IT Security Management Framework (Part 1) — Munyakazi

IT Security Management Framework

Understanding the ISO/IEC 27001:2022 Cybersecurity Model and ISMS Implementation

Published: 15 June 2025
Updated: 1 September 2025
Author: Jean Claude Munyakazi

The ISO/IEC 27001 standard provides a globally recognized framework for implementing an Information Security Management System (ISMS). Whether you're new to cybersecurity or working toward ISO 27001 compliance, understanding this framework is essential for aligning technical safeguards with business priorities.

Unlike hierarchical models, the ISO framework treats all security domains as interconnected components of a holistic strategy, ensuring no single area is prioritized over others and creating balanced, comprehensive protection. The weighting between those domains is not fixed by the standard: it comes out of your own risk assessment and is recorded in the Statement of Applicability.

What Is the ISO Cybersecurity Model?

ISO/IEC 27001 was first published in 2005 and most recently revised in 2022. The 2022 revision streamlined the Annex A control set (aligned with ISO/IEC 27002:2022) while maintaining coverage: controls were reduced from 114 to 93 by merging overlapping ones, 11 new controls were added (for example 5.7 threat intelligence, 5.23 cloud services, 8.23 web filtering), and the former 14 categories were regrouped into 4 domains.

At a glance: 93 security controls in total, 4 control domains, 37 organizational controls, latest revision 2022.

The 4-Domain Structure (ISO 27001:2022)

🏢 Domain 5 — 37 Controls
Organizational Controls
Governance foundation: policies, procedures, risk management, and organizational structure. Embeds security into how the organization operates and makes decisions.
👥 Domain 6 — 8 Controls
People Controls
Human resources security: screening, terms of employment, awareness training, disciplinary process, responsibilities on termination, NDAs, remote working, and event reporting for employees and contractors. Granting and revoking access itself is handled by the organizational controls 5.15 to 5.18.
🏭 Domain 7 — 14 Controls
Physical Controls
Physical and environmental security: facility protection, equipment security, secure disposal of assets, and environmental continuity controls.
💻 Domain 8 — 34 Controls
Technological Controls
Technical security: network, system and application security, cryptography, and technical access controls. Consolidates communications, operations, and systems development.
ISO/IEC 27002:2022 Information Security Controls (Complete Structure)

93 security controls: Organizational (37), People (8), Physical (14), Technological (34)
🏢 Organizational Controls
37 Controls (5.1 – 5.37)
5.1
Policies for information security
5.2
Information security roles and responsibilities
5.3
Segregation of duties
5.4
Management responsibilities
5.5
Contact with authorities
5.6
Contact with special interest groups
5.7
Threat intelligence
5.8
Information security in project management
5.9
Inventory of information and other associated assets
5.10
Acceptable use of information and other associated assets
5.11
Return of assets
5.12
Classification of information
5.13
Labelling of information
5.14
Information transfer
5.15
Access control
5.16
Identity management
5.17
Authentication information
5.18
Access rights
5.19
Information security in supplier relationships
5.20
Addressing information security within supplier agreements
5.21
Managing information security in the ICT supply chain
5.22
Monitoring, review and change management of supplier services
5.23
Information security for use of cloud services
5.24
Information security incident management planning and preparation
5.25
Assessment and decision on information security events
5.26
Response to information security incidents
5.27
Learning from information security incidents
5.28
Collection of evidence
5.29
Information security during disruption
5.30
ICT readiness for business continuity
5.31
Legal, statutory, regulatory and contractual requirements
5.32
Intellectual property rights
5.33
Protection of records
5.34
Privacy and protection of personally identifiable information
5.35
Independent review of information security
5.36
Compliance with policies, rules and standards for information security
5.37
Documented operating procedures
👥 People Controls
8 Controls (6.1 – 6.8)
6.1
Screening
6.2
Terms and conditions of employment
6.3
Information security awareness, education and training
6.4
Disciplinary process
6.5
Responsibilities after termination or change of employment
6.6
Confidentiality or non-disclosure agreements
6.7
Remote working
6.8
Information security event reporting
🏭 Physical Controls
14 Controls (7.1 – 7.14)
7.1
Physical security perimeters
7.2
Physical entry
7.3
Securing offices, rooms and facilities
7.4
Physical security monitoring
7.5
Protecting against physical and environmental threats
7.6
Working in secure areas
7.7
Clear desk and clear screen
7.8
Equipment siting and protection
7.9
Security of assets off-premises
7.10
Storage media
7.11
Supporting utilities
7.12
Cabling security
7.13
Equipment maintenance
7.14
Secure disposal or re-use of equipment
💻 Technological Controls
34 Controls (8.1 – 8.34)
8.1
User endpoint devices
8.2
Privileged access rights
8.3
Information access restriction
8.4
Access to source code
8.5
Secure authentication
8.6
Capacity management
8.7
Protection against malware
8.8
Management of technical vulnerabilities
8.9
Configuration management
8.10
Information deletion
8.11
Data masking
8.12
Data leakage prevention
8.13
Information backup
8.14
Redundancy of information processing facilities
8.15
Logging
8.16
Monitoring activities
8.17
Clock synchronisation
8.18
Use of privileged utility programs
8.19
Installation of software on operational systems
8.20
Networks security
8.21
Security of network services
8.22
Segregation of networks
8.23
Web filtering
8.24
Use of cryptography
8.25
Secure development life cycle
8.26
Application security requirements
8.27
Secure system architecture and engineering principles
8.28
Secure coding
8.29
Security testing in development and acceptance
8.30
Outsourced development
8.31
Separation of development, test and production environments
8.32
Change management
8.33
Test information
8.34
Protection of information systems during audit testing


Control Objectives vs. Controls

ISO 27001 Annex A lists the 93 controls by title and is the reference set your risk treatment is checked against. ISO 27002 describes each control in detail: its purpose, its attributes, and implementation guidance. That guidance is deliberately vendor- and technology-neutral, so a control such as 8.24 (use of cryptography) tells you which outcome to achieve, not which algorithm or product to buy. The flexibility is in how you implement a control, not in whether you account for it: every Annex A control must appear in the Statement of Applicability with a justification for including or excluding it.

Domain         | Clause / Objective                                  | Example Control
Organizational | 5.1  Establish a consistent security policy        | Develop and approve an information security policy document
Organizational | 5.23 Safeguard use of cloud services               | Assess security risks before adopting cloud services
People         | 6.1  Minimize risks through responsible hiring     | Conduct background checks before employment
People         | 6.6  Maintain confidentiality                      | Require signed NDAs for employees and contractors
Physical       | 7.2  Prevent unauthorized access to facilities     | Use ID badge systems and surveillance
Physical       | 7.14 Prevent data leaks from retired equipment     | Shred or cryptographically erase hard drives before disposal
Technological  | 8.2  Control privileged access                     | Implement RBAC with separate admin accounts and monitor admin activity
Technological  | 8.23 Manage web access                             | Deploy web filtering to block risky domains

Mapping ISO to the CIA Triad

Organizations must tailor the ISO framework to their specific needs. The key lies in understanding how different industries weight Confidentiality, Integrity, and Availability based on their operations and business impact. The profiles below are illustrative:

  • Google: Confidentiality + Availability. Protecting user data while keeping services reachable 24/7. Integrity of user-generated content gets less emphasis because the platform does not vouch for what users publish.
  • Amazon: Availability-first. Every second of storefront downtime is lost sales, so the largest investments go to redundant systems and failover mechanisms.
  • Healthcare: Integrity + Confidentiality. Patient data must be accurate and private; availability is critical but secondary to correctness.
  • Financial Services: All three equally. Regulators require high assurance on every CIA element.
📋
Statement of Applicability (SOA)
The SOA bridges the full Annex A catalogue and your organization's reality. It lists every one of the 93 controls, states whether each applies, justifies every inclusion and exclusion (normally by reference to the risk assessment), and records implementation status. Read alongside your CIA priorities it becomes a tailored security roadmap. It is mandatory for ISO 27001 certification (clause 6.1.3 d), and auditors check it for completeness: a control silently missing from the list, or listed twice under different numbers, is a finding.
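As an added example (not code from the article, and not anything published by ISO), the following Python checks an SOA for the properties an auditor looks for: all 93 Annex A identifiers present exactly once, a justification on every row, and no "implemented" flag on an excluded control. The SoaRow class, the helper names, and the sample rows are assumptions constructed for this example; the broken sample deliberately drops 7.4 and enters 7.14 twice, the kind of numbering slip a hand-maintained spreadsheet tends to carry.

```python
"""Statement of Applicability (SoA) checker for ISO/IEC 27001:2022 Annex A.

Added example, not code from the original article. It treats the SoA as a
list of rows keyed by Annex A control identifier and runs the checks an
auditor performs: every one of the 93 controls appears exactly once, every
row carries a justification (exclusions especially), and nothing is marked
implemented that is not applicable. The SoA rows below are constructed
sample data, not a real organization's SoA.
"""
from dataclasses import dataclass

# Annex A clause -> (theme name, number of controls) in ISO/IEC 27002:2022.
THEMES = {
    5: ("Organizational", 37),
    6: ("People", 8),
    7: ("Physical", 14),
    8: ("Technological", 34),
}


@dataclass
class SoaRow:
    control_id: str        # Annex A identifier, e.g. "8.24"
    applicable: bool       # included in scope (True) or excluded (False)
    justification: str     # why included or excluded; mandatory either way
    implemented: bool = False


def _sort_key(control_id):
    return tuple(int(part) for part in control_id.split("."))


def expected_controls():
    """The 93 identifiers '5.1' .. '8.34', derived from the per-theme counts."""
    return [f"{clause}.{n}"
            for clause, (_, count) in THEMES.items()
            for n in range(1, count + 1)]


def validate_soa(rows):
    """Return audit findings as strings; an empty list means the SoA is complete."""
    findings = []
    expected = set(expected_controls())
    seen = set()
    for row in rows:
        cid = row.control_id
        if cid not in expected:
            findings.append(f"{cid}: not an Annex A control identifier")
        elif cid in seen:
            findings.append(f"{cid}: listed more than once")
        seen.add(cid)
        if not row.justification.strip():
            findings.append(f"{cid}: missing justification")
        if row.implemented and not row.applicable:
            findings.append(f"{cid}: marked implemented but excluded")
    for cid in sorted(expected - seen, key=_sort_key):
        findings.append(f"{cid}: missing from SoA")
    return findings


def theme_summary(rows):
    """Applicable / implemented counts per theme, for the SoA cover sheet."""
    summary = {}
    for clause, (name, total) in THEMES.items():
        in_theme = [r for r in rows if r.control_id.split(".")[0] == str(clause)]
        summary[name] = {
            "total": total,
            "applicable": sum(1 for r in in_theme if r.applicable),
            "implemented": sum(1 for r in in_theme if r.applicable and r.implemented),
        }
    return summary


def build_sample_soa():
    """Constructed SoA: everything applicable and implemented except two rows."""
    rows = [SoaRow(cid, True, "Required by risk treatment plan", True)
            for cid in expected_controls()]
    by_id = {r.control_id: r for r in rows}
    # 8.30 excluded with a justification: no development is outsourced.
    by_id["8.30"].applicable = False
    by_id["8.30"].implemented = False
    by_id["8.30"].justification = "No software development is outsourced"
    # 8.11 in scope but not yet implemented: masking rollout still planned.
    by_id["8.11"].implemented = False
    return rows


def build_broken_soa():
    """Same SoA with typical spreadsheet errors: 7.4 dropped, 7.14 entered
    twice, and an exclusion with its justification left blank."""
    rows = [r for r in build_sample_soa() if r.control_id != "7.4"]
    rows.append(SoaRow("7.14", True, "Disposal procedure in place", True))
    rows[[r.control_id for r in rows].index("8.30")].justification = ""
    return rows


if __name__ == "__main__":
    for finding in validate_soa(build_broken_soa()):
        print(finding)
    print(theme_summary(build_sample_soa()))
```

The check is intentionally strict about exclusions: an excluded control with no justification is as much a finding as a missing one, because clause 6.1.3 d) requires the reason either way. The per-theme summary gives the numbers management usually asks for first (how much of Annex A is in scope, how much of that is actually done).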

Applying the ISO Model to Data States

Data exists in three states, and ISO controls address security across all of them through team collaboration:

🔄 State 1
Data in Transit
Owned by network security teams. Secured with TLS, VPNs, and firewall rules. ISO 8.20–8.22 cover network security, network services, and network segregation; 8.24 (cryptography) governs the TLS configuration itself.
💾 State 2
Data at Rest
Owned by infrastructure teams. Encryption, access restrictions, and backups. ISO 8.13 (backup), 8.24 (cryptography), 8.3 (information access restriction), and 8.10 (information deletion).
⚙️ State 3
Data in Use
Owned by application and endpoint teams. Monitored through DLP tools and endpoint protection. ISO 8.11 (data masking), 8.12 (data leakage prevention), and 8.1 (user endpoint devices).
🏛️ Framework
ISMS Governance
Upper management sets policy and assigns responsibilities (5.1, 5.2, 5.4); IT teams implement with encryption, PKI, DLP, and monitoring. ISO 5.8 requires security to be built into project management so new systems are covered from the start rather than retrofitted.

Best Practices for ISO 27001 Implementation

Key Recommendations
  • Start with a risk assessment to identify your organization's specific threats and vulnerabilities
  • Define your ISMS scope clearly before attempting to implement controls
  • Complete a Statement of Applicability (SOA); it is mandatory for certification
  • Map controls to your CIA priorities, allocating resources based on business impact
  • Treat ISO 27001 as a continuous improvement cycle, not a one-time project
  • Involve all departments; security is not only an IT responsibility
  • Conduct internal audits regularly and use findings to drive improvements
  • Document everything; evidence of implementation is as important as the controls themselves
Jean Claude Munyakazi
9 months ago

🔐 Hey everyone!

I wrote this blog to make the ISO/IEC 27001:2022 framework more approachable, especially for those who are navigating the shift from policy to real-world implementation.

Whether you’re a cybersecurity student, practitioner, or someone aligning your business with compliance standards, I’d love to hear your perspective.

➡️What part of the ISO framework do you find most challenging to implement?
➡️How does your organization balance technical controls with people and physical safeguards?

Let’s exchange ideas, drop your thoughts, questions, or experiences in the comments below!👇
