
5.26 ‡•’‘•‡–‘‹ˆ‘”ƒ–‹‘•‡ —”‹–› Control
incidents
ˆ‘”ƒ–‹‘•‡ —”‹–›‹ ‹†‡–••ŠƒŽŽ„‡”‡•’‘†‡†–‘‹ƒ ‘”†ƒ ‡™‹–Š
the documented procedures.

ON
5.27 ‡ƒ”‹‰ˆ”‘‹ˆ‘”ƒ–‹‘•‡- Control
—”‹–›‹ ‹†‡–•
‘™Ž‡†‰‡‰ƒ‹‡†ˆ”‘‹ˆ‘”ƒ–‹‘•‡ —”‹–›‹ ‹†‡–••ŠƒŽŽ„‡—•‡†–‘
•–”‡‰–Š‡ƒ†‹’”‘˜‡–Š‡‹ˆ‘”ƒ–‹‘•‡ —”‹–› ‘–”‘Ž•Ǥ
ͷǤʹͺ Collection of evidence Control
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ‡•–ƒ„Ž‹•Šƒ†‹’Ž‡‡–’”‘ ‡†—”‡•ˆ‘”–Š‡‹†‡-

SE
–‹ϐ‹ ƒ–‹‘ǡ ‘ŽŽ‡ –‹‘ǡƒ “—‹•‹–‹‘ƒ†’”‡•‡”˜ƒ–‹‘‘ˆ‡˜‹†‡ ‡”‡Žƒ–‡†
–‘‹ˆ‘”ƒ–‹‘•‡ —”‹–›‡˜‡–•Ǥ
ͷǤʹͻ ˆ‘”ƒ–‹‘ •‡ —”‹–› †—”‹‰ Control
disruption
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ’ŽƒŠ‘™–‘ƒ‹–ƒ‹‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒ–ƒ

O
ƒ’’”‘’”‹ƒ–‡Ž‡˜‡Ž†—”‹‰†‹•”—’–‹‘Ǥ
ͷǤ͵Ͳ ”‡ƒ†‹‡••ˆ‘”„—•‹‡•• ‘- Control

ͷǤ͵ͳ
–‹—‹–›

RP
”‡ƒ†‹‡•••ŠƒŽŽ„‡’Žƒ‡†ǡ‹’Ž‡‡–‡†ǡƒ‹–ƒ‹‡†ƒ†–‡•–‡†
„ƒ•‡†‘„—•‹‡•• ‘–‹—‹–›‘„Œ‡ –‹˜‡•ƒ†  ‘–‹—‹–›”‡“—‹”‡‡–•Ǥ
‡‰ƒŽǡ•–ƒ–—–‘”›ǡ”‡‰—Žƒ–‘”›ƒ† Control
‘–”ƒ –—ƒŽ”‡“—‹”‡‡–•
PU
‡‰ƒŽǡ•–ƒ–—–‘”›ǡ”‡‰—Žƒ–‘”›ƒ† ‘–”ƒ –—ƒŽ”‡“—‹”‡‡–•”‡Ž‡˜ƒ––‘
‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒ†–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•ƒ’’”‘ƒ Š–‘‡‡––Š‡•‡
”‡“—‹”‡‡–••ŠƒŽŽ„‡‹†‡–‹ϐ‹‡†ǡ†‘ —‡–‡†ƒ†‡’–—’–‘†ƒ–‡Ǥ
ͷǤ͵ʹ –‡ŽŽ‡ –—ƒŽ’”‘’‡”–›”‹‰Š–• Control
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ‹’Ž‡‡–ƒ’’”‘’”‹ƒ–‡’”‘ ‡†—”‡•–‘’”‘–‡ –
G

‹–‡ŽŽ‡ –—ƒŽ’”‘’‡”–›”‹‰Š–•Ǥ
ͷǤ͵͵ ”‘–‡ –‹‘‘ˆ”‡ ‘”†• Control
N

‡ ‘”†••ŠƒŽŽ„‡’”‘–‡ –‡†ˆ”‘Ž‘••ǡ†‡•–”— –‹‘ǡˆƒŽ•‹ϐ‹ ƒ–‹‘ǡ—ƒ—-

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---
–Š‘”‹œ‡†ƒ ‡••ƒ†—ƒ—–Š‘”‹œ‡†”‡Ž‡ƒ•‡Ǥ
NI

ͷǤ͵Ͷ ”‹˜ƒ ›ƒ†’”‘–‡ –‹‘‘ˆ’‡”•‘- Control


ƒŽ‹†‡–‹ϐ‹ƒ„Ž‡‹ˆ‘”ƒ–‹‘ȋ Ȍ
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ‹†‡–‹ˆ›ƒ†‡‡––Š‡”‡“—‹”‡‡–•”‡‰ƒ”†‹‰
–Š‡’”‡•‡”˜ƒ–‹‘‘ˆ’”‹˜ƒ ›ƒ†’”‘–‡ –‹‘‘ˆ ƒ ‘”†‹‰–‘ƒ’’Ž‹ ƒ„Ž‡
AI

Žƒ™•ƒ†”‡‰—Žƒ–‹‘•ƒ† ‘–”ƒ –—ƒŽ”‡“—‹”‡‡–•Ǥ


ͷǤ͵ͷ †‡’‡†‡–”‡˜‹‡™‘ˆ‹ˆ‘”ƒ- Control
–‹‘•‡ —”‹–›
TR

Š‡‘”‰ƒ‹œƒ–‹‘ǯ•ƒ’’”‘ƒ Š–‘ƒƒ‰‹‰‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒ†


‹–•‹’Ž‡‡–ƒ–‹‘‹ Ž—†‹‰’‡‘’Ž‡ǡ’”‘ ‡••‡•ƒ†–‡ Š‘Ž‘‰‹‡••ŠƒŽŽ
„‡”‡˜‹‡™‡†‹†‡’‡†‡–Ž›ƒ–’Žƒ‡†‹–‡”˜ƒŽ•ǡ‘”™Š‡•‹‰‹ϐ‹ ƒ–
Šƒ‰‡•‘ —”Ǥ
ͷǤ͵͸ ‘’Ž‹ƒ ‡™‹–Š’‘Ž‹ ‹‡•ǡ”—Ž‡• Control
ƒ†•–ƒ†ƒ”†•ˆ‘”‹ˆ‘”ƒ–‹‘
R

‘’Ž‹ƒ ‡™‹–Š–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‘Ž‹ ›ǡ–‘’-


•‡ —”‹–›
‹ Ǧ•’‡ ‹ϐ‹ ’‘Ž‹ ‹‡•ǡ”—Ž‡•ƒ†•–ƒ†ƒ”†••ŠƒŽŽ„‡”‡‰—Žƒ”Ž›”‡˜‹‡™‡†Ǥ
FO

ͷǤ͵͹ ‘ —‡–‡†‘’‡”ƒ–‹‰’”‘ ‡- Control


dures
’‡”ƒ–‹‰’”‘ ‡†—”‡•ˆ‘”‹ˆ‘”ƒ–‹‘’”‘ ‡••‹‰ˆƒ ‹Ž‹–‹‡••ŠƒŽŽ„‡
†‘ —‡–‡†ƒ†ƒ†‡ƒ˜ƒ‹Žƒ„Ž‡–‘’‡”•‘‡Ž™Š‘‡‡†–Š‡Ǥ

© ISO/IEC 2022 – All rights reserved 13


ISO/IEC 27001:2022(E)

Table A.1 (continued)


6 People controls
6.1 Screening Control
ƒ ‰”‘—†˜‡”‹ϐ‹ ƒ–‹‘ Š‡ •‘ƒŽŽ ƒ†‹†ƒ–‡•–‘„‡ ‘‡’‡”•‘‡Ž

LY
•ŠƒŽŽ„‡ ƒ””‹‡†‘—–’”‹‘”–‘Œ‘‹‹‰–Š‡‘”‰ƒ‹œƒ–‹‘ƒ†‘ƒ‘‰‘‹‰
„ƒ•‹•–ƒ‹‰‹–‘ ‘•‹†‡”ƒ–‹‘ƒ’’Ž‹ ƒ„Ž‡Žƒ™•ǡ”‡‰—Žƒ–‹‘•ƒ†‡–Š‹ •
ƒ†„‡’”‘’‘”–‹‘ƒŽ–‘–Š‡„—•‹‡••”‡“—‹”‡‡–•ǡ–Š‡ Žƒ••‹ϐ‹ ƒ–‹‘‘ˆ
–Š‡‹ˆ‘”ƒ–‹‘–‘„‡ƒ ‡••‡†ƒ†–Š‡’‡” ‡‹˜‡†”‹••Ǥ

ON
6.2 ‡”• ƒ† ‘†‹–‹‘• ‘ˆ ‡- Control
’Ž‘›‡–
Š‡‡’Ž‘›‡– ‘–”ƒ –—ƒŽƒ‰”‡‡‡–••ŠƒŽŽ•–ƒ–‡–Š‡’‡”•‘‡Žǯ•ƒ†
–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•”‡•’‘•‹„‹Ž‹–‹‡•ˆ‘”‹ˆ‘”ƒ–‹‘•‡ —”‹–›Ǥ
͸Ǥ͵ ˆ‘”ƒ–‹‘•‡ —”‹–›ƒ™ƒ”‡‡••ǡ Control
‡†— ƒ–‹‘ƒ†–”ƒ‹‹‰
‡”•‘‡Ž‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘ƒ†”‡Ž‡˜ƒ–‹–‡”‡•–‡†’ƒ”–‹‡••ŠƒŽŽ”‡ ‡‹˜‡

SE
ƒ’’”‘’”‹ƒ–‡‹ˆ‘”ƒ–‹‘•‡ —”‹–›ƒ™ƒ”‡‡••ǡ‡†— ƒ–‹‘ƒ†–”ƒ‹‹‰
ƒ†”‡‰—Žƒ”—’†ƒ–‡•‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘̵•‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‘Ž‹ ›ǡ
–‘’‹ Ǧ•’‡ ‹ϐ‹ ’‘Ž‹ ‹‡•ƒ†’”‘ ‡†—”‡•ǡƒ•”‡Ž‡˜ƒ–ˆ‘”–Š‡‹”Œ‘„ˆ— –‹‘Ǥ
͸ǤͶ ‹• ‹’Ž‹ƒ”›’”‘ ‡•• Control

O
†‹• ‹’Ž‹ƒ”›’”‘ ‡•••ŠƒŽŽ„‡ˆ‘”ƒŽ‹œ‡†ƒ† ‘—‹ ƒ–‡†–‘–ƒ‡
ƒ –‹‘•ƒ‰ƒ‹•–’‡”•‘‡Žƒ†‘–Š‡””‡Ž‡˜ƒ–‹–‡”‡•–‡†’ƒ”–‹‡•™Š‘

6.5
‘” Šƒ‰‡‘ˆ‡’Ž‘›‡– RP
Šƒ˜‡ ‘‹––‡†ƒ‹ˆ‘”ƒ–‹‘•‡ —”‹–›’‘Ž‹ ›˜‹‘Žƒ–‹‘Ǥ
‡•’‘•‹„‹Ž‹–‹‡•ƒˆ–‡”–‡”‹ƒ–‹‘ Control
ˆ‘”ƒ–‹‘•‡ —”‹–›”‡•’‘•‹„‹Ž‹–‹‡•ƒ††—–‹‡•–Šƒ–”‡ƒ‹˜ƒŽ‹†ƒˆ–‡”
–‡”‹ƒ–‹‘‘” Šƒ‰‡‘ˆ‡’Ž‘›‡–•ŠƒŽŽ„‡†‡ϐ‹‡†ǡ‡ˆ‘” ‡†ƒ†
PU
‘—‹ ƒ–‡†–‘”‡Ž‡˜ƒ–’‡”•‘‡Žƒ†‘–Š‡”‹–‡”‡•–‡†’ƒ”–‹‡•Ǥ
6.6 ‘ϐ‹†‡–‹ƒŽ‹–›‘”‘Ǧ†‹• Ž‘•—”‡ Control
ƒ‰”‡‡‡–•
‘ϐ‹†‡–‹ƒŽ‹–›‘”‘Ǧ†‹• Ž‘•—”‡ƒ‰”‡‡‡–•”‡ϐŽ‡ –‹‰–Š‡‘”‰ƒ-
‹œƒ–‹‘ǯ•‡‡†•ˆ‘”–Š‡’”‘–‡ –‹‘‘ˆ‹ˆ‘”ƒ–‹‘•ŠƒŽŽ„‡‹†‡–‹ϐ‹‡†ǡ
†‘ —‡–‡†ǡ”‡‰—Žƒ”Ž›”‡˜‹‡™‡†ƒ†•‹‰‡†„›’‡”•‘‡Žƒ†‘–Š‡”
G

”‡Ž‡˜ƒ–‹–‡”‡•–‡†’ƒ”–‹‡•Ǥ
6.7 ‡‘–‡™‘”‹‰ Control
N

‡ —”‹–›‡ƒ•—”‡••ŠƒŽŽ„‡‹’Ž‡‡–‡†™Š‡’‡”•‘‡Žƒ”‡™‘”‹‰
”‡‘–‡Ž›–‘’”‘–‡ –‹ˆ‘”ƒ–‹‘ƒ ‡••‡†ǡ’”‘ ‡••‡†‘”•–‘”‡†‘—–•‹†‡
NI

–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•’”‡‹•‡•Ǥ
͸Ǥͺ ˆ‘”ƒ–‹‘•‡ —”‹–›‡˜‡–”‡- Control
porting
AI

Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ’”‘˜‹†‡ƒ‡ Šƒ‹•ˆ‘”’‡”•‘‡Ž–‘”‡’‘”–
‘„•‡”˜‡†‘”•—•’‡ –‡†‹ˆ‘”ƒ–‹‘•‡ —”‹–›‡˜‡–•–Š”‘—‰Šƒ’’”‘’”‹ƒ–‡
Šƒ‡Ž•‹ƒ–‹‡Ž›ƒ‡”Ǥ
TR

7 Physical controls
7.1 Š›•‹ ƒŽ•‡ —”‹–›’‡”‹‡–‡”• Control
‡ —”‹–›’‡”‹‡–‡”••ŠƒŽŽ„‡†‡ϐ‹‡†ƒ†—•‡†–‘’”‘–‡ –ƒ”‡ƒ•–Šƒ–
‘–ƒ‹‹ˆ‘”ƒ–‹‘ƒ†‘–Š‡”ƒ••‘ ‹ƒ–‡†ƒ••‡–•Ǥ
Š›•‹ ƒŽ‡–”›
R

7.2 Control
‡ —”‡ƒ”‡ƒ••ŠƒŽŽ„‡’”‘–‡ –‡†„›ƒ’’”‘’”‹ƒ–‡‡–”› ‘–”‘Ž•ƒ†
ƒ ‡••’‘‹–•Ǥ
FO

͹Ǥ͵ ‡ —”‹‰‘ˆϐ‹ ‡•ǡ”‘‘•ƒ†ˆƒ- Control


cilities
Š›•‹ ƒŽ•‡ —”‹–›ˆ‘”‘ˆϐ‹ ‡•ǡ”‘‘•ƒ†ˆƒ ‹Ž‹–‹‡••ŠƒŽŽ„‡†‡•‹‰‡†ƒ†
implemented.
͹ǤͶ Š›•‹ ƒŽ•‡ —”‹–›‘‹–‘”‹‰ Control
”‡‹•‡••ŠƒŽŽ„‡ ‘–‹—‘—•Ž›‘‹–‘”‡†ˆ‘”—ƒ—–Š‘”‹œ‡†’Š›•‹ ƒŽ
ƒ ‡••Ǥ

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

14 © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

Table A.1 (continued)


7.5 ”‘–‡ –‹‰ƒ‰ƒ‹•–’Š›•‹ ƒŽƒ† Control
‡˜‹”‘‡–ƒŽ–Š”‡ƒ–•
”‘–‡ –‹‘ƒ‰ƒ‹•–’Š›•‹ ƒŽƒ†‡˜‹”‘‡–ƒŽ–Š”‡ƒ–•ǡ•— Šƒ•ƒ–—”ƒŽ
†‹•ƒ•–‡”•ƒ†‘–Š‡”‹–‡–‹‘ƒŽ‘”—‹–‡–‹‘ƒŽ’Š›•‹ ƒŽ–Š”‡ƒ–•–‘

LY
‹ˆ”ƒ•–”— –—”‡•ŠƒŽŽ„‡†‡•‹‰‡†ƒ†‹’Ž‡‡–‡†Ǥ
7.6 ‘”‹‰‹•‡ —”‡ƒ”‡ƒ• Control
‡ —”‹–›‡ƒ•—”‡•ˆ‘”™‘”‹‰‹•‡ —”‡ƒ”‡ƒ••ŠƒŽŽ„‡†‡•‹‰‡†ƒ†
implemented.

ON
7.7 Ž‡ƒ”†‡•ƒ† Ž‡ƒ”• ”‡‡ Control
Ž‡ƒ”†‡•”—Ž‡•ˆ‘”’ƒ’‡”•ƒ†”‡‘˜ƒ„Ž‡•–‘”ƒ‰‡‡†‹ƒƒ† Ž‡ƒ”
• ”‡‡”—Ž‡•ˆ‘”‹ˆ‘”ƒ–‹‘’”‘ ‡••‹‰ˆƒ ‹Ž‹–‹‡••ŠƒŽŽ„‡†‡ϐ‹‡†ƒ†

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---
ƒ’’”‘’”‹ƒ–‡Ž›‡ˆ‘” ‡†Ǥ
͹Ǥͺ “—‹’‡–•‹–‹‰ƒ†’”‘–‡ –‹‘ Control

SE
“—‹’‡–•ŠƒŽŽ„‡•‹–‡†•‡ —”‡Ž›ƒ†’”‘–‡ –‡†Ǥ
͹Ǥͻ ‡ —”‹–›‘ˆƒ••‡–•‘ˆˆǦ’”‡‹•‡• Control
ˆˆǦ•‹–‡ƒ••‡–••ŠƒŽŽ„‡’”‘–‡ –‡†Ǥ

O
7.10 –‘”ƒ‰‡‡†‹ƒ Control
–‘”ƒ‰‡‡†‹ƒ•ŠƒŽŽ„‡ƒƒ‰‡†–Š”‘—‰Š–Š‡‹”Ž‹ˆ‡ › Ž‡‘ˆƒ “—‹•‹–‹‘ǡ

7.11 Supporting utilities Control


RP
—•‡ǡ–”ƒ•’‘”–ƒ–‹‘ƒ††‹•’‘•ƒŽ‹ƒ ‘”†ƒ ‡™‹–Š–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•
Žƒ••‹ϐ‹ ƒ–‹‘• Š‡‡ƒ†Šƒ†Ž‹‰”‡“—‹”‡‡–•Ǥ
PU
ˆ‘”ƒ–‹‘’”‘ ‡••‹‰ˆƒ ‹Ž‹–‹‡••ŠƒŽŽ„‡’”‘–‡ –‡†ˆ”‘’‘™‡”ˆƒ‹Ž—”‡•
ƒ†‘–Š‡”†‹•”—’–‹‘• ƒ—•‡†„›ˆƒ‹Ž—”‡•‹•—’’‘”–‹‰—–‹Ž‹–‹‡•Ǥ
7.12 ƒ„Ž‹‰•‡ —”‹–› Control
ƒ„Ž‡• ƒ””›‹‰’‘™‡”ǡ†ƒ–ƒ‘”•—’’‘”–‹‰‹ˆ‘”ƒ–‹‘•‡”˜‹ ‡••ŠƒŽŽ
„‡’”‘–‡ –‡†ˆ”‘‹–‡” ‡’–‹‘ǡ‹–‡”ˆ‡”‡ ‡‘”†ƒƒ‰‡Ǥ
G

͹Ǥͳ͵ “—‹’‡–ƒ‹–‡ƒ ‡ Control


“—‹’‡–•ŠƒŽŽ„‡ƒ‹–ƒ‹‡† ‘””‡ –Ž›–‘‡•—”‡ƒ˜ƒ‹Žƒ„‹Ž‹–›ǡ‹–‡‰”‹–›
N

ƒ† ‘ϐ‹†‡–‹ƒŽ‹–›‘ˆ‹ˆ‘”ƒ–‹‘Ǥ
͹ǤͳͶ ‡ —”‡ †‹•’‘•ƒŽ ‘” ”‡Ǧ—•‡ ‘ˆ Control
NI

‡“—‹’‡–
–‡•‘ˆ‡“—‹’‡– ‘–ƒ‹‹‰•–‘”ƒ‰‡‡†‹ƒ•ŠƒŽŽ„‡˜‡”‹ϐ‹‡†–‘‡-
•—”‡–Šƒ–ƒ›•‡•‹–‹˜‡†ƒ–ƒƒ†Ž‹ ‡•‡†•‘ˆ–™ƒ”‡Šƒ•„‡‡”‡‘˜‡†
‘”•‡ —”‡Ž›‘˜‡”™”‹––‡’”‹‘”–‘†‹•’‘•ƒŽ‘””‡Ǧ—•‡Ǥ
AI

8 Technological controls
ͺǤͳ User end point devices Control
TR

ˆ‘”ƒ–‹‘•–‘”‡†‘ǡ’”‘ ‡••‡†„›‘”ƒ ‡••‹„Ž‡˜‹ƒ—•‡”‡†’‘‹–


†‡˜‹ ‡••ŠƒŽŽ„‡’”‘–‡ –‡†Ǥ
ͺǤʹ ”‹˜‹Ž‡‰‡†ƒ ‡••”‹‰Š–• Control
Š‡ƒŽŽ‘ ƒ–‹‘ƒ†—•‡‘ˆ’”‹˜‹Ž‡‰‡†ƒ ‡••”‹‰Š–••ŠƒŽŽ„‡”‡•–”‹ –‡†
ƒ†ƒƒ‰‡†Ǥ
R

ͺǤ͵ ˆ‘”ƒ–‹‘ƒ ‡••”‡•–”‹ –‹‘ Control


FO

 ‡••–‘‹ˆ‘”ƒ–‹‘ƒ†‘–Š‡”ƒ••‘ ‹ƒ–‡†ƒ••‡–••ŠƒŽŽ„‡”‡•–”‹ –‡†‹


ƒ ‘”†ƒ ‡™‹–Š–Š‡‡•–ƒ„Ž‹•Š‡†–‘’‹ Ǧ•’‡ ‹ϐ‹ ’‘Ž‹ ›‘ƒ ‡•• ‘–”‘ŽǤ
ͺǤͶ Access to source code Control
‡ƒ†ƒ†™”‹–‡ƒ ‡••–‘•‘—” ‡ ‘†‡ǡ†‡˜‡Ž‘’‡––‘‘Ž•ƒ†•‘ˆ–™ƒ”‡
Ž‹„”ƒ”‹‡••ŠƒŽŽ„‡ƒ’’”‘’”‹ƒ–‡Ž›ƒƒ‰‡†Ǥ

© ISO/IEC 2022 – All rights reserved 15


ISO/IEC 27001:2022(E)

Table A.1 (continued)


ͺǤͷ ‡ —”‡ƒ—–Š‡–‹ ƒ–‹‘ Control
‡ —”‡ƒ—–Š‡–‹ ƒ–‹‘–‡ Š‘Ž‘‰‹‡•ƒ†’”‘ ‡†—”‡••ŠƒŽŽ„‡‹’Ž‡‡–‡†
„ƒ•‡†‘‹ˆ‘”ƒ–‹‘ƒ ‡••”‡•–”‹ –‹‘•ƒ†–Š‡–‘’‹ Ǧ•’‡ ‹ϐ‹ ’‘Ž‹ ›

LY
‘ƒ ‡•• ‘–”‘ŽǤ
ͺǤ͸ ƒ’ƒ ‹–›ƒƒ‰‡‡– Control
Š‡—•‡‘ˆ”‡•‘—” ‡••ŠƒŽŽ„‡‘‹–‘”‡†ƒ†ƒ†Œ—•–‡†‹Ž‹‡™‹–Š —””‡–
ƒ†‡š’‡ –‡† ƒ’ƒ ‹–›”‡“—‹”‡‡–•Ǥ

ON
ͺǤ͹ ”‘–‡ –‹‘ƒ‰ƒ‹•–ƒŽ™ƒ”‡ Control
”‘–‡ –‹‘ƒ‰ƒ‹•–ƒŽ™ƒ”‡•ŠƒŽŽ„‡‹’Ž‡‡–‡†ƒ†•—’’‘”–‡†„›
ƒ’’”‘’”‹ƒ–‡—•‡”ƒ™ƒ”‡‡••Ǥ
ͺǤͺ ƒƒ‰‡‡–‘ˆ–‡ Š‹ ƒŽ˜—Ž- Control
‡”ƒ„‹Ž‹–‹‡•

SE
ˆ‘”ƒ–‹‘ƒ„‘—––‡ Š‹ ƒŽ˜—Ž‡”ƒ„‹Ž‹–‹‡•‘ˆ‹ˆ‘”ƒ–‹‘•›•–‡•‹
—•‡•ŠƒŽŽ„‡‘„–ƒ‹‡†ǡ–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‡š’‘•—”‡–‘•— Š˜—Ž‡”ƒ„‹Ž‹–‹‡•
•ŠƒŽŽ„‡‡˜ƒŽ—ƒ–‡†ƒ†ƒ’’”‘’”‹ƒ–‡‡ƒ•—”‡••ŠƒŽŽ„‡–ƒ‡Ǥ
ͺǤͻ ‘ϐ‹‰—”ƒ–‹‘ƒƒ‰‡‡– Control

O
‘ϐ‹‰—”ƒ–‹‘•ǡ‹ Ž—†‹‰•‡ —”‹–› ‘ϐ‹‰—”ƒ–‹‘•ǡ‘ˆŠƒ”†™ƒ”‡ǡ•‘ˆ–™ƒ”‡ǡ
•‡”˜‹ ‡•ƒ†‡–™‘”••ŠƒŽŽ„‡‡•–ƒ„Ž‹•Š‡†ǡ†‘ —‡–‡†ǡ‹’Ž‡‡–‡†ǡ

RP
‘‹–‘”‡†ƒ†”‡˜‹‡™‡†Ǥ
ͺǤͳͲ ˆ‘”ƒ–‹‘†‡Ž‡–‹‘ Control
ˆ‘”ƒ–‹‘•–‘”‡†‹‹ˆ‘”ƒ–‹‘•›•–‡•ǡ†‡˜‹ ‡•‘”‹ƒ›‘–Š‡”
•–‘”ƒ‰‡‡†‹ƒ•ŠƒŽŽ„‡†‡Ž‡–‡†™Š‡‘Ž‘‰‡””‡“—‹”‡†Ǥ
PU
ͺǤͳͳ ƒ–ƒƒ•‹‰ Control
ƒ–ƒƒ•‹‰•ŠƒŽŽ„‡—•‡†‹ƒ ‘”†ƒ ‡™‹–Š–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•
–‘’‹ Ǧ•’‡ ‹ϐ‹ ’‘Ž‹ ›‘ƒ ‡•• ‘–”‘Žƒ†‘–Š‡””‡Žƒ–‡†–‘’‹ Ǧ•’‡ ‹ϐ‹ 
’‘Ž‹ ‹‡•ǡƒ†„—•‹‡••”‡“—‹”‡‡–•ǡ–ƒ‹‰ƒ’’Ž‹ ƒ„Ž‡Ž‡‰‹•Žƒ–‹‘‹–‘
‘•‹†‡”ƒ–‹‘Ǥ
G

ͺǤͳʹ ƒ–ƒŽ‡ƒƒ‰‡’”‡˜‡–‹‘ Control


ƒ–ƒŽ‡ƒƒ‰‡’”‡˜‡–‹‘‡ƒ•—”‡••ŠƒŽŽ„‡ƒ’’Ž‹‡†–‘•›•–‡•ǡ‡–-
N

™‘”•ƒ†ƒ›‘–Š‡”†‡˜‹ ‡•–Šƒ–’”‘ ‡••ǡ•–‘”‡‘”–”ƒ•‹–•‡•‹–‹˜‡

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---
‹ˆ‘”ƒ–‹‘Ǥ
NI

ͺǤͳ͵ ˆ‘”ƒ–‹‘„ƒ —’ Control


ƒ —’ ‘’‹‡•‘ˆ‹ˆ‘”ƒ–‹‘ǡ•‘ˆ–™ƒ”‡ƒ†•›•–‡••ŠƒŽŽ„‡ƒ‹–ƒ‹‡†
ƒ†”‡‰—Žƒ”Ž›–‡•–‡†‹ƒ ‘”†ƒ ‡™‹–Š–Š‡ƒ‰”‡‡†–‘’‹ Ǧ•’‡ ‹ϐ‹ ’‘Ž‹ ›
AI

‘„ƒ —’Ǥ
ͺǤͳͶ ‡†—†ƒ ›‘ˆ‹ˆ‘”ƒ–‹‘’”‘- Control
‡••‹‰ˆƒ ‹Ž‹–‹‡•
TR

ˆ‘”ƒ–‹‘’”‘ ‡••‹‰ˆƒ ‹Ž‹–‹‡••ŠƒŽŽ„‡‹’Ž‡‡–‡†™‹–Š”‡†—†ƒ ›


•—ˆϐ‹ ‹‡––‘‡‡–ƒ˜ƒ‹Žƒ„‹Ž‹–›”‡“—‹”‡‡–•Ǥ
ͺǤͳͷ Logging Control
‘‰•–Šƒ–”‡ ‘”†ƒ –‹˜‹–‹‡•ǡ‡š ‡’–‹‘•ǡˆƒ—Ž–•ƒ†‘–Š‡””‡Ž‡˜ƒ–‡˜‡–•
•ŠƒŽŽ„‡’”‘†— ‡†ǡ•–‘”‡†ǡ’”‘–‡ –‡†ƒ†ƒƒŽ›•‡†Ǥ
R

ͺǤͳ͸ ‘‹–‘”‹‰ƒ –‹˜‹–‹‡• Control


‡–™‘”•ǡ•›•–‡•ƒ†ƒ’’Ž‹ ƒ–‹‘••ŠƒŽŽ„‡‘‹–‘”‡†ˆ‘”ƒ‘ƒŽ‘—•
FO

„‡Šƒ˜‹‘—”ƒ†ƒ’’”‘’”‹ƒ–‡ƒ –‹‘•–ƒ‡–‘‡˜ƒŽ—ƒ–‡’‘–‡–‹ƒŽ‹ˆ‘”-
ƒ–‹‘•‡ —”‹–›‹ ‹†‡–•Ǥ
ͺǤͳ͹ Ž‘ •› Š”‘‹œƒ–‹‘ Control
Š‡ Ž‘ •‘ˆ‹ˆ‘”ƒ–‹‘’”‘ ‡••‹‰•›•–‡•—•‡†„›–Š‡‘”‰ƒ‹œƒ–‹‘
•ŠƒŽŽ„‡•› Š”‘‹œ‡†–‘ƒ’’”‘˜‡†–‹‡•‘—” ‡•Ǥ

16 © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

Table A.1 (continued)


ͺǤͳͺ •‡‘ˆ’”‹˜‹Ž‡‰‡†—–‹Ž‹–›’”‘‰”ƒ• Control
Š‡—•‡‘ˆ—–‹Ž‹–›’”‘‰”ƒ•–Šƒ– ƒ„‡ ƒ’ƒ„Ž‡‘ˆ‘˜‡””‹†‹‰•›•–‡
ƒ†ƒ’’Ž‹ ƒ–‹‘ ‘–”‘Ž••ŠƒŽŽ„‡”‡•–”‹ –‡†ƒ†–‹‰Š–Ž› ‘–”‘ŽŽ‡†Ǥ

LY
ͺǤͳͻ •–ƒŽŽƒ–‹‘‘ˆ•‘ˆ–™ƒ”‡‘‘’- Control
‡”ƒ–‹‘ƒŽ•›•–‡•
”‘ ‡†—”‡•ƒ†‡ƒ•—”‡••ŠƒŽŽ„‡‹’Ž‡‡–‡†–‘•‡ —”‡Ž›ƒƒ‰‡
•‘ˆ–™ƒ”‡‹•–ƒŽŽƒ–‹‘‘‘’‡”ƒ–‹‘ƒŽ•›•–‡•Ǥ

ON
ͺǤʹͲ ‡–™‘”••‡ —”‹–› Control
‡–™‘”•ƒ†‡–™‘”†‡˜‹ ‡••ŠƒŽŽ„‡•‡ —”‡†ǡƒƒ‰‡†ƒ† ‘–”‘ŽŽ‡†
–‘’”‘–‡ –‹ˆ‘”ƒ–‹‘‹•›•–‡•ƒ†ƒ’’Ž‹ ƒ–‹‘•Ǥ
ͺǤʹͳ ‡ —”‹–›‘ˆ‡–™‘”•‡”˜‹ ‡• Control
‡ —”‹–›‡ Šƒ‹••ǡ•‡”˜‹ ‡Ž‡˜‡Ž•ƒ†•‡”˜‹ ‡”‡“—‹”‡‡–•‘ˆ‡–™‘”

SE
•‡”˜‹ ‡••ŠƒŽŽ„‡‹†‡–‹ϐ‹‡†ǡ‹’Ž‡‡–‡†ƒ†‘‹–‘”‡†Ǥ
ͺǤʹʹ ‡‰”‡‰ƒ–‹‘‘ˆ‡–™‘”• Control
”‘—’•‘ˆ‹ˆ‘”ƒ–‹‘•‡”˜‹ ‡•ǡ—•‡”•ƒ†‹ˆ‘”ƒ–‹‘•›•–‡••ŠƒŽŽ
„‡•‡‰”‡‰ƒ–‡†‹–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‡–™‘”•Ǥ

O
ͺǤʹ͵ ‡„ϐ‹Ž–‡”‹‰ Control
 ‡••–‘‡š–‡”ƒŽ™‡„•‹–‡••ŠƒŽŽ„‡ƒƒ‰‡†–‘”‡†— ‡‡š’‘•—”‡–‘

ͺǤʹͶ •‡‘ˆ ”›’–‘‰”ƒ’Š› Control RP


ƒŽ‹ ‹‘—• ‘–‡–Ǥ

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---
—Ž‡•ˆ‘”–Š‡‡ˆˆ‡ –‹˜‡—•‡‘ˆ ”›’–‘‰”ƒ’Š›ǡ‹ Ž—†‹‰ ”›’–‘‰”ƒ’Š‹ ‡›
PU
ƒƒ‰‡‡–ǡ•ŠƒŽŽ„‡†‡ϐ‹‡†ƒ†‹’Ž‡‡–‡†Ǥ
ͺǤʹͷ ‡ —”‡†‡˜‡Ž‘’‡–Ž‹ˆ‡ › Ž‡ Control
—Ž‡•ˆ‘”–Š‡•‡ —”‡†‡˜‡Ž‘’‡–‘ˆ•‘ˆ–™ƒ”‡ƒ†•›•–‡••ŠƒŽŽ„‡
‡•–ƒ„Ž‹•Š‡†ƒ†ƒ’’Ž‹‡†Ǥ
ͺǤʹ͸ ’’Ž‹ ƒ–‹‘•‡ —”‹–›”‡“—‹”‡- Control
G

ments
ˆ‘”ƒ–‹‘•‡ —”‹–›”‡“—‹”‡‡–••ŠƒŽŽ„‡‹†‡–‹ϐ‹‡†ǡ•’‡ ‹ϐ‹‡†ƒ†
ƒ’’”‘˜‡†™Š‡†‡˜‡Ž‘’‹‰‘”ƒ “—‹”‹‰ƒ’’Ž‹ ƒ–‹‘•Ǥ
N

ͺǤʹ͹ ‡ —”‡•›•–‡ƒ” Š‹–‡ –—”‡ƒ† Control


engineering principles
”‹ ‹’Ž‡•ˆ‘”‡‰‹‡‡”‹‰•‡ —”‡•›•–‡••ŠƒŽŽ„‡‡•–ƒ„Ž‹•Š‡†ǡ†‘ —-
NI

‡–‡†ǡƒ‹–ƒ‹‡†ƒ†ƒ’’Ž‹‡†–‘ƒ›‹ˆ‘”ƒ–‹‘•›•–‡†‡˜‡Ž‘’‡–
ƒ –‹˜‹–‹‡•Ǥ
ͺǤʹͺ
AI

Secure coding Control


‡ —”‡ ‘†‹‰’”‹ ‹’Ž‡••ŠƒŽŽ„‡ƒ’’Ž‹‡†–‘•‘ˆ–™ƒ”‡†‡˜‡Ž‘’‡–Ǥ
ͺǤʹͻ ‡ —”‹–›–‡•–‹‰‹†‡˜‡Ž‘’‡– Control
TR

ƒ†ƒ ‡’–ƒ ‡
‡ —”‹–›–‡•–‹‰’”‘ ‡••‡••ŠƒŽŽ„‡†‡ϐ‹‡†ƒ†‹’Ž‡‡–‡†‹–Š‡
†‡˜‡Ž‘’‡–Ž‹ˆ‡ › Ž‡Ǥ
ͺǤ͵Ͳ Outsourced development Control
Š‡‘”‰ƒ‹œƒ–‹‘•ŠƒŽŽ†‹”‡ –ǡ‘‹–‘”ƒ†”‡˜‹‡™–Š‡ƒ –‹˜‹–‹‡•”‡Žƒ–‡†
R

–‘‘—–•‘—” ‡†•›•–‡†‡˜‡Ž‘’‡–Ǥ
ͺǤ͵ͳ ‡’ƒ”ƒ–‹‘‘ˆ†‡˜‡Ž‘’‡–ǡ–‡•– Control
FO

ƒ†’”‘†— –‹‘‡˜‹”‘‡–•
‡˜‡Ž‘’‡–ǡ–‡•–‹‰ƒ†’”‘†— –‹‘‡˜‹”‘‡–••ŠƒŽŽ„‡•‡’ƒ”ƒ–‡†
ƒ†•‡ —”‡†Ǥ
ͺǤ͵ʹ Šƒ‰‡ƒƒ‰‡‡– Control
Šƒ‰‡•–‘‹ˆ‘”ƒ–‹‘’”‘ ‡••‹‰ˆƒ ‹Ž‹–‹‡•ƒ†‹ˆ‘”ƒ–‹‘•›•–‡•
•ŠƒŽŽ„‡•—„Œ‡ ––‘ Šƒ‰‡ƒƒ‰‡‡–’”‘ ‡†—”‡•Ǥ
ͺǤ͵͵ ‡•–‹ˆ‘”ƒ–‹‘ Control
‡•–‹ˆ‘”ƒ–‹‘•ŠƒŽŽ„‡ƒ’’”‘’”‹ƒ–‡Ž›•‡Ž‡ –‡†ǡ’”‘–‡ –‡†ƒ†ƒƒ‰‡†Ǥ

© ISO/IEC 2022 – All rights reserved 17


ISO/IEC 27001:2022(E)

Table A.1 (continued)


ͺǤ͵Ͷ ”‘–‡ –‹‘‘ˆ‹ˆ‘”ƒ–‹‘•›•- Control
–‡•†—”‹‰ƒ—†‹––‡•–‹‰
—†‹––‡•–•ƒ†‘–Š‡”ƒ••—”ƒ ‡ƒ –‹˜‹–‹‡•‹˜‘Ž˜‹‰ƒ••‡••‡–‘ˆ‘’-
‡”ƒ–‹‘ƒŽ•›•–‡••ŠƒŽŽ„‡’Žƒ‡†ƒ†ƒ‰”‡‡†„‡–™‡‡–Š‡–‡•–‡”ƒ†

LY
ƒ’’”‘’”‹ƒ–‡ƒƒ‰‡‡–Ǥ

ON
SE

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---
O
RP
PU
N G
NI
AI
TR
R
FO

18 © ISO/IEC 2022 – All rights reserved


ISO/IEC 27001:2022(E)

Bibliography

ȏͳȐ Ȁ  ʹ͹ͲͲʹǣʹͲʹʹǡ Information security, cybersecurity and privacy protection — Information

LY
security controls
ȏʹȐ Ȁ ʹ͹ͲͲ͵ǡInformation technology — Security techniques — Information security management
systems — Guidance

ON
ȏ͵Ȑ Ȁ ʹ͹ͲͲͶǡInformation technology — Security techniques — Information security management
— Monitoring, measurement, analysis and evaluation
ȏͶȐ Ȁ  ʹ͹ͲͲͷǡ Information security, cybersecurity and privacy protection — Guidance on
managing information security risks

SE
ȏͷȐ ͵ͳͲͲͲǣʹͲͳͺǡRisk management — Guidelines

O
RP
PU
N G
NI
AI
TR
R
FO

--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

© ISO/IEC 2022 – All rights reserved 19


ISO/IEC 27001:2022(E)

LY
ON
OSE
RP
PU
G
--``,,,,,``````,,,,,`,`,`,`,,`,-`-`,,`,,`,`,,`---

N
NI
AI
TR
R
FO

౧Ͳ͵ǤͳͲͲǤ͹ͲǢ͵ͷǤͲ͵Ͳ
”‹ ‡„ƒ•‡†‘ͳͻ’ƒ‰‡•

© ISO/IEC 2022 – All rights reserved

You might also like