ISO 27001:2022
by Ahana Shah
What is ISO 27001:2022?
International Standard
Establish, implement, maintain, and improve an ISMS.
Primary Objective
Helps organizations to protect their info assets
systematically and cost-effectively.
CIA Triad
A set of policies and procedures that aims to preserve the three characteristics of information assets: confidentiality, integrity and availability.
Broad Applicability
Adaptable for any organization size or industry.
Information Security Management System - what is it?
• A structured framework of policies, processes, and controls → helps an organization manage and protect its
information assets.
• Whole-organization, risk-based approach to information security → addresses people, processes and technology.
Follows the PLAN→DO→CHECK→ACT cycle, i.e.,
1. Plan: define policies, assess risks, create controls.
2. Do: implement controls and train staff.
3. Check: monitor and audit the ISMS.
4. Act: improve based on findings.
10 Clauses outlined in ISO 27001:2022
1. Scope
Defines the boundaries and applicability of the ISMS.
2. Normative References
Identifies the essential standards for compliance.
3. Terms and Definitions
The terminology given in ISO 27000 applies.
4. Context of the Organisation
Understanding the organization's internal and external factors affecting its ability to achieve the intended outcome of the ISMS.
5. Leadership
Commitment of top management to the ISMS; assignment of roles and responsibilities.
6. Planning
Actions to address risks and opportunities, risk assessment and treatment, and creation of the Statement of Applicability by determining which controls from Annex A will be implemented.
7. Support
Resources needed for the process, awareness programmes, timely communication and documentation.
8. Operation
Putting the selected controls into action.
9. Performance Evaluation
Monitor, measure, and analyze the performance and effectiveness of the ISMS.
10. Improvement
Evolution of the ISMS and its continual improvement.
The Annex A Controls
A Control is a measure that modifies or maintains a risk; for example- an info sec policy maintains risk, while complying with that policy
modifies the risk.
Organizational: Policies, roles, and access controls (37 controls).
People: Background checks, training, confidentiality (8 controls).
Physical: Secure areas, entry controls, equipment (14 controls).
Technological: Network, encryption, vulnerability management (34 controls).
Mandatory Documents
ISO 27001:2022 requires creation of certain mandatory documents at each phase of the project -
1. ISMS Scope Statement: Boundaries and applicability of the ISMS.
2. Gap Assessment Report: Highlights gaps and gives recommendations.
3. Risk Assessment Report: Consists of a process for risk management; includes criteria for evaluating risks and a plan for addressing them.
4. Risk Treatment Plan: Mitigation plan based on the likelihood and impact of the risks identified.
5. Statement of Applicability: Lists the controls selected from Annex A and the reasons for selecting or excluding them.
6. Information Security Policy: Management statement → creation of statements to be followed based upon the risks identified, so as to avoid them in the future.
7. Information Security Objectives: Specific and measurable goals for improving information security.
8. Control Implementation Record: Details each control that has been implemented, the responsible parties and the dates of implementation.
9. Internal Audit Report: Summarizes findings, non-conformities and recommendations.
10. Corrective Action Report: Details of the non-conformities and the actions taken.
11. Management Review Meeting Minutes: Review of the ISMS performance → documents the outcomes of the review, decisions made and further actions to be taken.
12. Continual Improvement Plan: Document outlining changes made to the ISMS.
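The Planning clause and documents 3 to 5 above form one chain: score each risk, decide its treatment, and then justify every Annex A control as selected or excluded. The following Python is an added illustration of that chain, not material from the deck or from ISO; the Annex A subset, the sample risks, the 5x5 rating bands and the "accept low, mitigate the rest" rule are all constructed assumptions that a real organization replaces with its own criteria.

```python
"""Added example (not from the original deck): a minimal risk register that
carries the Planning clause through risk assessment -> risk treatment ->
Statement of Applicability. The Annex A subset, sample risks, rating bands
and treatment rule below are constructed assumptions, not ISO requirements."""
from dataclasses import dataclass, field

# Constructed subset of Annex A controls (identifier -> short title).
ANNEX_A = {
    "A.5.15": "Access control",
    "A.8.5": "Secure authentication",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
    "A.7.4": "Physical security monitoring",
}


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # Annex A ids that would treat it

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rate(score: int) -> str:
    """Assumed rating bands for a 5x5 matrix (organization-defined criteria)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def treatment(risk: Risk) -> str:
    """Assumed treatment rule: low risks are accepted, all others are mitigated
    through their mapped controls (transfer/avoid decisions are left to management)."""
    return "accept" if rate(risk.score) == "low" else "mitigate"


def risk_assessment_report(risks):
    """Rows for the Risk Assessment Report: score, rating and chosen treatment,
    highest-scoring risk first."""
    return [
        {"risk": r.name, "score": r.score, "rating": rate(r.score),
         "treatment": treatment(r)}
        for r in sorted(risks, key=lambda x: x.score, reverse=True)
    ]


def statement_of_applicability(risks, catalogue=ANNEX_A):
    """Every catalogue control appears exactly once: applicable, with the risks
    that justify it, or excluded, with the reason that no treated risk needs it."""
    needed = {}
    for r in risks:
        if treatment(r) == "mitigate":
            for cid in r.controls:
                needed.setdefault(cid, []).append(r.name)
    soa = {}
    for cid, title in catalogue.items():
        if cid in needed:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "treats: " + ", ".join(needed[cid])}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": "no in-scope risk requires this control"}
    return soa


# Constructed sample register for a hosted application.
SAMPLE_RISKS = [
    Risk("Credential stuffing against customer logins", 4, 4, ["A.8.5", "A.5.15"]),
    Risk("Loss of customer data from storage failure", 2, 5, ["A.8.13"]),
    Risk("Eavesdropping on data in transit", 3, 4, ["A.8.24"]),
    Risk("Tailgating into the office kitchen", 2, 1, ["A.7.4"]),
]

if __name__ == "__main__":
    for row in risk_assessment_report(SAMPLE_RISKS):
        print(row)
    for cid, entry in statement_of_applicability(SAMPLE_RISKS).items():
        print(cid, entry)
```

The point an auditor looks for is the last function: a control is never silently absent from the Statement of Applicability; it is either tied to the risks it treats or carries an explicit exclusion reason.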
Importance of the ISO 27001:2022
Stronger Security: Reduce breaches and enhance data protection.
Competitive Edge: Build trust and attract more customers.
Ensured Compliance: Meet legal and contractual obligations.
Enhanced Trust: Gain confidence from stakeholders.
Use Case 1: SaaS Provider
A Software-as-a-Service (SaaS) provider typically handles customer data, cloud infrastructure, application
hosting, and third-party integrations, making data security and availability critical.
Area and application of ISO 27001:2022:
Risk Assessment: Identify risks such as unauthorized access, data leakage, and DDoS attacks on hosted applications.
Access Control (A.5 & A.8): Use Role-Based Access Control (RBAC), implement MFA, and manage user access.
Supplier Relationships (A.5.22): Vet third-party APIs (e.g., Stripe, AWS) through a Service Level Agreement and security assessments.
Encryption (A.8.24 - A.8.25): Encrypt customer data in transit (TLS 1.3) and at rest (AES-256).
Incident Management (A.5.25): Maintain an incident response plan to handle data breaches or system compromises.
Business Continuity (A.5.30): Implement a disaster recovery plan so the business can resume operations soon after a disaster.
Audit Logging and Monitoring (A.8.16 - A.8.23): Use tools like Wazuh to detect anomalies and log suspicious activity.
Cloud Security (A.8.27): Apply Cloud Security Posture Management (CSPM) tools to monitor for cloud misconfigurations.
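The "Audit Logging and Monitoring" row says a tool such as Wazuh should detect anomalies in logged activity. As an added example that is not part of the deck and is not Wazuh's rule syntax, the Python below runs one such detection over constructed login events: a source that fails authentication repeatedly inside a short window, and a success from that same source afterwards, which is the event an incident-management process (A.5.25) would want ticketed. The log format, the five-failures-in-five-minutes threshold and the sample IPs are assumptions.

```python
"""Added example (not from the original deck): a small detection routine of
the kind a SIEM rule would express, run over constructed application login
events. Log format, thresholds and the sample lines are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, event, user, source IP (documentation ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T10:00:04Z LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T10:00:09Z LOGIN_FAIL user=bob src=203.0.113.7
2024-05-01T10:00:12Z LOGIN_FAIL user=carol src=203.0.113.7
2024-05-01T10:00:15Z LOGIN_FAIL user=dave src=203.0.113.7
2024-05-01T10:00:20Z LOGIN_OK user=dave src=203.0.113.7
2024-05-01T10:30:00Z LOGIN_FAIL user=erin src=198.51.100.5
2024-05-01T11:00:00Z LOGIN_OK user=erin src=198.51.100.5
"""


def parse(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, event, user, src = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Return alerts in log order.

    brute_force: a source reaches `threshold` failures within `window`
    (one alert per source; users may differ, which also catches spraying).
    success_after_brute_force: a later successful login from a flagged source,
    a candidate account compromise for the incident response plan."""
    alerts = []
    fails = defaultdict(list)  # src -> failure timestamps still inside the window
    flagged = set()
    for line in log_text.splitlines():
        e = parse(line)
        src = e["src"]
        if e["event"] == "LOGIN_FAIL":
            fails[src] = [t for t in fails[src] if e["ts"] - t <= window] + [e["ts"]]
            if len(fails[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "brute_force", "src": src,
                               "at": e["ts"], "failures": len(fails[src])})
        elif e["event"] == "LOGIN_OK" and src in flagged:
            alerts.append({"rule": "success_after_brute_force", "src": src,
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The sliding window is what keeps the rule from firing on a user who simply mistypes a password a few times a day; the "success after" rule is the one worth routing straight to the incident process rather than a daily report.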
Use Case 2: E-learning Provider
An e-learning platform handles user registration, payment information, course content (IP), and
personal progress data — all of which are sensitive and regulated.
Area and application of ISO 27001:2022:
Information Classification (A.5.12): Classify data into personal data (student info), confidential (course IP) and public (marketing material).
Access Management (A.8.2): Ensure only authorized users (e.g., students, instructors, admins) have appropriate platform access.
Content Integrity (A.8.31): Apply hashing or digital watermarking to avoid IP theft or unauthorized sharing of course videos.
User Awareness (A.6.3): Train employees and vendors on handling learner data securely and reporting phishing attempts.
Backup and Restore (A.8.13): Regularly back up course data and learner progress logs; test recovery procedures monthly.
Website/Application Security (A.8.28): Use the OWASP Top 10 as a baseline for web platform security.
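The "Content Integrity" and "Backup and Restore" rows share one mechanism: a hash manifest of the course assets lets the platform prove they are unchanged, and the same manifest turns the monthly recovery test into a pass/fail check rather than "the files came back". The Python below is an added example, not part of the deck or of any e-learning product; the directory layout, file contents and the tampered-backup scenario are constructed, and watermarking is left out because it is format-specific.

```python
"""Added example (not from the original deck): a SHA-256 manifest for course
assets and learner-progress exports, plus a restore test that verifies a
backup against that manifest before it is trusted. Paths, file contents and
the tamper scenario are constructed for illustration."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large course videos do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> digest for every file under root (sorted for stable output)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict) -> dict:
    """Classify each manifest entry as ok / modified / missing and list extras."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def restore_test(backup: Path, manifest: dict) -> bool:
    """Recovery drill: restore the backup into a scratch directory and accept
    it only if every file matches the manifest and nothing extra appeared."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restored"
        shutil.copytree(backup, target)
        r = verify(target, manifest)
        return not (r["modified"] or r["missing"] or r["unexpected"])


def demo() -> dict:
    """Constructed scenario: an intact backup passes, a tampered copy fails."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "course"
        (live / "videos").mkdir(parents=True)
        (live / "videos" / "lesson1.mp4").write_bytes(b"fake video bytes")
        (live / "progress.csv").write_text("student,lesson,score\nalice,1,90\n")

        # Persist the manifest as the platform would, then reload it for checks.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(live), indent=2))
        manifest = json.loads(manifest_path.read_text())

        good = Path(tmp) / "backup_good"
        shutil.copytree(live, good)
        bad = Path(tmp) / "backup_bad"
        shutil.copytree(live, bad)
        # Simulated tampering: a grade edited inside the backup copy.
        (bad / "progress.csv").write_text("student,lesson,score\nalice,1,100\n")

        return {
            "entries": len(manifest),
            "good_passes": restore_test(good, manifest),
            "tampered_passes": restore_test(bad, manifest),
            "tampered_files": verify(bad, manifest)["modified"],
        }


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the backup job cannot overwrite it; a manifest stored inside the backup set verifies only that the backup is self-consistent, not that it matches what was in production.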
Thank You.