ISO 27001:2022
Standards/Clauses
Concepts and Philosophy of ISMS Framework
Information
Information is an asset which, like other business assets, has
value to an organisation and consequently needs
to be suitably protected.
Types of Information
Internal
● Information that you would not want your
competitors to know
Customer/client
● Information that they would not wish you
to divulge
Shared
● Information that may be shared with
other trading partners/persons
Types of Information
● Company financial data (business performance)
● Company business plan & strategies
● Employee data
● Credit card and bank account numbers
● Passwords
● Designs, patents, technical research
● Bids for contracts, market research, competitive
analysis
● Intelligence (on criminals, hostile nations, etc)
● Security information (risk assessment, network
diagram, facilities plans)
Information Lifecycle
● Create
● Store
● Distribute (to authorized persons)
● Modify (by authorized persons)
● Archive
● Delete (electronic) or Dispose (paper, disk, etc)
Information may need protection through its
entire lifecycle including deletion or disposal
Information Security
Information Security means preservation of
confidentiality, integrity and availability of
information; other properties, such as authenticity,
accountability, non-repudiation, and reliability may
also be managed.
Information Security - a Definition
Information security is preservation of:
Confidentiality – ensuring that information is available
only to those with authorised access
Integrity – safeguarding the accuracy and completeness of
information and information processing methods & facilities
Availability – ensuring authorised users have access to
information when required
In some organizations integrity and/or availability may
be more important than confidentiality
Information Security – Why?
In today’s fast-paced, global business
environment, access to information is critical to
an organisation’s success.
Timely, accurate and complete information is a
necessary business asset to an organisation,
and like any other business asset, information
needs to be understood and appropriately
secured.
Information Security Risks
Some categories of risk :
● Loss
● Corruption
● Theft
● Unauthorized disclosure
● Accidental disclosure
● Unauthorized modification
● Unavailability or denial of service
● Lack of integrity
● Intrusion and subversion of system resources
Non-IT Information Security Risks
● Paper documents:
○ on desks,
○ in waste bins,
○ left on photocopiers
● Whiteboards and flipcharts
● Telephone conversations overheard
● Conversations on public transport
● Social engineering
Information Security - Aim
Information Security aims to:
● Minimize business damage by preventing and minimizing the impact of
security incidents
● Reduce the likelihood of a security incident occurring
● Prevent information security incident from occurring
● Detect an incident occurring, or its effect
● Respond to an event to minimize business damage
● Ensure Business Continuity
● Ensure preservation of confidentiality, integrity and availability of information; in
addition, other properties such as authenticity, accountability, non-repudiation
and reliability can also be involved
Business Effects of Information Security
● Maintain stakeholder confidence in the organization
● Preserve business position
● Ensure business continuity
Why Are We Here?
Information security management: the key to confidence and trust for business
● Customer requirements
● Business requirements
● Government laws and regulations
Interested Parties
● IT department
● Line managers
● Senior managers
● Company Boards
● Government
● Business and Trading Partners
● Customers
Managers Must Understand
Poor information security outcomes are
commonly the result of poor
management and not poor technical
controls
Information Security is Not All about Technology
[Figure: three pie charts, one per business service (Business Service 1, 2 and 3), each split into an IT Dependent and an IT Independent share; the three splits shown are 80%/20%, 50%/50% and 20%/80%]
Information Security Management System
Information Security Management System
(ISMS) is :
● That part of the overall management system,
based on a business risk approach, to
establish, implement, operate, monitor, review,
maintain and improve information security
● A management process
● Not a technological process
What is an ISMS?
An ISMS is a set of processes designed to produce
predictable information security outcomes (well
managed security risks)
Implementation must cover
● Requirements and policies
● Planning implementation
● Implementation and operations
● Monitoring and reviewing
● Improving the management system
Information Security Framework
(Source: Government of Western Australia: Department of Industry and Technology. (2002).
Pamphlet - Managing Risks in the Internet Economy - An Executive’s Guide. p.5).
Statement of Applicability
Definition
Documented statement describing the control objectives and controls that are
relevant and applicable to the organisation’s ISMS.
Contents of Statement of Applicability
● Control objectives and controls selected
● Reasons for selection
● Control objectives and controls currently implemented
● Exclusion of any control objectives and controls to be listed in Annex
A and the justification for their exclusion
The statement of applicability provides a summary of decisions concerning risk
treatment. Justifying exclusions provides a cross-check that no controls have
been inadvertently omitted.
Statement of Applicability
Why a control has not been fully implemented
● Risk – not justified by risk exposure
● Budget – financial constraints
● Environment – influence on safeguards, climate, space etc
● Technology – some measures are not technically feasible
● Culture – sociological constraints
● Time – some requirements cannot be implemented now.
● N/A – not applicable
● Others – ?
PRESENTATION OUTLINE
ISO 27001 certification applies to?
IT Industries
Finance Sector
Healthcare Sector
Government Sector
Telecom Industries
Why ISO 27001? Purpose of clauses?
Why ISO?
● International Best Practices
● Identification of risks & appropriate mitigation
● Customer satisfaction on confidentiality of data
● Performance
● Regulatory compliance requirements
● Safeguarded information assets
● Competency of employees & management process
Purpose of clauses?
- To protect CIA of information/Assets
- To identify and effectively manage their information security risks
Audit Stages
■ Plan – Identify the problems and collect useful
information to evaluate security risk.
■ Do – Implement the planned security policies and
procedures.
■ Check – Monitor the effectiveness of ISMS policies;
evaluate tangible outcomes
■ Act – Continual Improvement
Organizations of all types and sizes:
What is Information Security?
THE HISTORY OF ISO 27001
● BS 7799:1995 – First published by BSI and written by the UK Government Department for Trade and Industry
● ISO 17799:2000 – Information technology - Code of practice for information security management
● ISO 27001:2005 – Information technology - Security techniques - Information security management systems - Requirements
● ISO 27001:2013 – Information technology - Security techniques - Information security management systems - Requirements
● ISO 27017:2015 – Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
● ISO 27018:2019 – Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
● ISO 27701:2019 – Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
● ISO 27001:2022 – Information security, cybersecurity and privacy protection - Information security management system - Requirements
● ISO 27002:2022 – Updated controls - Information security, cybersecurity and privacy protection - Information security controls
● 2025 – Transition Period (3 Years)
LANDSCAPE CHANGES
What are the main threats affecting the security of a business and its data?
Pre-2013 vs 2022:
• High Value Data Theft
• Ransomware
• Organised Criminal Gangs
• State Sponsored
• Sophisticated Phishing
• APTs
• Cryptojacking
• Hacktivism
• Script Kiddies
• DoS/DDoS
• Web Defacement
• SQL Injections
• Malware and Spyware
ISO 27001:2022 CLAUSES 4-10
ISO 27001:2022 CHANGES
Control domains in the 2013 Annex A:
● Access Control
● Communication Security
● Organisation of Information Security
● Cryptographic Controls
● System Acquisition, Development and Maintenance
● Supplier Relationships
● Information Security Incident Management
● Physical Security
● HR Security
● Asset Management
● Operational Security
● Information Security Policies
● Security Aspects of Business Continuity
● Compliance
ISO 27001:2022 NEW CONTROLS
• 5.7 Threat Intelligence
• 5.23 Information Security for use of Cloud Services
• 5.30 ICT Readiness for Business Continuity
• 7.4 Physical Security Monitoring
• 8.9 Configuration Management
• 8.10 Information Deletion
• 8.11 Data Masking
• 8.12 Data Leakage Prevention
• 8.16 Monitoring Activities
• 8.23 Web Filtering
• 8.28 Secure Coding
Organisational Controls
Physical Controls
Technical Controls
Steps to Implementation
4 Context of Organization
4.1 Organization & context
- Identification of the internal & external issues of the organization, in order to identify risks & mitigate them
4.2 Understand the needs & expectations of interested parties
4.3 Determining the scope; documented scope
Internal Issue | Associated Risks | Controls | Responsibilities
Lack of employee awareness on ISMS | Data breaches due to mishandling of sensitive information | Regular training programs and awareness campaigns | Information Security Officer (ISO), HR Department
Insufficient access controls | Unauthorized access to critical information systems | Implementation of role-based access control (RBAC), periodic access reviews | IT Security Team
Outdated security policies and procedures | Vulnerabilities in handling and protecting information assets | Regular policy reviews and updates | ISMS Manager
Lack of incident response plan | Delayed mitigation of security incidents | Development and testing of an incident response plan | Incident Response Team
Inefficient internal communication | Delayed identification of and response to security threats | Establishment of clear communication channels and escalation processes | Senior Management
External Issue | Associated Risks | Controls | Responsibilities
Changing legal and regulatory requirements | Non-compliance penalties, reputational damage | Regular review of applicable laws and regulations, compliance audits | Compliance Officer, Legal Team
Evolving cyber threat landscape | Data breaches, unauthorized access, operational disruptions | Continuous monitoring, threat intelligence, penetration testing | Information Security Team
Third-party service providers and vendors | Weaknesses in third-party systems leading to data breaches | Vendor risk assessments, strict contracts, regular performance monitoring | Procurement and Vendor Management Team
Global economic conditions | Reduced budgets for security, increased costs of technology | Budget planning, prioritization of critical security investments | Management and Finance Department
Natural disasters and environmental factors | Data center outages, loss of physical assets | Disaster recovery plans, offsite backups, business continuity planning | IT Department, Risk Management Team
Technological advancements and innovations | Obsolescence of current systems, unaddressed vulnerabilities | Regular technology upgrades, adoption of emerging security technologies | IT and Innovation Teams
Interested Party | Needs and Expectations | Associated Risks | Controls | Responsibilities
Employees | Secure access to information and systems | Unauthorized access, data breaches | Access controls, user training, incident response plans | HR Department, IT Security Team
Customers | Protection of personal and business data | Data theft, reputational damage | Data encryption, secure data storage, regular audits | Customer Support, IT Security Team
Regulatory Authorities | Compliance with legal and regulatory frameworks | Non-compliance penalties, legal action | Regular compliance reviews, legal assessments | Compliance Officer, Legal Team
Suppliers and Vendors | Secure communication and data sharing | Data leakage, supply chain vulnerabilities | Vendor risk management, secure communication channels | Procurement Team
5 Leadership
5.1 Leadership & commitment:
Top management demonstrates leadership and commitment with respect to the ISMS by:
a) ensuring the information security policy and the information security objectives are
established and are compatible with the strategic direction of the organisation
b) ensuring the integration of the information security management system requirements
into the organisation’s processes;
c) ensuring that the resources needed for the information security management system
are available
d) communicating the importance of effective information security management and of
conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended
outcome
f) continual improvement in the process of implementing ISMS
5.2 Policy
- establishment and maintenance of an information security policy
5.3 Organization’s Roles, responsibilities & Authorities
6 Planning
6.1 Actions to address risks and opportunities
- Build your information security management system (ISMS)
- Implement your risk management policy
- Implement your risk management process
- Manage your risk via a risk register
- Effectively and regularly report to the Management Review Team
6.2 Information security objectives and planning to achieve them
- The organisation shall establish information security objectives at
relevant functions and levels
- The organization shall retain documented information on the
information security objectives and on the planning of how to
achieve them.
6.3 Planning of changes
Clause 6.1.1: Actions to Address Risks and Opportunities
Requirement:
Organizations must determine:
1. Risks and opportunities related to internal/external issues (Clause
4.1) and interested parties' expectations (Clause 4.2).
2. Actions needed to:
o Achieve intended ISMS outcomes.
o Prevent or mitigate undesired effects.
o Foster continual improvement.
Means of Implementation:
Identify Risks and Opportunities:
o Use tools like SWOT analysis, PESTLE analysis, or a risk register.
o Example: A threat actor exploiting weak credentials (risk).
Employee training to improve password hygiene (opportunity).
Document Actions:
o Develop an action plan to address risks and opportunities.
o Example: Implement multi-factor authentication (MFA) to mitigate
credential-related risks.
Integrate Actions into ISMS:
o Incorporate actions into policies, processes, and
controls.
o Example: Establish a formal process for periodic review
of access controls.
Monitor Effectiveness:
o Use key performance indicators (KPIs) to evaluate
implemented actions.
Clause 6.1.1: Actions to Address Risks and Opportunities
Requirement:
● Organizations must determine external and internal issues (Clause 4.1) and the needs and
expectations of interested parties (Clause 4.2) that might affect the ISMS.
● Consider risks and opportunities to:
o Ensure the ISMS achieves its intended outcomes.
o Prevent or reduce undesired effects.
o Achieve continual improvement.
Examples:
Risk: Emerging threats like phishing or ransomware attacks. Opportunity: Enhance employee training
programs on recognizing phishing attempts.
Action: Implement regular threat intelligence updates and awareness campaigns.
Implementation:
● Use tools like SWOT analysis or risk assessment frameworks to identify risks and opportunities.
● Document actions in an ISMS risk treatment plan.
Clause 6.1.2: Information Security Risk Assessment
Requirement:
Establish and maintain a risk assessment process:
● Identify information security risks.
● Analyze risks based on criteria like likelihood and impact.
● Prioritize risks for treatment.
Means of Implementation:
Establish Risk Assessment Criteria:
o Define parameters (e.g., likelihood of occurrence, business impact).
o Example: High likelihood of phishing attacks; critical impact on
customer data loss.
Conduct Risk Identification:
o Identify risks to confidentiality, integrity, and availability of
information.
o Example: Risk of data breaches due to outdated software.
Analyze and Evaluate Risks:
o Use qualitative or quantitative approaches (e.g., risk
matrices).
o Example: Assign a high-risk rating to systems with unpatched
vulnerabilities.
Assess Impact of Changes:
o Evaluate risks, opportunities, and resource requirements.
o Example: Migrating to a new data center requires updating access
control policies.
Develop and Communicate Plans:
o Include timelines, responsibilities, and testing protocols.
o Example: Roll out a new endpoint protection solution in phases, starting
with low-risk departments.
Monitor and Validate Changes:
o Ensure that changes achieve their intended purpose.
o Example: Conduct post-implementation reviews to validate the
effectiveness of new controls.
Document Findings:
o Record identified risks and their evaluations in
a risk register or similar tool.
Review Regularly:
o Reassess risks during major changes or at
predefined intervals.
Clause 6.1.2: Information Security Risk Assessment
Requirement:
● Establish a process for assessing information security risks, considering:
1. The context of the organization.
2. The identification of risks related to loss of confidentiality, integrity, and availability.
3. The risk assessment criteria (likelihood, impact).
4. Documenting and maintaining results.
Examples:
Scenario: A company’s confidential data may be exposed due to weak access controls.
o Risk Assessment Criteria:
● Likelihood: High (frequent unauthorized access attempts).
● Impact: High (potential data breach causing reputational damage).
Result: Prioritize strengthening access controls.
Implementation:
● Adopt frameworks like NIST Cybersecurity Framework or ISO 31000 for structured risk assessments.
Risk Treatment Matrix Example:
Risk Level | Treatment Option | Example Actions
Very High | Avoid or Mitigate | Stop project, change the process, implement strict controls
High | Mitigate or Transfer | Enhance safety protocols, buy insurance
Medium | Mitigate or Transfer | Implement contingency plans, subcontract certain tasks
Low | Retain or Mitigate | Accept risk, monitor, or implement simple controls
Very Low | Retain | Monitor with minimal intervention
A Risk Rating Matrix combined with Risk Treatment provides a systematic approach to assessing, evaluating, and
managing risks in a project, organization, or process. While the matrix helps prioritize risks based on their
likelihood and impact, the treatment part refers to the actions taken to mitigate or manage those risks.
1. Risk Rating Matrix
The Risk Rating Matrix evaluates each risk based on its likelihood (probability of occurrence) and impact
(consequence or severity of the outcome). The combination of these two factors helps determine the risk level
and prioritization.
Risk Rating Table (example)
Likelihood \ Consequence | 1 (Insignificant) | 2 (First aid injury) | 3 (Minor injury / ill health) | 4 (Major injury / ill health) | 5 (Fatalities)
1 (Unlikely to occur but possible) | 1 | 2 | 3 | 4 | 5
2 (Unlikely but can reasonably be expected to occur) | 2 | 4 | 6 | 8 | 10
3 (Will occur several times) | 3 | 6 | 9 | 12 | 15
4 (Will occur frequently) | 4 | 8 | 12 | 16 | 20
5 (Continually experienced) | 5 | 10 | 15 | 20 | 25
Risk Levels:
● Low Risk: Risks that have low likelihood and/or impact.
● Medium Risk: Risks that have moderate likelihood and/or impact.
● High Risk: Risks that have higher likelihood or impact and require attention.
● Very High Risk: Risks that have a high likelihood and/or severe impact and require immediate treatment and action.
Clause 6.1.3: Information Security Risk Treatment
Requirement:
Select and implement controls to treat identified risks. Document this
process in a Statement of Applicability (SoA), which includes:
● Selected controls from Annex A.
● Omitted controls and justification.
● Linkages to specific risk treatment actions.
Means of Implementation:
Identify Controls:
o Map risks to relevant controls in Annex A.
o Example: Use encryption (A.10.1) to secure sensitive data during
transmission.
Develop a Risk Treatment Plan:
o Define actions, responsibilities, and timelines.
o Example: Upgrade firewalls to address external
intrusion risks.
Create a Statement of Applicability (SoA):
o Document selected controls, omitted controls, and
justifications.
o Example: Exclude control A.13.2.3 (secure disposal of
media) if the organization uses cloud-based storage
exclusively.
Implement and Test Controls:
o Deploy controls, conduct regular testing, and validate
their effectiveness.
Monitor and Review:
o Ensure that risk treatment measures remain effective as
threats evolve.
Clause 6.1.3: Information Security Risk Treatment
Requirement:
● Organizations must:
1. Select controls to treat identified risks (Annex A).
2. Justify controls based on risk assessments.
3. Document a Statement of Applicability (SoA) to outline selected controls, omitted controls, and their justification.
Examples:
Identified Risk: Unauthorized access to a cloud storage system.
o Control: Implement multi-factor authentication (Annex A.5.15).
o SoA Justification: Reduces the likelihood of unauthorized access by requiring two independent authentication
factors.
Omitted Control: Physical destruction of data storage devices (Annex A.8.4).
o Justification: Data is stored entirely in the cloud, making this control unnecessary.
Implementation:
● Develop an SoA to document control decisions.
● Continuously review risk treatments for relevance as threats evolve.
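As an added example (not code from the slides), a small validator that performs the SoA cross-check the deck describes: every control in the reference set is either selected with a risk linkage or excluded with a recognised reason and a justification, and none is silently omitted. The control set is the eleven 2022 controls listed earlier on this deck and the reason categories are those from the "Why a control has not been fully implemented" slide; the entry statuses, field names and the sample SoA are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Reference control set: the eleven controls the deck lists as new in the 2022
# Annex A. A real SoA covers every Annex A control; the subset keeps this short.
ANNEX_A_NEW_2022 = {
    "5.7": "Threat Intelligence",
    "5.23": "Information Security for use of Cloud Services",
    "5.30": "ICT Readiness for Business Continuity",
    "7.4": "Physical Security Monitoring",
    "8.9": "Configuration Management",
    "8.10": "Information Deletion",
    "8.11": "Data Masking",
    "8.12": "Data Leakage Prevention",
    "8.16": "Monitoring Activities",
    "8.23": "Web Filtering",
    "8.28": "Secure Coding",
}

# Reason categories from the slide "Why a control has not been fully implemented".
NON_IMPLEMENTATION_REASONS = {"Risk", "Budget", "Environment", "Technology",
                              "Culture", "Time", "N/A", "Others"}


class Status(Enum):          # assumed statuses for an SoA row
    IMPLEMENTED = "implemented"
    PLANNED = "planned"      # selected but not yet fully in place
    EXCLUDED = "excluded"


@dataclass(frozen=True)
class SoAEntry:
    control_id: str
    status: Status
    justification: str                  # why selected, or why excluded / not yet implemented
    reason_category: str = ""           # required whenever the control is not fully implemented
    linked_risks: tuple[str, ...] = ()  # risk register IDs this control treats


def validate_soa(entries, controls=ANNEX_A_NEW_2022):
    """Return a list of findings; an empty list means the SoA passes the cross-check."""
    findings = []
    seen = set()
    for e in entries:
        if e.control_id not in controls:
            findings.append(f"{e.control_id}: not in the reference control set")
            continue
        if e.control_id in seen:
            findings.append(f"{e.control_id}: duplicate entry")
        seen.add(e.control_id)
        if not e.justification.strip():
            findings.append(f"{e.control_id}: no justification recorded")
        if e.status is Status.EXCLUDED:
            if e.reason_category not in NON_IMPLEMENTATION_REASONS:
                findings.append(f"{e.control_id}: exclusion lacks a recognised reason category")
        else:
            if not e.linked_risks:
                findings.append(f"{e.control_id}: selected control is not linked to any risk treatment action")
            if e.status is Status.PLANNED and e.reason_category not in NON_IMPLEMENTATION_REASONS:
                findings.append(f"{e.control_id}: planned control lacks a reason for not being fully implemented")
    # Completeness: the justified-exclusion rule only works if every control has a row.
    for cid, name in controls.items():
        if cid not in seen:
            findings.append(f"{cid} ({name}): missing from the SoA, possibly omitted inadvertently")
    return findings


def soa_summary(entries):
    """Count entries per status, the figures an auditor asks for first."""
    counts = {s.value: 0 for s in Status}
    for e in entries:
        counts[e.status.value] += 1
    return counts


# Constructed sample SoA with deliberate defects so each check fires once.
SAMPLE_SOA = [
    SoAEntry("5.7", Status.IMPLEMENTED, "Feeds vulnerability prioritisation", linked_risks=("RISK001", "RISK002")),
    SoAEntry("5.23", Status.EXCLUDED, "", reason_category="N/A"),                   # exclusion with no justification
    SoAEntry("5.30", Status.PLANNED, "DR rehearsal scheduled next quarter", reason_category="Time", linked_risks=("RISK005",)),
    SoAEntry("7.4", Status.EXCLUDED, "Shared office, landlord operates CCTV", reason_category="Landlord"),  # unknown category
    SoAEntry("8.9", Status.IMPLEMENTED, "Baseline hardening standard in force"),    # no risk linkage
    SoAEntry("8.10", Status.IMPLEMENTED, "Retention schedule enforced", linked_risks=("RISK004",)),
    SoAEntry("8.11", Status.IMPLEMENTED, "Masked test data", linked_risks=("RISK001",)),
    SoAEntry("8.12", Status.PLANNED, "DLP tooling under evaluation", reason_category="Budget", linked_risks=("RISK003",)),
    SoAEntry("8.16", Status.IMPLEMENTED, "SIEM alerting on authentication failures", linked_risks=("RISK003",)),
    SoAEntry("8.23", Status.IMPLEMENTED, "Proxy category filtering", linked_risks=("RISK003",)),
    # 8.28 Secure Coding is deliberately absent: the completeness check must report it.
]

if __name__ == "__main__":
    for finding in validate_soa(SAMPLE_SOA):
        print(finding)
    print(soa_summary(SAMPLE_SOA))
```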
2. Risk Treatment (Management)
Once risks have been assessed using the Risk Rating Matrix, the next step is
to determine how to treat (manage) them. There are several strategies for risk
treatment, and they can be applied depending on the risk level.
Risk Treatment Strategies:
Risk Avoidance:
o Objective: Eliminate the risk entirely by changing the plan or process.
o When to Apply: For Very High Risk or High Risk that cannot be
mitigated effectively.
o Example: Stopping a particular project that is too risky or changing a
process to avoid hazardous situations.
Risk Reduction (Mitigation):
o Objective: Reduce the likelihood and/or impact of the risk.
o When to Apply: For High and Medium Risk.
o Example: Implementing safety protocols to minimize workplace
accidents or installing backup systems to prevent data loss.
Risk Transfer:
o Objective: Shift the risk to a third party.
o When to Apply: For Medium or Low Risk where the organization
does not want to bear the full risk.
o Example: Purchasing insurance or outsourcing certain operations to
transfer associated risks.
Risk Retention (Acceptance):
o Objective: Accept the risk if the cost of mitigation is greater than the potential
impact, or if the likelihood is very low.
o When to Apply: For Low Risk.
o Example: Accepting minor risks such as the possibility of slight delays in a
project due to external factors.
Risk Exploitation:
o Objective: In some cases, organizations may actively seek out risks if there is a
potential for high reward.
o When to Apply: For Medium or Low Risk where the opportunity outweighs the
threat.
o Example: Entering a new market with calculated risk, hoping for a high return on
investment.
Implementing Risk Treatment Plans:
● Assign Responsibilities: Ensure that specific team members are
assigned to monitor and manage each identified risk.
● Develop Action Plans: Outline detailed actions, timelines, and
resources needed to mitigate or treat each risk.
● Monitor and Review: Continuously monitor risks and adjust
treatment strategies as necessary based on changing
circumstances.
● Document: Keep a record of all risks, treatments, and mitigation
efforts for future reference and audits.
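As an added example (not code from the slides), the Risk Rating Matrix and the Risk Treatment Matrix above carried through in code: each risk in a small register is scored as likelihood x consequence exactly as the 5x5 table is filled, mapped to a level, given the treatment option the deck assigns to that level, and ordered for prioritisation. The numeric score bands per level, the sample register and its ratings are assumptions, since the slides name the levels but give no cut-offs.

```python
from dataclasses import dataclass

# Likelihood and consequence scales exactly as labelled on the Risk Rating Table.
LIKELIHOOD = {
    1: "Unlikely to occur but possible",
    2: "Unlikely but can reasonably be expected to occur",
    3: "Will occur several times",
    4: "Will occur frequently",
    5: "Continually experienced",
}
CONSEQUENCE = {
    1: "Insignificant",
    2: "First aid injury",
    3: "Minor injury / ill health",
    4: "Major injury / ill health",
    5: "Fatalities",
}

# Score bands are an assumption: the slides name the levels but give no
# numeric cut-offs. Every product 1..25 falls into exactly one band.
LEVEL_BANDS = [(2, "Very Low"), (5, "Low"), (9, "Medium"), (15, "High"), (25, "Very High")]

# Treatment option and example action per level, from the Risk Treatment Matrix slide.
TREATMENT = {
    "Very Low": ("Retain", "Monitor with minimal intervention"),
    "Low": ("Retain or Mitigate", "Accept risk, monitor, or implement simple controls"),
    "Medium": ("Mitigate or Transfer", "Implement contingency plans, subcontract certain tasks"),
    "High": ("Mitigate or Transfer", "Enhance safety protocols, buy insurance"),
    "Very High": ("Avoid or Mitigate", "Stop project, change the process, implement strict controls"),
}


def rate(likelihood: int, consequence: int) -> int:
    """Risk score = likelihood x consequence, which is how the 5x5 table is filled."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must both be integers from 1 to 5")
    return likelihood * consequence


def level(score: int) -> str:
    """Map a score to its risk level using the assumed bands."""
    for upper, name in LEVEL_BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is outside the 1..25 matrix")


def rating_table() -> list[list[int]]:
    """Regenerate the slide's table: rows are likelihood 1..5, columns consequence 1..5."""
    return [[rate(lk, cq) for cq in CONSEQUENCE] for lk in LIKELIHOOD]


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int
    consequence: int


def treatment_plan(risks: list[Risk]) -> list[dict]:
    """Score each risk, attach the treatment option for its level, and order the
    register highest score first so treatment effort goes to the top rows."""
    rows = []
    for r in risks:
        score = rate(r.likelihood, r.consequence)
        lvl = level(score)
        option, action = TREATMENT[lvl]
        rows.append({
            "risk_id": r.risk_id,
            "description": r.description,
            "likelihood": LIKELIHOOD[r.likelihood],
            "consequence": CONSEQUENCE[r.consequence],
            "score": score,
            "level": lvl,
            "treatment": option,
            "example_action": action,
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register: IDs, wording and ratings are illustrative only.
SAMPLE_RISKS = [
    Risk("RISK001", "Unpatched OS vulnerabilities", 4, 3),
    Risk("RISK002", "Missing updates on web servers", 3, 4),
    Risk("RISK003", "Credential theft via phishing e-mail", 5, 3),
    Risk("RISK004", "Paper documents left on photocopiers", 3, 2),
    Risk("RISK005", "Data centre outage from flooding", 1, 5),
]


def print_plan(risks: list[Risk]) -> None:
    print(f"{'Risk ID':<8} {'Score':>5}  {'Level':<10} {'Treatment':<22} Description")
    for row in treatment_plan(risks):
        print(f"{row['risk_id']:<8} {row['score']:>5}  {row['level']:<10} "
              f"{row['treatment']:<22} {row['description']}")


if __name__ == "__main__":
    print_plan(SAMPLE_RISKS)
```

Note the ordering it produces: the rare but catastrophic RISK005 (1 x 5) scores below the routine RISK004 (3 x 2), a known blind spot of multiplicative matrices, so the matrix should direct management attention rather than replace it.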
Clause 6.2: Information Security Objectives and Planning to Achieve Them
Requirement:
Organizations must establish measurable objectives that:
● Align with ISMS policy.
● Reflect identified risks and opportunities.
● Are measurable, communicated, and updated regularly.
Means of Implementation:
Set SMART Objectives:
o Specific, Measurable, Achievable, Relevant, Time-bound.
o Example: Reduce unauthorized access attempts by 30% within six months.
Define Plans to Achieve Objectives:
o Specify actions, timelines, resources, and responsible personnel.
o Example: Conduct monthly security awareness sessions for employees.
Monitor Progress:
o Use KPIs to track performance.
o Example: Monitor the number of successful and blocked login
attempts.
Communicate Objectives:
o Share objectives across the organization to ensure alignment.
o Example: Include objectives in employee onboarding and
awareness programs.
Review and Update:
o Assess relevance during management reviews or significant
organizational changes.
Clause 6.2: Information Security Objectives and Planning to Achieve Them
Requirement:
● Organizations must establish measurable information security objectives that:
o Align with the ISMS policy.
o Consider applicable risks, opportunities, and business requirements.
o Are measurable, monitored, communicated, and updated as needed.
Examples:
Objective: Reduce phishing incidents by 30% within one year.
o Target: Achieve 95% participation in employee security awareness training.
o Measurement: Track phishing simulation success rates quarterly.
o Responsibility: Security awareness team.
Objective: Ensure 100% compliance with data retention policies by Q4.
o Target: Audit 10% of records monthly for retention policy adherence.
Implementation:
● Use the SMART framework (Specific, Measurable, Achievable, Relevant, Time-bound) for setting objectives.
● Assign responsibilities and allocate resources for achieving objectives.
Clause 6.3: Planning of Changes
Requirement:
Organizations must ensure that changes to the ISMS are:
● Planned systematically.
● Evaluated for potential consequences.
● Implemented without compromising the ISMS's integrity.
Means of Implementation:
Define Change Management Process:
o Create a documented procedure for planning and approving changes.
o Example: Introduce a change request form to capture details of proposed
changes.
Clause 6.3: Planning of Changes
Requirement:
● Organizations must plan changes to the ISMS systematically, considering:
o The purpose and potential consequences of the change.
o The integrity of the ISMS.
o Resource availability.
o Responsibilities for implementing changes.
Examples:
Scenario: Migrating from on-premises servers to a cloud infrastructure.
o Purpose: Enhance scalability and reduce maintenance costs.
o Considerations:
● Impact on existing security controls.
● Retraining IT staff on cloud security practices.
o Plan:
● Perform a risk assessment specific to cloud environments.
● Update access controls to address cloud-specific threats.
Scenario: Expanding operations to a new region.
o Considerations:
● Compliance with local data protection laws.
● Revising ISMS policies to account for regional differences.
Implementation:
● Maintain a documented change control process.
● Use a change management framework like ITIL to align ISMS changes with
business goals.
Example Risk Treatment Plan:
Risk ID | Description | Impact | Likelihood | Risk Level | Treatment
RISK001 | Unpatched OS vulnerabilities | Severe | High | High | Apply patches for critical vulnerabilities immediately.
RISK002 | Missing updates on web servers | Severe | High | High | Perform regular vulnerability scans and enforce patch management.
Examples of Implementation for Clause 6
Clause | Action
6.1.1 | Address risks and opportunities
6.1.2 | Perform risk assessment
6.1.3 | Develop risk treatment plans
6.2 | Set and track information security objectives
6.3 | Plan and manage ISMS changes
Summary of Clause 6 Planning Steps with Examples
Clause | Key Action
6.1.1 | Address risks and opportunities
6.1.2 | Perform risk assessment
6.1.3 | Treat risks and document controls in the SoA
6.2 | Set measurable objectives
6.3 | Plan changes systematically
The ISO 27001 standard sets out four possible
risk treatment options.
Category | Risk/Opportunity | Description | Controls | Responsibilities
Risks | Data Breach | Unauthorized access or exposure of sensitive information. | Encryption, multi-factor authentication (MFA), regular audits | IT Security Team
Risks | Insider Threats | Employees misusing access to data or systems. | Access control policies, user activity monitoring, awareness training | HR Department, IT Security Team
Risks | Phishing and Cyber Attacks | Email-based attacks to steal credentials or distribute malware. | Anti-phishing tools, employee training, incident response plans | IT Security Team, Management
Risks | Non-compliance with Regulations | Failure to comply with data protection laws and standards. | Legal compliance audits, policy reviews, employee awareness | Compliance Officer, Legal Team
Risks | System Downtime | Unavailability of critical IT systems, impacting operations. | Business continuity plans, system redundancy, uptime monitoring | IT Operations Team
Objective | Target | Measurement | Timeline | How (Methods) | Responsibilities
Ensure Confidentiality of Information | Reduce unauthorized access incidents by 95%. | Number of unauthorized access incidents reported. | Annually | Implement access controls, user monitoring, and audits. | IT Security Team
Enhance Employee Security Awareness | Achieve 100% completion rate for security training programs. | Training completion records and post-training assessments. | Quarterly | Conduct security training sessions and phishing simulations. | HR Department, IT Security Team
Improve Incident Response Time | Respond to security incidents within 2 hours. | Average response time for incidents. | Monthly | Incident response plan, real-time monitoring, and reporting. | IT Operations Team
Ensure Data Integrity | Zero incidents of data corruption or unauthorized modifications. | Number of data integrity breaches detected. | Annually | Implement data validation, secure backups, and checksums. | IT Security Team, Database Admin
Achieve 100% Compliance with Regulations | Pass all regulatory and compliance audits with no nonconformities. | Audit reports and corrective action tracking. | Biannually | Regular compliance reviews, internal and external audits. | Compliance Officer, Legal Team
Internal communication plan for an Information Security Management System (ISMS) in
accordance with ISO 27001:2022 Clause 7.4:
What | Who | When | Where | Why | How
Information Security Policies and Objectives | Top Management to All Employees | At launch, annually, or on updates | Email, intranet, team meetings | Ensure alignment with ISMS goals and compliance requirements | Document distribution, presentations
Security Incident Reports | Employees to IT Security Team | As incidents occur | Incident reporting platform | Ensure timely detection and response to security threats | Incident reporting forms and workflows
Risk Assessment Results | Risk Management Team to Management | Quarterly | ISMS review meetings | Inform decision-making on risk controls | Risk assessment reports and dashboards
Changes to Security Controls | IT Security Team to All Affected Users | As changes occur | Email, intranet updates | Ensure employees understand and comply with updated controls | Change management notifications
Training and Awareness Updates | HR/IT Security Team to Employees | Quarterly or as needed | Workshops, online platforms | Enhance employee awareness of ISMS requirements | Training sessions and e-learning modules
External communication of ISMS
What | Who | When | Where | Why | How
ISMS Policy Statement | ISMS Manager to Clients/Stakeholders | At the start of implementation and on updates | Company website, emails | Demonstrate commitment to information security | Policy documents, press releases
Compliance with Legal/Regulatory Requirements | Compliance Officer to Regulators | As required by law or upon changes | Regulatory submissions | Ensure compliance with legal and contractual obligations | Official filings and formal communication
Incident Notifications | IT Security Team to Affected Parties | Within SLA timelines or immediately after detection | Email, phone, incident response portal | Inform affected parties about security breaches and mitigations | Incident response reports
ISMS Certification Status | Management to Clients/Interested Parties | Annually or upon certification | Reports, official website | Build trust and demonstrate adherence to ISO 27001 standards | Certification reports, official announcements
Service-Level Agreements (SLAs) on ISMS | IT/Legal Teams to Customers/Vendors | At contract signing and renewals | Contracts, emails | Define responsibilities for information security in agreements | Contracts, terms, and conditions documents
Some of the mandatory ISO 27001 documents and records
● ISMS Scope document
● Information Security Policy
● Risk Assessment Report
● Statement of Applicability
● Internal Audit Report
Here are the items you must document if you want to be compliant with ISO 27001, and the most common ways to title those documents:

What must be documented | ISO 27001 reference | Usually documented through
--- | --- | ---
Scope of the ISMS | Clause 4.3 | ISMS Scope document
Information security policy | Clause 5.2 | Information Security Policy
Risk assessment and risk treatment process | Clause 6.1.2 | Risk Assessment and Treatment Methodology
Statement of Applicability | Clause 6.1.3 d) | Statement of Applicability
Risk treatment plan | Clauses 6.1.3 e), 6.2, and 8.3 | Risk Treatment Plan
Information security objectives | Clause 6.2 | List of Security Objectives
Risk assessment and treatment report | Clauses 8.2 and 8.3 | Risk Assessment & Treatment Report
Inventory of assets | Control A.5.9* | Inventory of Assets, or List of Assets in the Risk Register
Acceptable use of assets | Control A.5.10* | IT Security Policy
Incident response procedure | Control A.5.26* | Incident Management Procedure
Statutory, regulatory, and contractual requirements | Control A.5.31* | List of Legal, Regulatory, and Contractual Requirements
Security operating procedures for IT management | Control A.5.37* | Security Procedures for IT Department
Definition of security roles and responsibilities | Controls A.6.2 and A.6.6* | Agreements, NDAs, and specifying responsibilities in each security policy and procedure
Definition of security configurations | Control A.8.9* | Security Procedures for IT Department
Secure system engineering principles | Control A.8.27* | Secure Development Policy

* Annex A controls are mandatory only where the Statement of Applicability declares them applicable; a control that is excluded needs a documented justification (Clause 6.1.3 d)).
Non-mandatory ISO 27001 documents
There are numerous non-mandatory ISO 27001 documents that can be used for the
implementation, especially for the security controls from Annex A, but not all of them are
equally useful. I find these non-mandatory documents to be most commonly used:
● Procedure for Document and Record Control (clause 7.5, control A.5.33)
● Procedure for Internal Audit (clause 9.2)
● Procedure for Corrective Action (clause 10.2)
● Information Classification Policy (controls A.5.10, A.5.12, and A.5.13)
● Information Transfer Policy (control A.5.14)
● Access Control Policy (control A.5.15)
● Password Policy (controls A.5.16, A.5.17, and A.8.5)
● Supplier Security Policy (controls A.5.19, A.5.21, A.5.22, and A.5.23)
● Disaster Recovery Plan (controls A.5.29, A.5.30, and A.8.14)
● Mobile Device, Teleworking, and Work from Home Policy (controls A.6.7, A.7.8, A.7.9, and A.8.1)
● Procedures for Working in Secure Areas (controls A.7.4 and A.7.6)
● Clear Desk and Clear Screen Policy (control A.7.7)
● Bring Your Own Device (BYOD) Policy (controls A.7.8 and A.8.1)
● Disposal and Destruction Policy (controls A.7.10, A.7.14, and A.8.10)
● Backup Policy (control A.8.13)
● Encryption Policy (control A.8.24)
● Change Management Policy (control A.8.32)
ISO 27001 records that are mandatory

What must be recorded | ISO 27001 reference | Usually recorded through
--- | --- | ---
Trainings, skills, experience, and qualifications | Clause 7.2 | Training certificates and CVs
Monitoring and measurement results | Clause 9.1 | Measurement Report
Internal audit program | Clause 9.2 | Internal Audit Program
Results of internal audits | Clause 9.2 | Internal Audit Report
Results of the management review | Clause 9.3 | Management Review Minutes
Results of corrective actions | Clause 10.2 | Corrective Action Form
Logs of user activities, exceptions, and security events | Control A.8.15* | Automatic logs in information systems

* Mandatory only where the Statement of Applicability declares the control applicable.
8. Operation
8.1 Operational planning and control
– establishing criteria for processes
– implementing control of the processes in accordance with the criteria
8.2 Information security risk assessment
8.3 Information security risk treatment
9. Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal Audit
9.3 Management review
10. Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action
ISO 27001:2022 CHANGES
ISO 27001:2022 NEW CONTROLS
The eleven controls that are new in the 2022 Annex A, grouped by the 2022 control themes (organisational 5.x, physical 7.x, technological 8.x):
Organisational controls
• 5.7 Threat Intelligence
• 5.23 Information Security for use of Cloud Services
• 5.30 ICT Readiness for Business Continuity
Physical controls
• 7.4 Physical Security Monitoring
Technological controls
• 8.9 Configuration Management
• 8.10 Information Deletion
• 8.11 Data Masking
• 8.12 Data Leakage Prevention
• 8.16 Monitoring Activities
• 8.23 Web Filtering
• 8.28 Secure Coding
Organizational control: Threat Intelligence (5.7)
❖ What is threat intelligence in ISO 27001, and what is its purpose?
(diagram: the three levels of threat intelligence, each answering a different question)
Three levels of threat intelligence:
1. Strategic Threat Intelligence (who and why): high-level information about the threat landscape
2. Tactical Threat Intelligence (what): intelligence on tools, techniques and attack methodologies
3. Operational Threat Intelligence (how and where): intelligence on specific attacks and indicators
Physical Controls
(diagram: physical measures arranged around the security of information assets)
● Single, authorized entry point
● CCTV camera surveillance
● 24×7 on-site security guards
● Uninterruptible Power Supply
● Protection against natural disasters
● Internet access control
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx

Information Security Risks
Some categories of risk:
● Loss
● Corruption
● Theft
● Unauthorized disclosure
● Accidental disclosure
● Unauthorized modification
● Unavailability or denial of service
● Lack of integrity
● Intrusion and subversion of system resources

Non-IT Information Security Risks
● Paper documents: on desks, in waste bins, left on photocopiers
● Whiteboards and flipcharts
● Telephone conversations overheard
● Conversations on public transport
● Social engineering

Information Security - Aim
Information Security aims to:
● Minimize business damage by preventing and minimizing the impact of security incidents
● Reduce the likelihood of a security incident occurring
● Prevent information security incidents from occurring
● Detect an incident occurring, or its effect
● Respond to an event to minimize business damage
● Ensure business continuity
● Ensure preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved

Business Effects of Information Security
● Maintain stakeholder confidence in the organization
● Preserve business position
● Ensure business continuity

Why Are We Here?
Information security management: the key to confidence and trust for business. Its drivers are customer requirements, business requirements, and government laws and regulations.

Interested Parties
● IT department
● Line managers
● Senior managers
● Company boards
● Government
● Business and trading partners
● Customers

Managers Must Understand
Poor information security outcomes are commonly the result of poor management and not poor technical controls.

Information Security is Not all about Technology
(chart: for each of Business Service 1, 2 and 3, the share of the service that is IT dependent versus IT independent: 80%/20%, 50%/50% and 20%/80%)

Information Security Management System
An Information Security Management System (ISMS) is:
● That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
● A management process
● Not a technological process

What is an ISMS
An ISMS is a set of processes designed to produce predictable information security outcomes (well managed security risks). Implementation must cover:
● Requirements and policies
● Planning implementation
● Implementation and operations
● Monitoring and reviewing
● Improving the management system

Information Security Framework (Source: Government of Western Australia: Department of Industry and Technology. (2002). Pamphlet - Managing Risks in the Internet Economy - An Executive's Guide. p.5).

Statement of Applicability
Definition: a documented statement describing the control objectives and controls that are relevant and applicable to the organisation's ISMS. (The 2022 edition of Annex A no longer lists control objectives; a 2022 SoA lists the controls, the justification for inclusion, whether each is implemented, and the justification for any exclusion.)
Contents of the Statement of Applicability:
● Control objectives and controls selected
● Reasons for selection
● Control objectives and controls currently implemented
● Exclusion of any control objectives and controls listed in Annex A, and the justification for their exclusion
The statement of applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.

Statement of Applicability
Why a control has not been fully implemented:
● Risk – not justified by risk exposure
● Budget – financial constraints
● Environment – influence on safeguards, climate, space etc.
● Technology – some measures are not technically feasible
● Culture – sociological constraints
● Time – some requirements cannot be implemented now
● N/A – not applicable
● Others – ?

ISO 27001 certification applies to?
● IT industries
● Finance sector
● Healthcare sector
● Government sector
● Telecom industries

Why ISO 27001, Purpose of clauses?
Why ISO?
● International best practices
● Identification of risks and appropriate mitigation
● Customer satisfaction on confidentiality of data
● Performance
● Regulatory compliance requirements
● Safeguarded information assets
● Competency of employees and management processes
Purpose of clauses?
- To protect the CIA of information/assets
- To identify and effectively manage information security risks

Audit Stages (the Plan-Do-Check-Act cycle)
■ Plan – Identify the problems and collect useful information to evaluate security risk.
■ Do – Implement the planned security policies and procedures.
■ Check – Monitor the effectiveness of ISMS policies; evaluate tangible outcomes.
■ Act – Continual improvement.

Organizations of all types and sizes:
THE HISTORY OF ISO 27001 (timeline 1995 to 2025)
● BS 7799:1995 – first published by BSI and written by the UK Government Department for Trade and Industry
● ISO 17799:2000 – Information technology - Code of practice for information security management
● ISO 27001:2005 – Information technology - Security techniques - Information security management systems - Requirements
● ISO 27001:2013 – Information technology - Security techniques - Information security management systems - Requirements
● ISO 27017:2015 – Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
● ISO 27018:2019 – Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
● ISO 27701:2019 – Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
● ISO 27002:2022 – Updated controls - Information security, cybersecurity and privacy protection - Information security controls
● ISO 27001:2022 – Information security, cybersecurity and privacy protection — Information security management systems – Requirements
● Transition period from ISO 27001:2013 to ISO 27001:2022: 3 years, ending in 2025

LANDSCAPE CHANGES
What are the main threats affecting the security of a business and its data? (slide compares the pre-2013 landscape with 2022)
● High value data theft
● Ransomware
● Organised criminal gangs
● State sponsored attacks
● Sophisticated phishing
● APTs
● Cryptojacking
● Hacktivism
● Script kiddies
● DoS/DDoS
● Web defacement
● SQL injection
● Malware and spyware

ISO 27001:2022 CHANGES
The fourteen control domains of the 2013 Annex A (replaced in 2022 by four themes: organisational, people, physical and technological):
● Information Security Policies
● Organisation of Information Security
● HR Security
● Asset Management
● Access Control
● Cryptographic Controls
● Physical Security
● Operational Security
● Communication Security
● System Acquisition, Development and Maintenance
● Supplier Relationships
● Information Security Incident Management
● Security Aspects of Business Continuity
● Compliance
4 Context of the Organization
4.1 Organization and its context - identification of internal and external issues in the organization, in order to identify risks and mitigate them
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope; the scope is documented

Internal issues (example)
Internal Issue | Associated Risks | Controls | Responsibilities
--- | --- | --- | ---
Lack of employee awareness on ISMS | Data breaches due to mishandling of sensitive information | Regular training programs and awareness campaigns | Information Security Officer (ISO), HR Department
Insufficient access controls | Unauthorized access to critical information systems | Implementation of role-based access control (RBAC), periodic access reviews | IT Security Team
Outdated security policies and procedures | Vulnerabilities in handling and protecting information assets | Regular policy reviews and updates | ISMS Manager
Lack of incident response plan | Delayed mitigation of security incidents | Development and testing of an incident response plan | Incident Response Team
Inefficient internal communication | Delayed identification of and response to security threats | Establishment of clear communication channels and escalation processes | Senior Management

External issues (example)
External Issue | Associated Risks | Controls | Responsibilities
--- | --- | --- | ---
Changing legal and regulatory requirements | Non-compliance penalties, reputational damage | Regular review of applicable laws and regulations, compliance audits | Compliance Officer, Legal Team
Evolving cyber threat landscape | Data breaches, unauthorized access, operational disruptions | Continuous monitoring, threat intelligence, penetration testing | Information Security Team
Third-party service providers and vendors | Weaknesses in third-party systems leading to data breaches | Vendor risk assessments, strict contracts, regular performance monitoring | Procurement and Vendor Management Team
Global economic conditions | Reduced budgets for security, increased costs of technology | Budget planning, prioritization of critical security investments | Management and Finance Department
Natural disasters and environmental factors | Data center outages, loss of physical assets | Disaster recovery plans, offsite backups, business continuity planning | IT Department, Risk Management Team
Technological advancements and innovations | Obsolescence of current systems, unaddressed vulnerabilities | Regular technology upgrades, adoption of emerging security technologies | IT and Innovation Teams

Interested parties (example)
Interested Party | Needs and Expectations | Associated Risks | Controls | Responsibilities
--- | --- | --- | --- | ---
Employees | Secure access to information and systems | Unauthorized access, data breaches | Access controls, user training, incident response plans | HR Department, IT Security Team
Customers | Protection of personal and business data | Data theft, reputational damage | Data encryption, secure data storage, regular audits | Customer Support, IT Security Team
Regulatory Authorities | Compliance with legal and regulatory frameworks | Non-compliance penalties, legal action | Regular compliance reviews, legal assessments | Compliance Officer, Legal Team
Suppliers and Vendors | Secure communication and data sharing | Data leakage, supply chain vulnerabilities | Vendor risk management, secure communication channels | Procurement Team
5 Leadership
5.1 Leadership and commitment: how top management demonstrates leadership with respect to the ISMS, by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation
b) ensuring the integration of the information security management system requirements into the organisation's processes
c) ensuring that the resources needed for the information security management system are available
d) communicating the importance of effective information security management and of conforming to the information security management system requirements
e) ensuring that the information security management system achieves its intended outcomes
f) promoting continual improvement of the ISMS
5.2 Policy - establishment and maintenance of an information security policy
5.3 Organizational roles, responsibilities and authorities

6 Planning
6.1 Actions to address risks and opportunities
- Build your information security management system (ISMS)
- Implement your risk management policy
- Implement your risk management process
- Manage your risk via a risk register
- Effectively and regularly report to the Management Review Team
6.2 Information security objectives and planning to achieve them
- The organisation shall establish information security objectives at relevant functions and levels
- The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives.
6.3 Planning of changes
Clause 6.1.1: Actions to Address Risks and Opportunities
Requirement: organizations must determine:
1. Risks and opportunities related to internal/external issues (Clause 4.1) and interested parties' expectations (Clause 4.2).
2. Actions needed to:
   o Achieve intended ISMS outcomes.
   o Prevent or mitigate undesired effects.
   o Foster continual improvement.

Means of Implementation:
Identify Risks and Opportunities:
   o Use tools like SWOT analysis, PESTLE analysis, or a risk register.
   o Example: A threat actor exploiting weak credentials (risk). Employee training to improve password hygiene (opportunity).
Document Actions:
   o Develop an action plan to address risks and opportunities.
   o Example: Implement multi-factor authentication (MFA) to mitigate credential-related risks.
Integrate Actions into the ISMS:
   o Incorporate actions into policies, processes, and controls.
   o Example: Establish a formal process for periodic review of access controls.
Monitor Effectiveness:
   o Use key performance indicators (KPIs) to evaluate implemented actions.

Clause 6.1.1: Actions to Address Risks and Opportunities (summary)
Requirement:
● Organizations must determine external and internal issues (Clause 4.1) and the needs and expectations of interested parties (Clause 4.2) that might affect the ISMS.
● Consider risks and opportunities to:
   o Ensure the ISMS achieves its intended outcomes.
   o Prevent or reduce undesired effects.
   o Achieve continual improvement.
Examples:
Risk: Emerging threats like phishing or ransomware attacks.
Opportunity: Enhance employee training programs on recognizing phishing attempts.
Action: Implement regular threat intelligence updates and awareness campaigns.
Implementation:
● Use tools like SWOT analysis or risk assessment frameworks to identify risks and opportunities.
● Document actions in an ISMS risk treatment plan.

Clause 6.1.2: Information Security Risk Assessment
Requirement: establish and maintain a risk assessment process:
● Identify information security risks.
● Analyze risks based on criteria like likelihood and impact.
● Prioritize risks for treatment.
Means of Implementation:
Establish Risk Assessment Criteria:
   o Define parameters (e.g., likelihood of occurrence, business impact).
   o Example: High likelihood of phishing attacks; critical impact of customer data loss.
Conduct Risk Identification:
   o Identify risks to the confidentiality, integrity, and availability of information.
   o Example: Risk of data breaches due to outdated software.
Analyze and Evaluate Risks:
   o Use qualitative or quantitative approaches (e.g., risk matrices).
   o Example: Assign a high risk rating to systems with unpatched vulnerabilities.

Clause 6.3 Planning of Changes, means of implementation (continued):
Assess Impact of Changes:
   o Evaluate risks, opportunities, and resource requirements.
   o Example: Migrating to a new data center requires updating access control policies.
Develop and Communicate Plans:
   o Include timelines, responsibilities, and testing protocols.
   o Example: Roll out a new endpoint protection solution in phases, starting with low-risk departments.
Monitor and Validate Changes:
   o Ensure that changes achieve their intended purpose.
   o Example: Conduct post-implementation reviews to validate the effectiveness of new controls.

Clause 6.1.2 (continued):
Document Findings:
   o Record identified risks and their evaluations in a risk register or similar tool.
Review Regularly:
   o Reassess risks during major changes or at predefined intervals.

Clause 6.1.2: Information Security Risk Assessment (summary)
Requirement:
● Establish a process for assessing information security risks, considering:
   1. The context of the organization.
   2. The identification of risks related to loss of confidentiality, integrity, and availability.
   3. The risk assessment criteria (likelihood, impact).
   4. Documenting and maintaining results.
Examples:
Scenario: A company's confidential data may be exposed due to weak access controls.
   o Risk Assessment Criteria:
      Likelihood: High (frequent unauthorized access attempts).
      Impact: High (potential data breach causing reputational damage).
   o Result: Prioritize strengthening access controls.
Implementation:
● Adopt frameworks like the NIST Cybersecurity Framework or ISO 31000 for structured risk assessments (ISO/IEC 27005 gives guidance specific to information security risk).

Risk Treatment Matrix (example)
Risk level | Treatment strategy | Typical actions
--- | --- | ---
Very High | Avoid or Mitigate | Stop project, change the process, implement strict controls
High | Mitigate or Transfer | Enhance safety protocols, buy insurance
Medium | Mitigate or Transfer | Implement contingency plans, subcontract certain tasks
Low | Retain or Mitigate | Accept risk, monitor, or implement simple controls
Very Low | Retain | Monitor with minimal intervention

A Risk Rating Matrix combined with Risk Treatment provides a systematic approach to assessing, evaluating, and managing risks in a project, organization, or process. While the matrix helps prioritize risks based on their likelihood and impact, the treatment part refers to the actions taken to mitigate or manage those risks.
1. Risk Rating Matrix
The Risk Rating Matrix evaluates each risk based on its likelihood (probability of occurrence) and impact (consequence or severity of the outcome). The combination of these two factors determines the risk level and prioritization.
Risk Rating Table (example; score = likelihood × consequence)
Likelihood \ Consequence | 1 (Insignificant) | 2 (First aid injury) | 3 (Minor injury / ill health) | 4 (Major injury / ill health) | 5 (Fatalities)
--- | --- | --- | --- | --- | ---
1 (Unlikely to occur but possible) | 1 | 2 | 3 | 4 | 5
2 (Unlikely but can reasonably be expected to occur) | 2 | 4 | 6 | 8 | 10
3 (Will occur several times) | 3 | 6 | 9 | 12 | 15
4 (Will occur frequently) | 4 | 8 | 12 | 16 | 20
5 (Continually experienced) | 5 | 10 | 15 | 20 | 25
The consequence scale in this example is a health-and-safety one; for an ISMS, substitute consequences to confidentiality, integrity and availability (data exposed, records corrupted, service unavailable) and keep the same arithmetic.

Risk Levels:
● Low Risk: risks that have low likelihood and/or impact.
● Medium Risk: risks that have moderate likelihood and/or impact.
● High Risk: risks that have higher likelihood or impact and require attention.
● Very High Risk: risks that have a high likelihood and/or severe impact and require immediate treatment and action.
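As an added example (not code from the deck), the scoring and treatment lookup from the Risk Treatment Matrix and Risk Rating Table above, carried through in code over a small constructed risk register. The deck names the levels but not the score cut-offs, so the bands below (1-2 Very Low, 3-4 Low, 5-9 Medium, 10-15 High, 16-25 Very High), the information-security wording of the consequence scale, and the register entries are assumptions. The residual-score function shows how a proposed control is re-rated before it goes into the risk treatment plan.

```python
"""Risk rating matrix (likelihood x consequence) with treatment lookup.

Added example, not code from the deck. Score bands, the consequence wording
and the sample register are assumptions; the treatment strategies and typical
actions are those of the deck's Risk Treatment Matrix.
"""
from dataclasses import dataclass

LIKELIHOOD = {
    1: "unlikely to occur but possible",
    2: "unlikely but can reasonably be expected to occur",
    3: "will occur several times",
    4: "will occur frequently",
    5: "continually experienced",
}
# Consequence scale restated for information security (assumption)
CONSEQUENCE = {
    1: "insignificant",
    2: "minor: contained, no data exposed",
    3: "moderate: limited data exposed or short outage",
    4: "major: regulated data exposed or prolonged outage",
    5: "severe: business-threatening loss or legal action",
}
# Score bands (assumption: the deck names the levels but not the cut-offs)
BANDS = [(1, 2, "Very Low"), (3, 4, "Low"), (5, 9, "Medium"),
         (10, 15, "High"), (16, 25, "Very High")]
# Treatment strategy per level, from the deck's Risk Treatment Matrix
TREATMENT = {
    "Very High": ("Avoid or Mitigate", "stop project, change the process, implement strict controls"),
    "High": ("Mitigate or Transfer", "enhance protocols, buy insurance"),
    "Medium": ("Mitigate or Transfer", "implement contingency plans, subcontract certain tasks"),
    "Low": ("Retain or Mitigate", "accept risk, monitor, or implement simple controls"),
    "Very Low": ("Retain", "monitor with minimal intervention"),
}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    consequence: int


def score(likelihood: int, consequence: int) -> int:
    """Matrix cell value: likelihood x consequence, both on the 1..5 scale."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be integers 1..5")
    return likelihood * consequence


def level(s: int) -> str:
    """Map a score to the risk level band it falls in."""
    for lo, hi, name in BANDS:
        if lo <= s <= hi:
            return name
    raise ValueError(f"score {s} is outside the 1..25 matrix")


def residual_score(risk: Risk, likelihood_cut: int = 0, consequence_cut: int = 0) -> int:
    """Re-rate a risk after a proposed control; neither axis drops below 1."""
    return score(max(1, risk.likelihood - likelihood_cut),
                 max(1, risk.consequence - consequence_cut))


def evaluate(register: list) -> list:
    """Score every risk, attach its treatment row, return highest score first.

    The ordering is the prioritisation the matrix exists to produce."""
    rows = []
    for r in register:
        s = score(r.likelihood, r.consequence)
        lv = level(s)
        strategy, action = TREATMENT[lv]
        rows.append({"asset": r.asset, "threat": r.threat, "score": s,
                     "level": lv, "strategy": strategy, "action": action})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register (not real assessment data)
SAMPLE_REGISTER = [
    Risk("customer database", "credential stuffing against the admin portal", 4, 5),
    Risk("file server", "ransomware delivered by phishing", 3, 4),
    Risk("laptops", "loss in transit (full-disk encryption in place)", 3, 2),
    Risk("intranet wiki", "defacement of internal pages", 2, 2),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['level']:<9} {row['strategy']:<20} {row['asset']}: {row['threat']}")
    # Proposed control: MFA on the admin portal, rated as cutting likelihood by 2 steps
    print("residual after MFA:", level(residual_score(SAMPLE_REGISTER[0], likelihood_cut=2)))
```

The residual rating is what the Statement of Applicability justification should cite: a control that moves the admin-portal risk from 20 (Very High) to 10 (High) is not finished treatment, it is a reason to pick a second control or to record a documented acceptance by the risk owner.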
Clause 6.1.3: Information Security Risk Treatment
Requirement: select and implement controls to treat identified risks. Document this process in a Statement of Applicability (SoA), which includes:
● Selected controls from Annex A.
● Omitted controls and justification.
● Linkages to specific risk treatment actions.
Means of Implementation:
Identify Controls:
   o Map risks to relevant controls in Annex A.
   o Example: Use encryption (A.8.24, Use of cryptography) to secure sensitive data during transmission.
Develop a Risk Treatment Plan:
   o Define actions, responsibilities, and timelines.
   o Example: Upgrade firewalls to address external intrusion risks.
Create a Statement of Applicability (SoA):
   o Document selected controls, omitted controls, and justifications.
   o Example: Exclude A.7.10 (Storage media) if the organization holds no information on removable or other physical storage media it controls. Cloud storage on its own is a weak justification, because laptops, backups and removable media usually remain in scope.
Implement and Test Controls:
   o Deploy controls, conduct regular testing, and validate their effectiveness.
Monitor and Review:
   o Ensure that risk treatment measures remain effective as threats evolve.

Clause 6.1.3: Information Security Risk Treatment (summary)
Requirement:
● Organizations must:
   1. Select controls to treat identified risks (Annex A).
   2. Justify controls based on risk assessments.
   3. Document a Statement of Applicability (SoA) to outline selected controls, omitted controls, and their justification.
Examples:
Identified Risk: Unauthorized access to a cloud storage system.
   o Control: Implement multi-factor authentication (Annex A.8.5, Secure authentication, applied under the access rules of A.5.15, Access control).
   o SoA Justification: Reduces the likelihood of unauthorized access by requiring two independent authentication factors.
Omitted Control: Physical destruction of data storage devices (Annex A.7.10, Storage media, and A.7.14, Secure disposal or re-use of equipment).
   o Justification: Data is stored entirely in the cloud, making this control unnecessary. This holds only if no on-premises media or endpoint devices ever hold the data; an auditor will ask for the evidence.
Implementation:
● Develop an SoA to document control decisions.
● Continuously review risk treatments for relevance as threats evolve.
Risk Treatment (Management)
Once risks have been assessed using the Risk Rating Matrix, the next step is to determine how to treat (manage) them. There are several strategies for risk treatment, and they can be applied depending on the risk level.
Risk Treatment Strategies:
Risk Avoidance:
   o Objective: Eliminate the risk entirely by changing the plan or process.
   o When to Apply: For Very High or High risk that cannot be mitigated effectively.
   o Example: Stopping a particular project that is too risky, or changing a process to avoid hazardous situations.
Risk Reduction (Mitigation):
   o Objective: Reduce the likelihood and/or impact of the risk.
   o When to Apply: For High and Medium risk.
   o Example: Implementing safety protocols to minimize workplace accidents, or installing backup systems to prevent data loss.
Risk Transfer:
   o Objective: Shift the risk to a third party.
   o When to Apply: For Medium or Low risk where the organization does not want to bear the full risk.
   o Example: Purchasing insurance, or outsourcing certain operations to transfer associated risks.
Risk Retention (Acceptance):
   o Objective: Accept the risk if the cost of mitigation is greater than the potential impact, or if the likelihood is very low.
   o When to Apply: For Low risk.
   o Example: Accepting minor risks such as the possibility of slight delays in a project due to external factors.
Risk Exploitation:
   o Objective: In some cases, organizations may actively seek out risks if there is a potential for high reward.
   o When to Apply: For Medium or Low risk where the opportunity outweighs the threat.
   o Example: Entering a new market with calculated risk, hoping for a high return on investment.

Implementing Risk Treatment Plans:
● Assign Responsibilities: Ensure that specific team members are assigned to monitor and manage each identified risk.
● Develop Action Plans: Outline detailed actions, timelines, and resources needed to mitigate or treat each risk.
● Monitor and Review: Continuously monitor risks and adjust treatment strategies as necessary based on changing circumstances.
● Document: Keep a record of all risks, treatments, and mitigation efforts for future reference and audits.

Clause 6.2: Information Security Objectives and Planning to Achieve Them
Requirement: organizations must establish measurable objectives that:
● Align with the ISMS policy.
● Reflect identified risks and opportunities.
● Are measurable, communicated, and updated regularly.
Means of Implementation:
Set SMART Objectives:
   o Specific, Measurable, Achievable, Relevant, Time-bound.
   o Example: Reduce unauthorized access attempts by 30% within six months.
Define Plans to Achieve Objectives:
   o Specify actions, timelines, resources, and responsible personnel.
   o Example: Conduct monthly security awareness sessions for employees.
Monitor Progress:
   o Use KPIs to track performance.
   o Example: Monitor the number of successful and blocked login attempts.
Communicate Objectives:
   o Share objectives across the organization to ensure alignment.
   o Example: Include objectives in employee onboarding and awareness programs.
Review and Update:
   o Assess relevance during management reviews or significant organizational changes.
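The KPI "number of successful and blocked login attempts" only supports the 30% objective if it is computed the same way every period, so here is an added example (not code from the deck) that derives it from authentication logs. The log lines are constructed in OpenSSH's sshd message wording with an ISO 8601 timestamp prefix (an assumption about the log pipeline); the baseline and current months, the 30% target taken from the objective above, and the three-failures threshold for flagging repeat sources are illustrative. The report returns both failed and accepted counts, because raw failed attempts are driven by attackers rather than by the organization; the ratio of failed to accepted logins, and the number of sources that get blocked, are usually the more defensible measures to put in the Clause 9.1 measurement record.

```python
"""Clause 6.2 KPI from authentication logs: failed vs accepted logins per month.

Added example, not code from the deck. Log lines below are constructed in
sshd's message format with an ISO 8601 timestamp (assumed log pipeline).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample covering two months; not real log data
SAMPLE_LOG = """\
2024-01-03T02:14:07Z bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
2024-01-03T02:14:09Z bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
2024-01-03T02:14:12Z bastion sshd[1201]: Failed password for root from 203.0.113.9 port 51240 ssh2
2024-01-03T02:15:00Z bastion sshd[1204]: Failed password for alice from 198.51.100.4 port 40110 ssh2
2024-01-03T02:15:05Z bastion sshd[1204]: Accepted publickey for alice from 198.51.100.4 port 40110 ssh2
2024-01-17T09:01:33Z bastion sshd[1502]: Failed password for invalid user test from 203.0.113.77 port 33001 ssh2
2024-02-04T11:20:01Z bastion sshd[2201]: Failed password for bob from 198.51.100.9 port 40200 ssh2
2024-02-04T11:20:10Z bastion sshd[2201]: Accepted publickey for bob from 198.51.100.9 port 40200 ssh2
2024-02-19T23:59:59Z bastion sshd[2390]: Failed password for invalid user admin from 203.0.113.9 port 51900 ssh2
2024-02-20T00:00:01Z bastion sshd[2391]: Accepted publickey for alice from 198.51.100.4 port 40111 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted publickey for X from IP"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines):
    """Yield one dict per recognisable sshd auth event; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        event["month"] = event["ts"].strftime("%Y-%m")
        yield event


def monthly_counts(events):
    """Failed and Accepted logins per month: the raw KPI series."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["month"]][e["result"]] += 1
    return {month: dict(c) for month, c in sorted(counts.items())}


def kpi_report(log_text, baseline_month, current_month, target_reduction=0.30,
               repeat_threshold=3):
    """Compare failed logins in two months against the objective's target.

    Also lists sources with repeat_threshold or more failures in a month: the
    candidates for blocking, which is the part of the measure the team controls."""
    events = list(parse(log_text.splitlines()))
    counts = monthly_counts(events)
    base = counts.get(baseline_month, {}).get("Failed", 0)
    cur = counts.get(current_month, {}).get("Failed", 0)
    reduction = (base - cur) / base if base else 0.0
    per_source = Counter((e["month"], e["ip"]) for e in events if e["result"] == "Failed")
    repeat_sources = sorted({ip for (_, ip), n in per_source.items() if n >= repeat_threshold})
    return {
        "monthly": counts,
        "baseline_failed": base,
        "current_failed": cur,
        "reduction": round(reduction, 2),
        "target_met": reduction >= target_reduction,
        "repeat_sources": repeat_sources,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(kpi_report(SAMPLE_LOG, "2024-01", "2024-02"), indent=2))
```

Running `kpi_report` each month and appending its output to the measurement record gives the Clause 9.1 evidence an auditor asks for; feeding `repeat_sources` to the firewall or fail2ban is the corresponding control action.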
  • 101.
    Clause 6.2: Information Security Objectives and Planning to Achieve Them
    Requirement:
       Organizations must establish measurable information security objectives that:
        o Align with the ISMS policy.
        o Consider applicable risks, opportunities, and business requirements.
        o Are measurable, monitored, communicated, and updated as needed.
    Examples:
    Objective: Reduce phishing incidents by 30% within one year.
      o Target: Achieve 95% participation in employee security awareness training.
      o Measurement: Track phishing simulation success rates quarterly.
      o Responsibility: Security awareness team.
    Objective: Ensure 100% compliance with data retention policies by Q4.
      o Target: Audit 10% of records monthly for retention policy adherence.
    Implementation:
       Use the SMART framework (Specific, Measurable, Achievable, Relevant, Time-bound) for setting objectives.
       Assign responsibilities and allocate resources for achieving objectives.
  • 102.
    Clause 6.3: Planning of Changes
    Requirement: Organizations must ensure that changes to the ISMS are:
       Planned systematically.
       Evaluated for potential consequences.
       Implemented without compromising the ISMS's integrity.
    Means of Implementation:
    Define Change Management Process:
      o Create a documented procedure for planning and approving changes.
      o Example: Introduce a change request form to capture details of proposed changes.
  • 103.
    Clause 6.3: Planning of Changes
    Requirement:
       Organizations must plan changes to the ISMS systematically, considering:
        o The purpose and potential consequences of the change.
        o The integrity of the ISMS.
        o Resource availability.
        o Responsibilities for implementing changes.
    Examples:
    Scenario: Migrating from on-premises servers to a cloud infrastructure.
      o Purpose: Enhance scalability and reduce maintenance costs.
      o Considerations:
           Impact on existing security controls.
           Retraining IT staff on cloud security practices.
  • 104.
      o Plan:
           Perform a risk assessment specific to cloud environments.
           Update access controls to address cloud-specific threats.
    Scenario: Expanding operations to a new region.
      o Considerations:
           Compliance with local data protection laws.
           Revising ISMS policies to account for regional differences.
    Implementation:
       Maintain a documented change control process.
       Use a change management framework like ITIL to align ISMS changes with business goals.
  • 105.
    Example Risk Treatment Plan:
    Risk ID | Description | Impact | Likelihood | Risk Level | Treatment
    RISK001 | Unpatched OS vulnerabilities | Severe | High | High | Apply patches for critical vulnerabilities immediately.
    RISK002 | Missing updates on web servers | Severe | High | High | Perform regular vulnerability scans and enforce patch management.
  • 106.
    Examples of Implementation for Clause 6
    Clause | Action
    6.1.1 | Address risks and opportunities
    6.1.2 | Perform risk assessment
    6.1.3 | Develop risk treatment plans
    6.2 | Set and track information security objectives
    6.3 | Plan and manage ISMS changes
  • 107.
    Summary of Clause 6 Planning Steps with Examples
    Clause | Key Action
    6.1.1 | Address risks and opportunities
    6.1.2 | Perform risk assessment
    6.1.3 | Treat risks and document controls in the SoA
    6.2 | Set measurable objectives
    6.3 | Plan changes systematically
  • 108.
    The ISO 27001 standard lines up four possible risk treatment options.
  • 110.
    Category | Risk/Opportunity | Description | Controls | Responsibilities
    Risks | Data Breach | Unauthorized access or exposure of sensitive information. | Encryption, multi-factor authentication (MFA), regular audits | IT Security Team
    Risks | Insider Threats | Employees misusing access to data or systems. | Access control policies, user activity monitoring, awareness training | HR Department, IT Security Team
    Risks | Phishing and Cyber Attacks | Email-based attacks to steal credentials or distribute malware. | Anti-phishing tools, employee training, incident response plans | IT Security Team, Management
    Risks | Non-compliance with Regulations | Failure to comply with data protection laws and standards. | Legal compliance audits, policy reviews, employee awareness | Compliance Officer, Legal Team
    Risks | System Downtime | Unavailability of critical IT systems, impacting operations. | Business continuity plans, system redundancy, uptime monitoring | IT Operations Team
  • 111.
    Objective | Target | Measurement | Timeline | How (Methods) | Responsibilities
    Ensure Confidentiality of Information | Reduce unauthorized access incidents by 95%. | Number of unauthorized access incidents reported. | Annually | Implement access controls, user monitoring, and audits. | IT Security Team
    Enhance Employee Security Awareness | Achieve 100% completion rate for security training programs. | Training completion records and post-training assessments. | Quarterly | Conduct security training sessions and phishing simulations. | HR Department, IT Security Team
    Improve Incident Response Time | Respond to security incidents within 2 hours. | Average response time for incidents. | Monthly | Incident response plan, real-time monitoring, and reporting. | IT Operations Team
    Ensure Data Integrity | Zero incidents of data corruption or unauthorized modifications. | Number of data integrity breaches detected. | Annually | Implement data validation, secure backups, and checksums. | IT Security Team, Database Admin
    Achieve 100% Compliance with Regulations | Pass all regulatory and compliance audits with no nonconformities. | Audit reports and corrective action tracking. | Biannually | Regular compliance reviews, internal and external audits. | Compliance Officer, Legal Team
  • 115.
    Internal communication for an Information Security Management System (ISMS) in accordance with ISO 27001:2022 Clause 7.4:
    What | Who | When | Where | Why | How
    Information Security Policies and Objectives | Top Management to All Employees | At launch, annually, or on updates | Email, intranet, team meetings | Ensure alignment with ISMS goals and compliance requirements | Document distribution, presentations
    Security Incident Reports | Employees to IT Security Team | As incidents occur | Incident reporting platform | Ensure timely detection and response to security threats | Incident reporting forms and workflows
    Risk Assessment Results | Risk Management Team to Management | Quarterly | ISMS review meetings | Inform decision-making on risk controls | Risk assessment reports and dashboards
    Changes to Security Controls | IT Security Team to All Affected Users | As changes occur | Email, intranet updates | Ensure employees understand and comply with updated controls | Change management notifications
    Training and Awareness Updates | HR/IT Security Team to Employees | Quarterly or as needed | Workshops, online platforms | Enhance employee awareness of ISMS requirements | Training sessions and e-learning modules
  • 116.
    External communication of ISMS
    What | Who | When | Where | Why | How
    ISMS Policy Statement | ISMS Manager to Clients/Stakeholders | At the start of implementation and on updates | Company website, emails | Demonstrate commitment to information security | Policy documents, press releases
    Compliance with Legal/Regulatory Requirements | Compliance Officer to Regulators | As required by law or upon changes | Regulatory submissions | Ensure compliance with legal and contractual obligations | Official filings and formal communication
    Incident Notifications | IT Security Team to Affected Parties | Within SLA timelines or immediately after detection | Email, phone, incident response portal | Inform affected parties about security breaches and mitigations | Incident response reports
    ISMS Certification Status | Management to Clients/Interested Parties | Annually or upon certification | Reports, official website | Build trust and demonstrate adherence to ISO 27001 standards | Certification reports, official announcements
    Service-Level Agreements (SLAs) on ISMS | IT/Legal Teams to Customers/Vendors | At contract signing and renewals | Contracts, emails | Define responsibilities for information security in agreements | Contracts, terms, and conditions documents
  • 117.
    Some of the mandatory ISO 27001 documents and records:
       ISMS Scope document
       Information Security Policy
       Risk Assessment Report
       Statement of Applicability
       Internal Audit Report
  • 118.
    Here are the items you must document if you want to be compliant with ISO 27001, and the most common ways to title those documents:
    What must be documented | ISO 27001 reference | Usually documented through
    Scope of the ISMS | Clause 4.3 | ISMS Scope document
    Information security policy | Clause 5.2 | Information Security Policy
    Risk assessment and risk treatment process | Clause 6.1.2 | Risk Assessment and Treatment Methodology
    Statement of Applicability | Clause 6.1.3 d) | Statement of Applicability
    Risk treatment plan | Clauses 6.1.3 e), 6.2, and 8.3 | Risk Treatment Plan
    Information security objectives | Clause 6.2 | List of Security Objectives
    Risk assessment and treatment report | Clauses 8.2 and 8.3 | Risk Assessment & Treatment Report
    Inventory of assets | Control A.5.9* | Inventory of Assets, or List of Assets in the Risk Register
  • 119.
    Acceptable use of assets | Control A.5.10* | IT Security Policy
    Incident response procedure | Control A.5.26* | Incident Management Procedure
    Statutory, regulatory, and contractual requirements | Control A.5.31* | List of Legal, Regulatory, and Contractual Requirements
    Security operating procedures for IT management | Control A.5.37* | Security Procedures for IT Department
    Definition of security roles and responsibilities | Controls A.6.2 and A.6.6* | Agreements, NDAs, and specifying responsibilities in each security policy and procedure
    Definition of security configurations | Control A.8.9* | Security Procedures for IT Department
    Secure system engineering principles | Control A.8.27* | Secure Development Policy
  • 120.
    Non-mandatory ISO 27001 documents
    There are numerous non-mandatory ISO 27001 documents that can be used for the implementation, especially for the security controls from Annex A, but not all of them are equally useful. I find these non-mandatory documents to be most commonly used:
       Procedure for Document and Record Control (clause 7.5, control A.5.33)
       Procedure for Internal Audit (clause 9.2)
       Procedure for Corrective Action (clause 10.2)
       Information Classification Policy (controls A.5.10, A.5.12, and A.5.13)
       Information Transfer Policy (control A.5.14)
       Access Control Policy (control A.5.15)
  • 121.
       Password Policy (controls A.5.16, A.5.17, and A.8.5)
       Supplier Security Policy (controls A.5.19, A.5.21, A.5.22, and A.5.23)
       Disaster Recovery Plan (controls A.5.29, A.5.30, and A.8.14)
       Mobile Device, Teleworking, and Work from Home Policy (controls A.6.7, A.7.8, A.7.9, and A.8.1)
       Procedures for Working in Secure Areas (controls A.7.4 and A.7.6)
       Clear Desk and Clear Screen Policy (control A.7.7)
       Bring Your Own Device (BYOD) Policy (controls A.7.8 and A.8.1)
       Disposal and Destruction Policy (controls A.7.10, A.7.14, and A.8.10)
       Backup Policy (control A.8.13)
       Encryption Policy (control A.8.24)
       Change Management Policy (control A.8.32)
  • 122.
    ISO 27001 records that are mandatory
    What must be recorded | ISO 27001 reference | Usually recorded through
    Trainings, skills, experience, and qualifications | Clause 7.2 | Training certificates and CVs
    Monitoring and measurement results | Clause 9.1 | Measurement Report
    Internal audit program | Clause 9.2 | Internal Audit Program
    Results of internal audits | Clause 9.2 | Internal Audit Report
    Results of the management review | Clause 9.3 | Management Review Minutes
    Results of corrective actions | Clause 10.2 | Corrective Action Form
    Logs of user activities, exceptions, and security events | Control A.8.15* | Automatic logs in information systems
  • 123.
    8. Operation
    8.1 Operational planning and control
      – establishing criteria for processes
      – implementing control of the processes in accordance with the criteria
    8.2 Information security risk assessment
    8.3 Information security risk treatment
  • 125.
    9. Performance Evaluation
    9.1 Monitoring, measurement, analysis and evaluation
    9.2 Internal audit
    9.3 Management review
  • 126.
    10. Improvement
    10.1 Continual improvement measurement, analysis and evaluation
    10.2 Nonconformity and corrective action
  • 131.
    ISO 27001:2022 NEW CONTROLS
    Organisational Controls
    • 5.7 Threat Intelligence
    • 5.23 Information Security for use of Cloud Services
    • 5.30 ICT Readiness for Business Continuity
    Physical Controls
    • 7.4 Physical Security Monitoring
    Technical Controls
    • 8.9 Configuration Management
    • 8.10 Information Deletion
    • 8.11 Data Masking
    • 8.12 Data Leakage Prevention
    • 8.16 Monitoring Activities
    • 8.23 Web Filtering
    • 8.28 Secure Coding
  • 136.
    Organizational control: Threat Intelligence
    ❖ What is threat intelligence in ISO 27001, and what is its purpose?
    Three levels of threat intelligence:
    1. Strategic Threat Intelligence (WHO & WHY): high-level information about the threat landscape
    2. Tactical Threat Intelligence (WHAT): intelligence on tools, techniques and attack methodologies
    3. Operational Threat Intelligence (HOW & WHERE): intelligence on specific attacks and indicators
  • 137.
    Physical Controls
    • Natural disaster
    • Single entry point
    • CCTV camera surveillance
    • 24×7 on-site security guards
    • Uninterruptible Power Supply
    • Security of information assets
    • Authorized entry point
    • Internet access control

Editor's Notes

  • #26
    Plan – Identify the problems and collect useful information to evaluate security risk. Define the policies and processes that can be used to address problem root causes. Develop methods to establish continuous improvement in information security management capabilities.
    Do – Implement the planned security policies and procedures. The implementation follows the ISO standards, but the actual implementation is based on the resources available to the organization.
    Check – Monitor the effectiveness of ISMS policies and controls. Evaluate tangible outcomes as well as behavioural aspects associated with the ISMS processes.
    Act – Focus on continuous improvement. Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.