ISO/IEC 27001:2022 - Security Controls
Categories
1. Organizational Controls (37 Controls)
Focus: Governance, risk management, and organizational processes for managing security.
Key Areas:
- Risk management: Identifying and assessing risks to information security.
- Information security policies: Establishing and maintaining clear policies to guide security efforts.
- Supplier and third-party security: Ensuring external vendors meet security requirements.
- Incident management: Creating processes to handle information security incidents.
- Business continuity: Ensuring the continuity of critical information processes in case of disruption.
Departments Concerned:
- Risk & Compliance – Overseeing risk assessments and ensuring adherence to policies.
- Legal & Governance – Managing contracts and legal requirements for security.
- Internal Audit – Auditing and ensuring the effectiveness of controls.
- Human Resources (HR) – Employee responsibilities, training, and security awareness.
2. People Controls (8 Controls)
Focus: Protecting the organization from human error and insider threats, and ensuring employees understand their security roles.
Key Areas:
- Employee screening: Conducting background checks before hiring to minimize the risk of insider threats.
- Confidentiality agreements: Ensuring employees understand the importance of information protection.
- Security awareness training: Educating staff about security risks and how to mitigate them.
- Disciplinary processes: Defining consequences for breaches of security policies.
Departments Concerned:
- Human Resources (HR) – Conducting background checks and security training for staff.
- Compliance & Legal – Ensuring proper documentation and confidentiality agreements are in place.
- Operations & Customer Service – Ensuring security procedures are followed on the ground.
3. Physical Controls (14 Controls)
Focus: Securing physical access to information, devices, and systems to prevent unauthorized physical access and environmental threats.
Key Areas:
- Physical entry controls: Controlling who can access secure areas like data centers.
- Visitor management: Ensuring visitors are monitored and their access is controlled.
- Workplace security: Protecting offices, workstations, and other areas where sensitive information is processed.
- Device security: Ensuring that equipment is protected from theft or damage.
- Secure disposal of media: Safely disposing of physical storage media to prevent data leakage.
Departments Concerned:
- Facilities Management & Security – Overseeing physical security measures such as access control systems.
- IT Operations – Securing physical devices and servers.
- Compliance – Ensuring physical security measures comply with regulations.
4. Technological Controls (34 Controls)
Focus: Implementing technical measures to protect information from cyber threats and ensuring secure operation of information systems.
Key Areas:
- Access control: Ensuring that only authorized users can access sensitive systems and data.
- Cryptography: Encrypting data both in transit and at rest to ensure confidentiality and integrity.
- Network security: Protecting against unauthorized access, cyberattacks, and data breaches.
- System acquisition and maintenance: Ensuring systems are securely configured and updated to defend against vulnerabilities.
- Incident monitoring and logging: Continuously monitoring systems for potential security threats and maintaining logs for forensic purposes.
- Secure software development: Ensuring that software developed in-house follows security best practices.
Departments Concerned:
- IT Security / Cybersecurity – Handling firewalls, encryption, and monitoring systems.
- Software Development – Implementing secure coding practices and ensuring applications are free of vulnerabilities.
- Operations & Infrastructure – Managing secure IT infrastructure and hardware.
- Risk & Compliance – Ensuring technology aligns with security policies and regulations.