ISMS Family of Standards
Aron Lange

ISO/IEC 27000:2018
  Informative sections
    Introduction
    1. Scope
    2. Normative references
    3. Terms and Definitions
      access control
      attack
      audit
      audit scope
      authentication
      authenticity
      availability
      base measure
      competence
      confidentiality
      conformity
      consequence
      continual improvement
      control
      control objective
      correction
      corrective action
      derived measure
      documented information
      effectiveness
      event
      external context
      governance of information security
      governing body
      indicator
      information need
      information processing facilities
      information security
      information security continuity
      information security event
      information security incident
      information security incident management
      information security management professional
      information sharing community
      information system
      integrity
      interested party (stakeholder)
      internal context
      level of risk
      likelihood
      management system
      measure
      measurement
      measurement function
      measurement method
      monitoring
      nonconformity
      non-repudiation
      objective
      organization
      outsource
      performance
      policy
      process
      reliability
      requirement
      residual risk
      review
      review object
      review objective
      risk
      risk acceptance
      risk analysis
      risk assessment
      risk communication and consultation
      risk criteria
      risk evaluation
      risk identification
      risk management
      risk management process
      risk owner
      risk treatment
      security implementation standard
      threat
      top management
      trusted information communication entity
      vulnerability
  4. Information security management systems
    4.1 General
    4.2 What is an ISMS?
      4.2.1 Overview and principles
      4.2.2 Information
      4.2.3 Information security
      4.2.4 Management
      4.2.5 Management system
    4.3 Process approach
    4.4 Why an ISMS is important
    4.5 Establishing, monitoring, maintaining and improving an ISMS
      4.5.1 Overview
      4.5.2 Identifying information security requirements
      4.5.3 Assessing information security risks
      4.5.4 Treating information security risks
      4.5.5 Selecting and implementing controls
      4.5.6 Monitor, maintain and improve the effectiveness of the ISMS
      4.5.7 Continual improvement
    4.6 ISMS critical success factors
    4.7 Benefits of the ISMS family of standards
  5. ISMS Family of Standards
    5.1 Standards specifying requirements
      ISO/IEC 27001
      ISO/IEC 27006
      ISO/IEC 27009
      ISO/IEC 27701
    5.2 Standards describing general guidelines
      ISO/IEC 27002
      ISO/IEC 27003
      ISO/IEC 27004
      ISO/IEC 27005
      ISO/IEC 27007
      ISO/IEC TS 27008
      ISO/IEC 27013
      ISO/IEC 27014
      ISO/IEC TR 27016
      ISO/IEC 27021
    5.3 Standards describing sector-specific guidelines
      ISO/IEC 27010
      ISO/IEC 27011
      ISO/IEC 27017
      ISO/IEC 27018
      ISO/IEC 27019
      ISO 27799

ISO/IEC 27002:2022
  Informative sections
    Introduction
    1. Scope
    2. Normative references
    3. Terms, definitions and abbreviated terms
      3.1 Terms and definitions
      3.2 Abbreviated terms
  4. Structure of this document
    4.1 Clauses
    4.2 Themes and attributes
      Control Type: Preventive, Detective, Corrective
      Information Security Property: Confidentiality, Integrity, Availability
      Cybersecurity Concepts: Identify, Protect, Detect, Respond, Recover
      Operational Capabilities: Application security, Asset management, Continuity, Data protection, Governance, Human resource security, Identity and access management, Information security event management, Legal and compliance, Physical security, Secure configuration, Security assurance, Supplier relationships security, System and network security, Threat and vulnerability management
      Security Domains: Governance and Ecosystem, Protection, Defence, Resilience
    4.3 Control layout
      Control title
      Attribute table
      Control
      Purpose
      Guidance
      Other information
  5. Organizational Controls
    5.1 Policies for information security
    5.2 Information security roles and responsibilities
    5.3 Segregation of duties
    5.4 Management responsibilities
    5.5 Contact with authorities
    5.6 Contact with special interest groups
    5.7 Threat intelligence
    5.8 Information security in project management
    5.9 Inventory of information and other associated assets
    5.10 Acceptable use of information and other associated assets
    5.11 Return of assets
    5.12 Classification of information
    5.13 Labelling of information
    5.14 Information transfer
    5.15 Access control
    5.16 Identity management
    5.17 Authentication information
    5.18 Access rights
    5.19 Information security in supplier relationships
    5.20 Addressing information security within supplier agreements
    5.21 Managing information security in the ICT supply chain
    5.22 Monitoring, review and change management of supplier services
    5.23 Information security for use of cloud services
    5.24 Information security incident management planning and preparation
    5.25 Assessment and decision on information security events
    5.26 Response to information security incidents
    5.27 Learning from information security incidents
    5.28 Collection of evidence
    5.29 Information security during disruption
    5.30 ICT readiness for business continuity
    5.31 Legal, statutory, regulatory and contractual requirements
    5.32 Intellectual property rights
    5.33 Protection of records
    5.34 Privacy and protection of PII
    5.35 Independent review of information security
    5.36 Compliance with policies, rules and standards for information security
    5.37 Documented operating procedures
  6. People Controls
    6.1 Screening
    6.2 Terms and conditions of employment
    6.3 Information security awareness, education and training
    6.4 Disciplinary process
    6.5 Responsibilities after termination or change of employment
    6.6 Confidentiality or non-disclosure agreements
    6.7 Remote working
    6.8 Information security event reporting
  7. Physical Controls
    7.1 Physical security perimeters
    7.2 Physical entry
    7.3 Securing offices, rooms and facilities
    7.4 Physical security monitoring
    7.5 Protecting against physical and environmental threats
    7.6 Working in secure areas
    7.7 Clear desk and clear screen
    7.8 Equipment siting and protection
    7.9 Security of assets off-premises
    7.10 Storage media
    7.11 Supporting utilities
    7.12 Cabling security
    7.13 Equipment maintenance
    7.14 Secure disposal or re-use of equipment
  8. Technological Controls
    8.1 User endpoint devices
    8.2 Privileged access rights
    8.3 Information access restriction
    8.4 Access to source code
    8.5 Secure authentication
    8.6 Capacity management
    8.7 Protection against malware
    8.8 Management of technical vulnerabilities
    8.9 Configuration management
    8.10 Information deletion
    8.11 Data masking
    8.12 Data leakage prevention
    8.13 Information backup
    8.14 Redundancy of information processing facilities
    8.15 Logging
    8.16 Monitoring activities
    8.17 Clock synchronization
    8.18 Use of privileged utility programs
    8.19 Installation of software on operational systems
    8.20 Networks security
    8.21 Security of network services
    8.22 Segregation of networks
    8.23 Web filtering
    8.24 Use of cryptography
    8.25 Secure development lifecycle
    8.26 Application security requirements
    8.27 Secure system architecture and engineering principles
    8.28 Secure coding
    8.29 Security testing in development and acceptance
    8.30 Outsourced development
    8.31 Separation of development, test and production environments
    8.32 Change management
    8.33 Test information
    8.34 Protection of information systems during audit testing
  Annex A Using Attributes
    A.1 General
    A.2 Organisational views
  Annex B Correspondence of ISO/IEC 27002:2022 with ISO/IEC 27002:2013

ISO/IEC 27001:2013
  Informative sections
    0 Introduction
    1. Scope
    2. Normative references
    3. Terms and definitions
  Plan
    4. Context of the organization
      4.1 Understanding the organization and its context
      4.2 Understanding the needs and expectations of interested parties
      4.3 Determining the scope of the ISMS
      4.4 Information security management system
    5. Leadership
      5.1 Leadership and commitment
      5.2 Policy
      5.3 Organizational roles, responsibilities and authorities
    6. Planning
      6.1 Actions to address risks and opportunities
        6.1.1 General
        6.1.2 Information security risk assessment
        6.1.3 Information security risk treatment
      6.2 Information security objectives and planning to achieve them
    7. Support
      7.1 Resources
      7.2 Competence
      7.3 Awareness
      7.4 Communication
      7.5 Documented information
        7.5.1 General
        7.5.2 Creating and updating
        7.5.3 Control of documented information
  Do
    8. Operation
      8.1 Operational planning and control
      8.2 Information security risk assessment
      8.3 Information security risk treatment
  Check
    9. Performance evaluation
      9.1 Monitoring, measurement, analysis and evaluation
      9.2 Internal audit
      9.3 Management review
  Act
    10. Improvement
      10.1 Nonconformity and corrective action
      10.2 Continual improvement
  Annex A
    A.5 Organizational Controls
    A.6 People Controls
    A.7 Physical Controls
    A.8 Technological Controls

ISO/IEC 27005:2018
  Informative sections
    Introduction
    1 Scope
    2 Normative references
    3 Terms and definitions
  4 Structure of this document
  5 Background
  6 Overview of the information security risk management process
  7 Context establishment
    7.1 General considerations
    7.2 Basic criteria
    7.3 Scope and boundaries
    7.4 Organization for information security risk management
  8 Information security risk assessment
    8.1 General description of information security risk assessment
    8.2 Risk identification
    8.3 Risk analysis
    8.4 Risk evaluation
  9 Information security risk treatment
    9.1 General description of risk treatment
    9.2 Risk modification
    9.3 Risk retention
    9.4 Risk avoidance
    9.5 Risk sharing
  10 Information security risk acceptance
  11 Information security risk communication and consultation
  12 Information security risk monitoring and review
    12.1 Monitoring and review of risk factors
    12.2 Risk management monitoring, review and improvement
  Annex A Defining the scope and boundaries of the information security risk management process
    A.1 Study of the organization
    A.2 List of the constraints affecting the organization
    A.3 List of the constraints affecting the scope
  Annex B Identification and valuation of assets and impact assessment
    B.1 Examples of asset identification
    B.2 Asset valuation
    B.3 Impact assessment
  Annex C Examples of typical threats
  Annex D Vulnerabilities and methods for vulnerability assessment
    D.1 Examples of vulnerabilities
    D.2 Methods for assessment of technical vulnerabilities
  Annex E Information security risk assessment approaches
    E.1 High-level information security risk assessment
    E.2 Detailed information security risk assessment
  Annex F Constraints for risk modification

ISO/IEC 27004:2016
  Informative sections
    Introduction
    1 Scope
    2 Normative references
    3 Terms and definitions
  4 Structure and overview
  5 Rationale
    5.1 The need for measurement
    5.2 Fulfilling the ISO/IEC 27001 requirements
    5.3 Validity of results
    5.4 Benefits
  6 Characteristics
    6.1 General
    6.2 What to monitor
    6.3 What to measure
    6.4 When to monitor, measure, analyse and evaluate
    6.5 Who will monitor, measure, analyse and evaluate
  7 Types of measures
    7.1 General
    7.2 Performance measures
    7.3 Effectiveness measures
  8 Processes
    8.1 General
    8.2 Identify information needs
    8.3 Create and maintain measures
    8.4 Establish procedures
    8.5 Monitor and measure
    8.6 Analyse results
    8.7 Evaluate information security performance and ISMS effectiveness
    8.8 Review and improve monitoring, measurement, analysis and evaluation processes
    8.9 Retain and communicate documented information
  Annex A An information security measurement model
  Annex B Measurement construct examples
    B.1 General
    B.2 Resource allocation
    B.3 Policy review
    B.4 Management commitment
    B.5 Risk exposure
    B.6 Audit programme
    B.7 Improvement actions
    B.8 Security incident cost
    B.9 Learning from information security incidents
    B.10 Corrective action implementation
    B.11 ISMS training or ISMS awareness
    B.12 Information security training
    B.13 Information security awareness compliance
    B.14 ISMS awareness campaigns effectiveness
    B.15 Social engineering preparedness
    B.16 Password quality – manual
    B.17 Password quality – automated
    B.18 Review of user access rights
    B.19 Physical entry controls system evaluation
    B.20 Physical entry controls effectiveness
    B.21 Management of periodic maintenance
    B.22 Change management
    B.23 Protection against malicious code
    B.24 Anti-malware
    B.25 Total availability
    B.26 Firewall rules
    B.27 Log files review
    B.28 Device configuration
    B.29 Pentest and vulnerability assessment
    B.30 Vulnerability landscape
    B.31 Security in third party agreements – A
    B.32 Security in third party agreements – B
    B.33 Information security incident management effectiveness
    B.34 Security incidents trend
    B.35 Security event reporting
    B.36 ISMS review process
    B.37 Vulnerability coverage
  Annex C An example of free-text form measurement construction
    C.1 'Training effectiveness' – effectiveness measurement construct

ISO/IEC 27003:2017
  Informative sections
    Introduction
    1. Scope
    2. Normative references
    3. Terms and definitions
  4. Context of the organization
    4.1 Understanding the organization and its context
    4.2 Understanding the needs and expectations of interested parties
    4.3 Determining the scope of the ISMS
    4.4 Information security management system
  5. Leadership
    5.1 Leadership and commitment
    5.2 Policy
    5.3 Organizational roles, responsibilities and authorities
  6. Planning
    6.1 Actions to address risks and opportunities
      6.1.1 General
      6.1.2 Information security risk assessment
      6.1.3 Information security risk treatment
    6.2 Information security objectives and planning to achieve them
  7. Support
    7.1 Resources
    7.2 Competence
    7.3 Awareness
    7.4 Communication
    7.5 Documented information
      7.5.1 General
      7.5.2 Creating and updating
      7.5.3 Control of documented information
  8. Operation
    8.1 Operational planning and control
    8.2 Information security risk assessment
    8.3 Information security risk treatment
  9. Performance evaluation
    9.1 Monitoring, measurement, analysis and evaluation
    9.2 Internal audit
    9.3 Management review
  10. Improvement
    10.1 Nonconformity and corrective action
    10.2 Continual improvement
  Annex A Policy Framework

ISO/IEC 27007
  Informative sections
    Introduction
    1 Scope
    2 Normative references
    3 Terms and definitions
  4 Principles of auditing
  5 Managing an audit programme
    5.1 General
    5.2 Establishing audit programme objectives
    5.3 Determining and evaluating audit programme risks and opportunities
    5.4 Establishing audit programme
      5.4.1 Roles and responsibilities of the individual(s) managing audit programme
      5.4.2 Competence of individual(s) managing audit programme
      5.4.3 Establishing extent of the audit programme
      5.4.4 Determining audit programme resources
    5.5 Implementing audit programme
      5.5.1 General
      5.5.2 Defining the objectives, scope and criteria for an individual audit
      5.5.3 Selecting and determining audit methods
      5.5.4 Selecting audit team members
      5.5.5 Assigning responsibility for an individual audit to the audit team leader
      5.5.6 Managing audit programme results
      5.5.7 Managing and maintaining audit programme records
    5.6 Monitoring audit programme
    5.7 Reviewing and improving audit programme
  6. Conducting an audit
    6.1 General
    6.2 Initiating audit
      6.2.1 General
      6.2.2 Establishing contact with auditee
      6.2.3 Determining feasibility of audit
    6.3 Preparing audit activities
      6.3.1 Performing review of documented information
      6.3.2 Audit planning
      6.3.3 Assigning work to audit team
      6.3.4 Preparing documented information for audit
    6.4 Conducting audit activities
      6.4.1 General
      6.4.2 Assigning roles and responsibilities of guides and observers
      6.4.3 Conducting opening meeting
      6.4.4 Communicating during audit
      6.4.5 Audit information availability and access
      6.4.6 Reviewing document information while conducting audit
      6.4.7 Collecting and verifying information
      6.4.8 Generating audit findings
      6.4.9 Determining audit conclusions
      6.4.10 Conducting closing meeting
    6.5 Preparing and distributing audit report
      6.5.1 Preparing audit report
      6.5.2 Distributing audit report
    6.6 Completing audit
    6.7 Conducting audit follow-up
  7 Competence and evaluation of auditors
    7.1 General
    7.2 Determining auditor competence
      7.2.1 General
      7.2.2 Personal behaviour
      7.2.3 Knowledge and skills
        7.2.3.1 General
        7.2.3.2 Generic knowledge and skills of management system auditors
        7.2.3.3 Discipline and sector specific competence of auditors
        7.2.3.4 Generic competence of audit team leader
        7.2.3.5 Knowledge and skills for auditing multiple disciplines
      7.2.4 Achieving auditor competence
      7.2.5 Achieving audit team leader competence
    7.3 Establishing auditor evaluation criteria
    7.4 Selecting appropriate auditor evaluation method
    7.5 Conducting auditor evaluation
    7.6 Maintaining and improving auditor competence
  Annex A Guidance for ISMS auditing practice
    A.1 Overview
    A.2 General
      A.2.1 Audit objectives, scope, criteria and audit evidence
      A.2.2 Strategy for auditing an ISMS
      A.2.3 Audit and documented information
    A.3 Guidance on ISO/IEC 27001 requirements for documented information
      A.3.1 Rationale
      A.3.2 Example of implicit requirement for documented information
      A.3.3 Example where there is no explicit or implicit requirement for documented information
    A.4 The Statement of Applicability
    A.5 Other documented information
    A.6 Notes
    A.7 Guidance for auditing an ISMS