Tier 2 — Industry Standard

ISO/IEC 27001 — Information Security Management System (ISMS) — Oracle Source

Publisher: International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)

Version: v1

Last verified: February 15, 2026

Frameworks: ISO 27001, ISO 27002

Industries: Applies to all industries

ISO 27001 - Overview

ISO/IEC 27001 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) [cite:207][cite:213]. Originally published in 2005 and revised in 2013 and 2022, the current edition — ISO/IEC 27001:2022 — was published on 25 October 2022 and represents the definitive global benchmark for information security governance [cite:232][cite:237]. The standard is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and is applicable to organisations of any size, type, or industry [cite:207]. ISO 27001 is certifiable: organisations can undergo independent third-party audits to demonstrate conformity, and certification is increasingly a contractual, regulatory, or market-access prerequisite across industries including technology, financial services, healthcare, government, and critical infrastructure [cite:212][cite:218]. The standard operates on a risk-based model — organisations select and implement controls based on their own risk assessments, not from a fixed checklist — and mandates a Plan-Do-Check-Act (PDCA) cycle of continual improvement [cite:237][cite:213].

ISO 27001 - What It Is

ISO/IEC 27001:2022 (full title: Information security, cybersecurity and privacy protection — Information security management systems — Requirements) defines the requirements for an ISMS within the context of the organisation's overall business risks [cite:210][cite:237]. It is structured in two parts:

Clauses 4–10 (Management System Requirements): Seven mandatory clauses that define what the ISMS must do — context, leadership, planning, support, operation, performance evaluation, and improvement [cite:213][cite:210]. These clauses follow the Harmonised Structure (HS) common to all ISO management system standards, enabling integration with ISO 9001 (quality), ISO 14001 (environment), ISO 22301 (business continuity), and ISO 42001 (AI management) [cite:237][cite:230].

Annex A (Reference Control Set): 93 information security controls organised into four themes — Organisational (37), People (8), Physical (14), and Technological (34) [cite:211][cite:237]. The 2022 revision restructured the previous 114 controls in 14 domains down to 93 controls in four themes, introduced 11 new controls, and merged 24 existing ones [cite:232][cite:237]. Annex A is a reference list, not a mandatory checklist: organisations select applicable controls via risk assessment and document the justification for each inclusion and exclusion in a Statement of Applicability (SoA) [cite:237][cite:210].

The companion standard ISO/IEC 27002:2022 provides implementation guidance for each Annex A control, including purpose statements and attribute taxonomies (control type, cybersecurity concept, operational capability, security domain) [cite:232][cite:214].

Amendment 1:2024 (Climate Action): Published February 2024, this amendment adds requirements to consider whether climate change is a relevant issue (Clause 4.1) and whether interested parties have climate-related requirements (Clause 4.2) [cite:235][cite:240][cite:243].

ISO 27001 - Who It Applies To

ISO 27001 is voluntary — no law mandates certification — but it is effectively required in many contexts through contractual, regulatory, and market mechanisms [cite:212][cite:237].

Organisations That Typically Certify

  • Technology and SaaS providers — Customers (especially enterprise and government) routinely require ISO 27001 as a condition of procurement or continued business [cite:212]
  • Financial services — Banks, insurers, and payment processors use ISO 27001 to satisfy regulatory expectations (e.g., EBA ICT guidelines, MAS TRM, PRA SS1/21) and to complement SOC 2 and PCI DSS [cite:229][cite:234]
  • Healthcare — ISO 27001 maps to HIPAA Security Rule requirements and is often pursued alongside HITRUST certification [cite:231]
  • Government contractors — Many national governments and defence agencies require or strongly prefer ISO 27001-certified suppliers [cite:202]
  • Critical infrastructure operators — The EU NIS 2 Directive references ISO 27001 as a recognised framework for demonstrating cybersecurity risk management [cite:175][cite:237]
  • AI companies — ISO 27001 provides the governance backbone for AI data protection, model security, and compliance with the EU AI Act and GDPR [cite:236][cite:233]

Applicability Scope

Within a certifying organisation, the ISMS scope can cover the entire entity or a defined subset — specific business units, locations, systems, or services [cite:222][cite:213]. The scope must be documented, justified by context analysis (Clause 4.1–4.2), and available to interested parties [cite:222][cite:210].

Roles Subject to the Standard

ISO 27001 places obligations on top management (leadership, commitment, resource allocation, policy), risk owners, the information security function, internal auditors, and all personnel within the ISMS scope [cite:213][cite:215].

ISO 27001 - What It Requires - Management System (Clauses 4–10)

Clauses 4–10 are the mandatory requirements that every ISMS must satisfy to achieve certification [cite:213][cite:210].

Clause 4: Context of the Organisation

  • 4.1 Determine external and internal issues relevant to the ISMS purpose and strategic direction; determine whether climate change is a relevant issue (Amendment 1:2024) [cite:222][cite:235]
  • 4.2 Identify interested parties (customers, regulators, partners, employees) and their requirements, including climate-related requirements [cite:210][cite:235]
  • 4.3 Define and document the ISMS scope — boundaries, applicability, and interfaces [cite:222][cite:210]
  • 4.4 Establish, implement, maintain, and continually improve the ISMS [cite:213]

Clause 5: Leadership

  • 5.1 Top management must demonstrate leadership and commitment — integrating ISMS requirements into business processes, ensuring resources, communicating importance, directing and supporting contributors [cite:213][cite:215]
  • 5.2 Establish an information security policy appropriate to the organisation's purpose, providing a framework for setting objectives [cite:213]
  • 5.3 Assign and communicate roles, responsibilities, and authorities for the ISMS [cite:213]

Clause 6: Planning

  • 6.1 Address risks and opportunities: conduct an information security risk assessment process (identify, analyse, evaluate risks) and determine a risk treatment process [cite:210][cite:215]
  • 6.1.3 Produce a Statement of Applicability (SoA) — determining which Annex A controls are necessary and justifying inclusions and exclusions [cite:237][cite:210]
  • 6.2 Set measurable information security objectives consistent with the policy [cite:213]
  • 6.3 (New in 2022) Plan changes to the ISMS in a structured manner, considering purpose, consequences, impact on ISMS integrity, and resource availability [cite:237]

Clause 7: Support

  • Resources, competence, awareness, communication, and documented information [cite:213]
  • All documented information required by the standard must be controlled (creation, updating, availability, storage, retention, disposition) [cite:210]

Clause 8: Operation

  • Plan, implement, and control processes to meet ISMS requirements [cite:213]
  • Perform information security risk assessments at planned intervals or when significant changes occur [cite:210]
  • Implement the risk treatment plan and retain documented results [cite:210]

Clause 9: Performance Evaluation

  • 9.1 Monitor, measure, analyse, and evaluate ISMS effectiveness [cite:216]
  • 9.2 Conduct internal audits at planned intervals to verify conformity and effectiveness [cite:212][cite:216]
  • 9.3 Management reviews at planned intervals — inputs include audit results, interested party feedback, risk assessment results, and improvement opportunities [cite:213]

Clause 10: Improvement

  • 10.1 Continual improvement of the ISMS suitability, adequacy, and effectiveness [cite:219]
  • 10.2 React to nonconformities, take corrective actions, evaluate effectiveness of corrections, and make changes to the ISMS if necessary [cite:213][cite:219]

Required Documented Information

ISO 27001:2022 explicitly requires documented information for: ISMS scope, information security policy, risk assessment process and results, risk treatment process and results, Statement of Applicability, information security objectives, evidence of competence, operational planning results, monitoring and measurement results, internal audit programme and results, and management review results [cite:210].

ISO 27001 - What It Requires - Organisational Controls (Annex A.5)

37 controls governing policies, procedures, roles, and governance at the organisational level [cite:211][cite:220].

Key Controls

  • A.5.1 Policies for information security — Define, approve, publish, communicate, and review a set of information security policies [cite:211]
  • A.5.2 Information security roles and responsibilities — Define and allocate all information security responsibilities [cite:211]
  • A.5.3 Segregation of duties — Conflicting duties and areas of responsibility must be segregated to reduce unauthorised or unintentional modification/misuse [cite:211]
  • A.5.7 Threat intelligence — (New in 2022) Collect and analyse information about threats to produce threat intelligence [cite:237]
  • A.5.8 Information security in project management — Integrate information security into all projects [cite:211]
  • A.5.9 Inventory of information and other associated assets — Identify, document, and maintain an inventory of information assets and assign owners [cite:211]
  • A.5.10 Acceptable use of information and other associated assets — Rules for acceptable use must be identified, documented, and implemented [cite:211]
  • A.5.12 Classification of information — Classify information according to confidentiality, integrity, and availability needs [cite:211]
  • A.5.19 Information security in supplier relationships — Establish requirements for managing information security risks associated with third-party suppliers [cite:237]
  • A.5.23 Information security for use of cloud services — (New in 2022) Establish processes for acquisition, use, management, and exit from cloud services [cite:237]
  • A.5.24 Information security incident management planning and preparation — Plan and prepare for incident response [cite:211]
  • A.5.29 Information security during disruption — Maintain information security during disruptions to business processes [cite:211]
  • A.5.30 ICT readiness for business continuity — Plan, implement, maintain, and test ICT readiness to ensure business continuity objectives are met [cite:211]
  • A.5.36 Compliance with policies, rules and standards — Regularly review compliance with the organisation's information security policies [cite:211]

ISO 27001 - What It Requires - People Controls (Annex A.6)

8 controls addressing the human element of information security [cite:211][cite:214].

  • A.6.1 Screening — Background verification checks on all candidates before employment [cite:223]
  • A.6.2 Terms and conditions of employment — Employment contracts must state employees' and the organisation's information security responsibilities [cite:223]
  • A.6.3 Information security awareness, education and training — All personnel must receive appropriate awareness and training, with regular updates [cite:211]
  • A.6.4 Disciplinary process — A formal disciplinary process for personnel who commit information security breaches [cite:223]
  • A.6.5 Responsibilities after termination or change of employment — Define and enforce information security responsibilities that remain valid after employment change or termination [cite:223]
  • A.6.6 Confidentiality or non-disclosure agreements — Identify, document, and regularly review confidentiality requirements [cite:211]
  • A.6.7 Remote working — (Updated in 2022) Implement controls when personnel work remotely to protect information [cite:223]
  • A.6.8 Information security event reporting — Personnel must report observed or suspected information security events through appropriate channels [cite:211]

ISO 27001 - What It Requires - Physical Controls (Annex A.7)

14 controls protecting physical environments, assets, and infrastructure [cite:220][cite:217].

  • A.7.1 Physical security perimeters — Define and establish security perimeters to protect areas containing sensitive information [cite:220]
  • A.7.2 Physical entry controls — Secure areas must be protected by appropriate entry controls [cite:220]
  • A.7.3 Securing offices, rooms and facilities — Design and apply physical security for offices, rooms, and facilities [cite:220]
  • A.7.4 Physical security monitoring — (New in 2022) Continuously monitor premises for unauthorised physical access [cite:237][cite:220]
  • A.7.5 Protecting against physical and environmental threats — Design and implement protection against natural disasters, malicious attacks, and accidents [cite:220]
  • A.7.7 Clear desk and clear screen — Define and enforce clear desk/clear screen policies [cite:220]
  • A.7.9 Security of assets off-premises — Protect off-site assets including mobile devices and transported media [cite:220]
  • A.7.10 Storage media — Manage storage media through their lifecycle, including classification, handling, and secure disposal [cite:220]
  • A.7.14 Secure disposal or re-use of equipment — Verify that all storage media have been sanitised before disposal or re-use [cite:220]

ISO 27001 - What It Requires - Technological Controls (Annex A.8)

34 controls addressing technical measures for information security [cite:211][cite:237].

Key Controls

  • A.8.1 User endpoint devices — Protect information stored on, processed by, or accessible via user endpoint devices [cite:211]
  • A.8.2 Privileged access rights — Restrict and manage the allocation and use of privileged access rights [cite:211]
  • A.8.3 Information access restriction — Restrict access to information and system functions in accordance with access control policy [cite:211]
  • A.8.5 Secure authentication — Implement secure authentication technologies and procedures [cite:211]
  • A.8.7 Protection against malware — Implement and maintain protection against malware, combined with user awareness [cite:211]
  • A.8.8 Management of technical vulnerabilities — Obtain information about technical vulnerabilities, evaluate exposure, and take appropriate measures [cite:211]
  • A.8.9 Configuration management — (New in 2022) Establish, document, implement, monitor, and review configurations of hardware, software, services, and networks [cite:237]
  • A.8.11 Data masking — (New in 2022) Use data masking in accordance with the organisation's access control policy and business requirements, considering applicable legislation [cite:237]
  • A.8.12 Data leakage prevention — (New in 2022) Apply data leakage prevention measures to systems, networks, and endpoint devices processing, storing, or transmitting sensitive information [cite:237]
  • A.8.15 Logging — Produce, store, protect, and analyse logs that record activities, exceptions, faults, and other security-relevant events [cite:211]
  • A.8.16 Monitoring activities — (New in 2022) Monitor networks, systems, and applications for anomalous behaviour and take appropriate response actions [cite:237]
  • A.8.22 Segregation of networks — Segment networks into groups of information services, users, and information systems [cite:211]
  • A.8.23 Web filtering — (New in 2022) Manage access to external websites to reduce exposure to malicious content [cite:237]
  • A.8.24 Encryption — Define and implement rules for the effective use of cryptography, including key management [cite:211]
  • A.8.25 Secure development life cycle — Establish and apply rules for the secure development of software and systems [cite:211]
  • A.8.28 Secure coding — (New in 2022) Apply secure coding principles in software development [cite:237]

ISO 27001 - Governance Implications

ISO 27001 creates a governance architecture that extends well beyond IT security into enterprise risk management, executive accountability, supply chain oversight, and — increasingly — AI and emerging technology governance [cite:233][cite:236].

Enterprise Governance

  • Top management accountability: Clause 5.1 makes leadership commitment a certifiable requirement — not a recommendation. Management must set policy, allocate resources, conduct reviews, and drive continual improvement [cite:213][cite:215].
  • Risk-based decision-making: The entire ISMS is built on risk assessment and treatment (Clause 6.1). This forces governance bodies to articulate risk appetite, approve treatment plans, and accept residual risk — creating an auditable decision trail [cite:210][cite:215].
  • Integration with business processes: The Harmonised Structure ensures ISO 27001 can be integrated into broader management systems (quality, environment, business continuity, AI), avoiding governance silos [cite:237][cite:230].

AI and Emerging Technology Governance

ISO 27001 does not contain AI-specific requirements but provides the governance foundation for responsible AI deployment [cite:233][cite:236]:

  • Data governance: A.5.9 (asset inventory), A.5.10 (acceptable use), A.5.12 (classification), and A.8.11 (data masking) govern datasets used for AI training and inference [cite:233]
  • Access control and change management: A.8.2 (privileged access), A.8.3 (access restriction), and A.8.9 (configuration management) apply to AI model repositories, training pipelines, and production deployments [cite:233]
  • Incident response: A.5.24 (incident management) and A.6.8 (event reporting) cover AI-specific incidents such as model failures, adversarial attacks, or bias events [cite:233]
  • Supplier governance: A.5.19–5.22 (supplier relationships) and A.5.23 (cloud services) require security assessments of third-party AI vendors and cloud platforms hosting AI workloads [cite:236][cite:237]
  • Alignment with ISO 42001: ISO/IEC 42001:2023 (AI Management System) is designed to integrate with ISO 27001 via the Harmonised Structure, enabling organisations to extend their ISMS to cover AI-specific risks without duplicating governance infrastructure [cite:230][cite:236]

Ontic BOM Mapping

  • model — AI/ML models are information assets under A.5.9 (inventory) and A.5.12 (classification). Model development, testing, deployment, and monitoring must be governed under change management (A.8.9, A.8.32) and secure development (A.8.25). Risk assessments (Clause 6.1) must evaluate model-specific threats including drift, bias, and adversarial manipulation [cite:233][cite:236].
  • oracle — Authoritative data sources (training data, reference data, regulatory databases) are covered by data governance controls: A.5.10 (acceptable use), A.8.11 (data masking), A.8.12 (data leakage prevention), and Clause 6.1 risk assessment for data integrity and availability [cite:211][cite:233].
  • ontology — Classification schemes (A.5.12, A.5.13) and asset inventories (A.5.9) constitute the ISMS's internal ontology. Consistency of classification taxonomies across systems is essential for effective access control, risk assessment, and incident handling [cite:211].
  • system_prompt — For AI systems using prompt-based architectures, prompt configurations that influence security-relevant behaviour fall under A.8.9 (configuration management) and A.8.25 (secure development lifecycle). Prompt injection risks map to vulnerability management (A.8.8) and malware protection (A.8.7) [cite:233][cite:236].
  • gate — Certification itself is a market-access gate. Internally, access controls (A.8.2, A.8.3, A.8.5), change management (A.8.9, A.8.32), and management review (Clause 9.3) act as governance gates for system changes, access grants, and risk acceptance decisions [cite:213][cite:237].
  • security — ISO 27001 is fundamentally a security governance standard. Technological controls (A.8), physical controls (A.7), and the risk management process (Clause 6.1) directly map to the security component: encryption (A.8.24), vulnerability management (A.8.8), monitoring (A.8.16), logging (A.8.15), and incident response (A.5.24–A.5.28) [cite:211][cite:220].
  • signed_client — Authentication (A.8.5), user identity management (A.5.16), and non-repudiation controls support traceability of actions to specific persons and entities. Logging (A.8.15) provides the audit trail [cite:211].

E/A/D Axis Integration

Each axis is listed with the ISO 27001 clauses and controls that support it, the hallmarks it exhibits, and the evidence an auditor would expect to see.

  • Ethical (E) — Clauses / controls: A.5.3 (segregation of duties), A.6.1 (screening), A.5.10 (acceptable use), A.5.31 (legal/regulatory requirements), A.6.6 (confidentiality agreements). Hallmarks: integrity and ethical behaviour embedded in people controls; privacy and acceptable use policies govern data handling; screening reduces insider threat. Evidence: screening records, acceptable use attestations, confidentiality agreements, privacy impact documentation [cite:211][cite:233]
  • Accountable (A) — Clauses / controls: Clause 5.1 (leadership commitment), Clause 6.1 (risk assessment), Clause 9 (performance evaluation), A.5.1 (policies), A.5.9 (asset inventory), Clause 9.3 (management review). Hallmarks: top management accountability is certifiable; risk-based decision-making with documented risk treatment; asset inventory enables traceable ownership. Evidence: management review minutes, risk treatment plans, SoA, asset registers, policy registers, audit programme records [cite:213][cite:215]
  • Defensible (D) — Clauses / controls: Clause 9.2 (internal audit), Clause 10 (improvement), certification audit (external), A.8.15 (logging), A.5.24–5.28 (incident management). Hallmarks: third-party certification creates independent defensibility evidence; the internal audit programme tests controls continuously; incident response creates a response trail. Evidence: certification certificates, internal audit reports, nonconformity registers, corrective action records, incident response logs, continual improvement records [cite:220][cite:237]

ISO 27001 - Enforcement Penalties

ISO 27001 is a voluntary standard — there are no statutory penalties for non-certification. However, the consequences of non-compliance and certification failure are significant and operate through market, contractual, and regulatory mechanisms [cite:221][cite:212].

Certification Consequences

Audit outcomes and their consequences:

  • Minor nonconformity — Auditor documents the finding; the organisation must submit a corrective action plan. Does not prevent certification but must be resolved by the next surveillance audit [cite:218][cite:221]
  • Major nonconformity — Prevents initial certification or can trigger suspension of an existing certification. Requires root cause analysis and remediation within a defined timeframe (typically 90 days) [cite:221][cite:218]
  • Certification suspension — Occurs upon unresolved major nonconformities; the certificate is temporarily invalid. Continued non-resolution leads to withdrawal [cite:212]
  • Certification withdrawal — Permanent loss of certification, requiring a full re-audit as a new client [cite:232][cite:221]

Indirect Enforcement Mechanisms

  • Contractual requirements: Loss of certification can trigger breach-of-contract claims, termination of supplier agreements, and disqualification from procurement processes [cite:212][cite:221].
  • Regulatory linkage: Frameworks such as NIS 2 (EU), DORA (EU financial sector), and national cybersecurity regulations reference ISO 27001 as a means of demonstrating compliance. Loss of certification may trigger regulatory scrutiny or be treated as evidence of inadequate security management [cite:175][cite:237].
  • Customer and market trust: Failure to obtain or maintain certification in sectors where it is expected creates competitive disadvantage, weakened customer confidence, and potential loss of business [cite:212].
  • Insurance implications: Cyber insurance underwriters increasingly consider ISO 27001 certification status in risk assessment and policy terms [cite:237].
  • Data breach liability: While ISO 27001 non-compliance itself is not penalised, the absence of controls it mandates (e.g., encryption, access control, incident response) can be cited as evidence of negligence in data breach litigation or regulatory enforcement under GDPR, HIPAA, or equivalent laws [cite:212][cite:242].

Notable Enforcement Examples (Indirect)

ISO 27001 certification status has featured in regulatory enforcement contexts: GDPR enforcement actions have cited lack of "appropriate technical and organisational measures" (GDPR Article 32), where ISO 27001 controls represent the benchmark for such measures. Organisations with ISO 27001 certification have successfully demonstrated compliance as a mitigating factor in regulatory proceedings [cite:242].

ISO 27001 - Intersection With Other Frameworks

ISO 27001 is designed for integration and maps extensively to other security, privacy, and governance frameworks [cite:234][cite:231].

NIST Cybersecurity Framework (CSF) 2.0

NIST CSF's six core functions (Govern, Identify, Protect, Detect, Respond, Recover) map directly to ISO 27001 clauses and Annex A controls. NIST publishes a formal informative reference crosswalk between CSF 2.0 and ISO 27001:2022 [cite:231][cite:229]. The key structural difference: NIST CSF is a risk management framework (no certification), while ISO 27001 is a certifiable management system standard [cite:231][cite:237].

SOC 2

SOC 2 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) overlap significantly with ISO 27001 Annex A controls [cite:234]. Key differences: SOC 2 produces an attestation report from a CPA firm (not a certification); it is U.S.-centric and market-driven. Organisations pursuing both can share evidence and audit artefacts across the two engagements [cite:234].

GDPR (EU General Data Protection Regulation)

GDPR Article 32 requires "appropriate technical and organisational measures" for data security — ISO 27001 is the most widely recognised framework for demonstrating this [cite:242][cite:237]. ISO 27001 does not cover all GDPR requirements (e.g., data subject rights, DPO appointment, DPIA), but ISO 27701 (Privacy Information Management System) extends ISO 27001 specifically for GDPR and privacy compliance [cite:242].

NIS 2 Directive (EU)

NIS 2 requires essential and important entities to implement cybersecurity risk management measures. ISO 27001 is explicitly referenced as a recognised standard for demonstrating compliance with NIS 2 Article 21 requirements [cite:175][cite:237].

ISO 42001 (AI Management System)

ISO/IEC 42001:2023 follows the same Harmonised Structure as ISO 27001, enabling integrated implementation. Organisations can extend their ISO 27001 ISMS to cover AI-specific risks (bias, transparency, safety, accountability) through ISO 42001 without rebuilding governance infrastructure [cite:230][cite:236].

HITRUST CSF

HITRUST incorporates ISO 27001 control requirements alongside HIPAA, NIST, PCI DSS, and others. ISO 27001 certification can accelerate HITRUST certification by providing overlapping evidence [cite:231][cite:234].

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) has significant control overlap with ISO 27001 Annex A, particularly in access control, encryption, logging, and vulnerability management. Organisations subject to both can rationalise controls and evidence across frameworks [cite:234].

Summary of framework types and their relationship to ISO 27001:

  • NIST CSF 2.0 — Risk framework (voluntary). Formal crosswalk published by NIST; complementary risk approach [cite:231]
  • SOC 2 — Attestation (voluntary, market-driven). Significant control overlap; shared evidence base [cite:234]
  • GDPR — Regulation (mandatory, EU). ISO 27001 demonstrates Article 32 measures; extend via ISO 27701 for privacy [cite:242]
  • NIS 2 — Directive (mandatory, EU). ISO 27001 recognised for Article 21 compliance [cite:175]
  • ISO 42001 — Standard (voluntary). Harmonised Structure; extends the ISMS to AI governance [cite:230]
  • HITRUST CSF — Certification framework (voluntary). Incorporates ISO 27001 requirements [cite:234]
  • PCI DSS — Standard (mandatory for card data). Overlapping controls in access, encryption, logging [cite:234]
  • HIPAA — Regulation (mandatory, US healthcare). ISO 27001 maps to Security Rule safeguards [cite:231]
  • DORA — Regulation (mandatory, EU financial). ISO 27001 supports ICT risk management compliance [cite:175]

ISO 27001 - Recent Updates

ISO/IEC 27001:2022 Revision (Published October 2022)

The 2022 edition is the current version and introduced the following material changes [cite:232][cite:237]:

  • Annex A restructured: From 114 controls in 14 domains (2013) to 93 controls in 4 themes: Organisational (37), People (8), Physical (14), Technological (34) [cite:232][cite:211]
  • 11 new controls: Threat intelligence (A.5.7), information security for cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), secure coding (A.8.28) [cite:237]
  • Clause 6.3 added: Explicit requirement to plan changes to the ISMS in a structured manner [cite:237]
  • Clause 4.2 updated: Requirement to determine which interested-party requirements will be addressed through the ISMS [cite:237]

Mandatory Transition Deadline: 31 October 2025

The International Accreditation Forum (IAF) mandated that all ISO/IEC 27001:2013 certifications expire or be withdrawn by 31 October 2025 [cite:232][cite:237]. Organisations that did not complete transition by that date must undergo a full initial certification audit against the 2022 edition as a new client [cite:232]. As of February 2026, all valid ISO 27001 certifications are issued against the 2022 edition [cite:237].

Amendment 1:2024 (Climate Action)

Published February 2024, ISO/IEC 27001:2022/Amd 1:2024 introduces environmental considerations into the ISMS [cite:235][cite:240][cite:243]:

  • Clause 4.1 — Organisations must determine whether climate change is a relevant issue to their ISMS context
  • Clause 4.2 — Note added that interested parties can have requirements related to climate change

The amendment acknowledges that extreme weather events (floods, fires, storms, prolonged heat) can directly affect the confidentiality, integrity, and availability of information — and therefore fall within the scope of ISMS risk assessment [cite:235][cite:237]. Organisations must document their determination even if they conclude climate change is not relevant to their context [cite:237].

No New Edition Planned for 2026

As of early 2026, there is no new edition of ISO 27001 planned [cite:237]. The 2022 revision, together with the 2024 climate action amendment, defines the current requirements. ISO's typical revision cycle suggests a review no earlier than 2027.