ISO/IEC 27001:2022
Information security management systems standard. Specifies requirements for establishing, implementing, maintaining and continually improving an ISMS.
AC (13) AT (5) AU (16) CA (7) CM (13) CP (10) IA (8) IR (8) MA (7) MP (8) PE (19) PL (6) PM (21) PS (7) PT (8) RA (7) SA (13) SC (9) SI (8) SR (7)
AC Access Control
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | A.5.1, A.5.15 |
| AC-02 | Account Management | A.5.15, A.5.18 |
| AC-03 | Access Enforcement | A.5.15, A.8.3, A.8.4 |
| AC-04 | Information Flow Enforcement | A.5.14, A.8.12, A.8.20, A.8.23, A.8.3 |
| AC-05 | Separation Of Duties | A.5.3 |
| AC-06 | Least Privilege | A.5.15, A.5.18, A.8.18, A.8.2, A.8.3 |
| AC-11 | Session Lock | A.7.7 |
| AC-16 | Automated Labeling | A.5.13 |
| AC-17 | Remote Access | A.5.15, A.6.7, A.7.9 |
| AC-19 | Access Control For Portable And Mobile Devices | A.8.1 |
| AC-20 | Use Of External Information Systems | A.5.10, A.5.14, A.5.23 |
| AC-24 | Access Control Decisions | A.5.15 |
| AC-25 | Reference Monitor | A.5.18 |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | 7.5, A.5.1, A.8.15 |
| AU-02 | Auditable Events | 7.5, A.8.15 |
| AU-03 | Content Of Audit Records | 7.5, A.5.28, A.8.15 |
| AU-04 | Audit Storage Capacity | 7.5, A.8.15, A.8.6 |
| AU-05 | Response To Audit Processing Failures | 7.5, A.8.15 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | 7.5, 9.2, A.5.28, A.5.36, A.8.15, A.8.16, A.8.34 |
| AU-07 | Audit Reduction And Report Generation | 7.5, A.8.15 |
| AU-08 | Time Stamps | 7.5, A.8.15, A.8.17 |
| AU-09 | Protection Of Audit Information | 7.5, A.8.15 |
| AU-10 | Non-Repudiation | 7.5, A.8.15 |
| AU-11 | Audit Record Retention | 7.5, A.5.28, A.5.33, A.8.15 |
| AU-12 | Audit Record Generation | 7.5, A.8.15 |
| AU-13 | Monitoring for Information Disclosure | 7.5 |
| AU-14 | Session Audit | 7.5 |
| AU-15 | Alternate Audit Logging Capability | 7.5 |
| AU-16 | Cross-Organizational Audit Logging | 7.5 |
CA Security Assessment and Authorization
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | A.5.1 |
| CA-02 | Security Assessments | 8.1, 9.2, A.5.35, A.5.36, A.8.29, A.8.34 |
| CA-03 | Information System Connections | A.5.14 |
| CA-05 | Plan Of Action And Milestones | 10.2, 6.1.3, 8.3 |
| CA-07 | Continuous Monitoring | 10.1, 9.1, 9.2, 9.3, A.5.22, A.5.35, A.8.16 |
| CA-08 | Penetration Testing | A.8.34 |
| CA-09 | Internal System Connections | A.8.20 |
CM Configuration Management
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | A.5.1, A.5.37, A.8.9 |
| CM-02 | Baseline Configuration | A.8.9 |
| CM-03 | Configuration Change Control | 6.3, A.8.32, A.8.9 |
| CM-04 | Monitoring Configuration Changes | 6.3, A.5.36, A.8.31, A.8.32, A.8.9 |
| CM-05 | Access Restrictions For Change | A.8.19, A.8.32, A.8.4, A.8.9 |
| CM-06 | Configuration Settings | A.8.9 |
| CM-07 | Least Functionality | A.8.1, A.8.18, A.8.19, A.8.9 |
| CM-08 | Information System Component Inventory | A.5.9, A.8.9 |
| CM-09 | Configuration Management Plan | A.8.9 |
| CM-10 | Software Usage Restrictions | A.8.9 |
| CM-11 | User-Installed Software | A.8.18, A.8.19, A.8.9 |
| CM-12 | Information Location | A.5.9 |
| CM-14 | Signed Components | A.8.19, A.8.9 |
CP Contingency Planning
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | A.5.1, A.5.29 |
| CP-02 | Contingency Plan | A.5.29, A.5.30, A.8.6 |
| CP-03 | Contingency Training | A.5.29 |
| CP-04 | Contingency Plan Testing And Exercises | A.5.29 |
| CP-06 | Alternate Storage Site | A.5.29, A.8.13, A.8.14 |
| CP-07 | Alternate Processing Site | A.5.29, A.5.30, A.8.14 |
| CP-08 | Telecommunications Services | A.5.30, A.8.14 |
| CP-09 | Information System Backup | A.5.29, A.5.30, A.8.13 |
| CP-10 | Information System Recovery And Reconstitution | A.5.29, A.5.30 |
| CP-13 | Alternative Security Mechanisms | A.5.30 |
IA Identification and Authentication
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | A.5.1, A.5.16 |
| IA-02 | User Identification And Authentication | A.5.16, A.8.5 |
| IA-04 | Identifier Management | A.5.16 |
| IA-05 | Authenticator Management | A.5.16, A.5.17, A.8.5 |
| IA-06 | Authenticator Feedback | A.5.17 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | A.5.16, A.8.5 |
| IA-11 | Re-authentication | A.8.5 |
| IA-12 | Identity Proofing | A.5.16 |
IR Incident Response
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | A.5.1, A.5.24 |
| IR-02 | Incident Response Training | A.5.24 |
| IR-03 | Incident Response Testing And Exercises | A.5.24, A.5.27 |
| IR-04 | Incident Handling | A.5.25, A.5.26, A.5.27, A.5.28, A.8.16 |
| IR-05 | Incident Monitoring | A.5.25 |
| IR-06 | Incident Reporting | A.5.25, A.5.26, A.5.27, A.5.5, A.6.8 |
| IR-07 | Incident Response Assistance | 7.4, A.5.26, A.6.8 |
| IR-08 | Incident Response Plan | A.5.24 |
MA Maintenance
MP Media Protection
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| MP-01 | Media Protection Policy And Procedures | A.5.1, A.7.10 |
| MP-02 | Media Access | A.7.10 |
| MP-03 | Media Labeling | A.5.13, A.7.10 |
| MP-04 | Media Storage | A.7.10, A.7.7 |
| MP-05 | Media Transport | A.7.10, A.7.9 |
| MP-06 | Media Sanitization And Disposal | A.7.10, A.7.14, A.8.10 |
| MP-07 | Media Use | A.7.10, A.7.14 |
| MP-08 | Media Downgrading | A.7.10 |
PE Physical and Environmental Protection
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | A.5.1, A.7.8 |
| PE-02 | Physical Access Authorizations | A.7.2, A.7.6 |
| PE-03 | Physical Access Control | A.7.1, A.7.2, A.7.3, A.7.6 |
| PE-04 | Access Control For Transmission Medium | A.7.1, A.7.12 |
| PE-05 | Access Control For Display Medium | A.7.3 |
| PE-06 | Monitoring Physical Access | A.7.2, A.7.4 |
| PE-07 | Visitor Control | A.7.6 |
| PE-08 | Access Records | A.7.2, A.7.4 |
| PE-09 | Power Equipment And Power Cabling | A.7.11, A.7.12, A.7.5 |
| PE-10 | Emergency Shutoff | A.7.11, A.7.5 |
| PE-11 | Emergency Power | A.7.11, A.7.5 |
| PE-12 | Emergency Lighting | A.7.11, A.7.5 |
| PE-13 | Fire Protection | A.7.5 |
| PE-14 | Temperature And Humidity Controls | A.7.5, A.7.8 |
| PE-15 | Water Damage Protection | A.7.5 |
| PE-17 | Alternate Work Site | A.6.7 |
| PE-18 | Location Of Information System Components | A.7.8 |
| PE-19 | Information Leakage | A.8.12 |
| PE-23 | Facility Location | A.7.5, A.7.8 |
PL Planning
PM Program Management
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| PM-01 | Information Security Program Plan | 10.1, 4.3, 4.4, 5.1, 5.2, 6.2, 7.4, 7.5, 8.1, 9.3, A.5.1, A.5.31 |
| PM-02 | Information Security Program Leadership Role | 4.4, 5.1, 5.3, A.5.2, A.5.4 |
| PM-03 | Information Security and Privacy Resources | 4.4, 6.2, 7.1 |
| PM-04 | Plan of Action and Milestones Process | 10.2, 6.1.3, 8.3 |
| PM-05 | System Inventory | A.5.9 |
| PM-06 | Measures of Performance | 10.1, 4.4, 6.2, 9.1, 9.3, A.5.35, A.5.36 |
| PM-07 | Enterprise Architecture | 4.3, A.5.8 |
| PM-08 | Critical Infrastructure Plan | 4.1, 4.2 |
| PM-09 | Risk Management Strategy | 6.1, 6.1.3 |
| PM-10 | Authorization Process | 4.3, A.5.2 |
| PM-11 | Mission and Business Process Definition | 4.1, 4.2 |
| PM-13 | Security and Privacy Workforce | 5.1, 7.2, 7.3, A.5.4, A.6.3 |
| PM-14 | Testing, Training, and Monitoring | 9.1 |
| PM-15 | Security and Privacy Groups and Associations | A.5.5, A.5.6 |
| PM-16 | Threat Awareness Program | 7.2, A.5.6, A.5.7 |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | A.5.34 |
| PM-26 | Complaint Management | A.5.34 |
| PM-27 | Privacy Reporting | A.5.34 |
| PM-28 | Risk Framing | 6.1 |
| PM-29 | Risk Management Program Leadership Roles | 5.1, A.5.4 |
| PM-32 | Purposing | 4.1, A.7.14 |
PS Personnel Security
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | 5.3, A.5.1, A.5.2, A.5.4 |
| PS-03 | Personnel Screening | A.6.1 |
| PS-04 | Personnel Termination | A.5.11, A.6.5 |
| PS-05 | Personnel Transfer | A.6.5 |
| PS-06 | Access Agreements | A.6.2, A.6.6 |
| PS-08 | Personnel Sanctions | A.6.4 |
| PS-09 | Position Descriptions | 5.3, A.5.2, A.6.2 |
PT Personally Identifiable Information Processing and Transparency
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| PT-01 | Policy and Procedures | A.5.1, A.5.34 |
| PT-02 | Authority to Process Personally Identifiable Information | A.5.34 |
| PT-03 | Personally Identifiable Information Processing Purposes | A.5.34 |
| PT-04 | Consent | A.5.34 |
| PT-05 | Privacy Notice | A.5.34 |
| PT-06 | System of Records Notice | A.5.34, A.8.11 |
| PT-07 | Specific Categories of Personally Identifiable Information | A.5.34, A.8.11 |
| PT-08 | Computer Matching Requirements | A.5.34 |
RA Risk Assessment
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | 6.1, A.5.1 |
| RA-02 | Security Categorization | 6.1, A.5.12, A.5.13 |
| RA-03 | Risk Assessment | 4.1, 6.1, 6.1.3, 8.2, 8.3, A.5.7 |
| RA-05 | Vulnerability Scanning | 8.2, A.5.7, A.8.8 |
| RA-07 | Risk Response | 10.2, 6.1, 6.1.3, 8.3 |
| RA-09 | Criticality Analysis | 8.2 |
| RA-10 | Threat Hunting | A.5.7 |
SA System and Services Acquisition
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | A.5.1 |
| SA-02 | Allocation Of Resources | 7.1 |
| SA-03 | Life Cycle Support | 7.1, A.5.8, A.8.25 |
| SA-04 | Acquisitions | A.5.19, A.5.20, A.5.31, A.5.8, A.8.26, A.8.29, A.8.30 |
| SA-05 | Information System Documentation | A.5.37 |
| SA-08 | Security Engineering Principles | A.8.25, A.8.26, A.8.27 |
| SA-09 | External Information System Services | A.5.19, A.5.20, A.5.22, A.5.23, A.8.21, A.8.30 |
| SA-10 | Developer Configuration Management | 6.3, A.8.25, A.8.30, A.8.32, A.8.4 |
| SA-11 | Developer Security Testing | A.8.25, A.8.28, A.8.29, A.8.30, A.8.31, A.8.33 |
| SA-15 | Development Process, Standards, and Tools | A.8.25, A.8.28, A.8.33 |
| SA-16 | Developer-Provided Training | A.8.28 |
| SA-17 | Developer Security and Privacy Architecture and Design | A.8.25, A.8.27, A.8.28 |
| SA-22 | Unsupported System Components | A.8.19 |
SC System and Communications Protection
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | A.5.1 |
| SC-05 | Denial Of Service Protection | A.8.6 |
| SC-06 | Resource Priority | A.8.6 |
| SC-07 | Boundary Protection | A.5.14, A.5.23, A.8.12, A.8.20, A.8.21, A.8.22, A.8.23, A.8.27 |
| SC-08 | Transmission Integrity | A.5.14, A.8.20, A.8.21 |
| SC-12 | Cryptographic Key Establishment And Management | A.5.14, A.8.24 |
| SC-13 | Use Of Cryptography | A.8.24 |
| SC-28 | Protection of Information at Rest | A.7.9, A.8.1, A.8.24 |
| SC-32 | System Partitioning | A.8.22, A.8.27, A.8.31 |
SI System and Information Integrity
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | A.5.1 |
| SI-02 | Flaw Remediation | A.8.8 |
| SI-03 | Malicious Code Protection | A.8.23, A.8.7 |
| SI-04 | Information System Monitoring Tools And Techniques | 9.1, A.8.12, A.8.16 |
| SI-05 | Security Alerts And Advisories | A.5.7, A.8.8 |
| SI-08 | Spam Protection | A.8.7 |
| SI-12 | Information Output Handling And Retention | A.5.33, A.8.10 |
| SI-19 | De-identification | A.8.11 |
SR Supply Chain Risk Management
| Control | Name | ISO 27001:2022 References |
|---|---|---|
| SR-01 | Policy and Procedures | 4.2, A.5.1, A.5.19, A.5.21 |
| SR-02 | Supply Chain Risk Management Plan | 4.2, A.5.19, A.5.21 |
| SR-03 | Supply Chain Controls and Processes | 4.2, A.5.19, A.5.20, A.5.21 |
| SR-05 | Acquisition Strategies, Tools, and Methods | A.5.21 |
| SR-06 | Supplier Assessments and Reviews | A.5.21, A.5.22 |
| SR-11 | Component Authenticity | A.5.21 |
| SR-12 | Component Disposal | A.8.10 |