Strike Graph security compliance blog

How many controls are there in ISO 27001:2022?

Written by Kenneth Webb, CISSP, GWAPT, CSSLP, CISA, CIS LA | Jun 30, 2023 7:00:00 AM

As a quick refresher: controls are actions that mitigate security risks. They’re typically defined by three main factors: who performs an activity, the nature of the action, and how often the action happens.

When it comes to the original ISO 27001 framework, there are 114 ISO 27001 controls that address specific security risks to ensure an organization’s information security management system (ISMS) is robust enough to protect sensitive data. 

However, with the release of ISO 27001:2022, the number of controls is being reduced to 93 from the original 114 controls.

The main part of ISO 27001 that has been changed pertains to its Annex A controls and domains. This is where controls have been merged, removed, and added.

Previously, Annex A’s 114 controls were divided into 14 categories or domains:

  • Information security policies
  • Organization of information security
  • Human resources security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operational security
  • Communications security
  • System acquisition, development, and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

In ISO 27001:2022, the 14 domains have been replaced by four themes:

  • People (8 controls)
  • Organizational (37 controls)
  • Technological (34 controls)
  • Physical (14 controls)

Furthermore, ISO 27001:2022 controls now have five types of attributes so that they’re easier to categorize:

  • Control type: preventive, detective, corrective
  • Information security properties: confidentiality, integrity, availability
  • Cybersecurity concepts: identify, detect, protect, respond, recover
  • Operational capabilities: continuity, application security, governance, asset management, information security assurance, identity and access management, legal and compliance, threat and vulnerability management, secure configuration, information security event management, information protection, physical security, human resource security, supplier relationships security, system and network security
  • Security domains: protection, governance and ecosystem, defense, resilience

So, what are the new controls that ISO 27001:2022 has introduced? Let’s take a look at each of those now.

Threat intelligence

This control requires your organization to gather information both internally and externally about threats, including attack trends as well as technologies and methods attackers are employing. Next, you’ll need to analyze all of this information in order to take appropriate actions to mitigate risk and ensure your organization is safe.

Information security for use of cloud services

For this control, you’ll need to determine and set security requirements for cloud services, including criteria for selecting a cloud provider, what’s considered acceptable use of the cloud, and requirements when terminating the service. These security measures around buying, utilizing, managing, and canceling the use of cloud services will allow your organization to better protect the information you have stored in the cloud.

ICT readiness for business continuity

The ICT readiness control requires your organization to have its information and communication technology (ICT) ready for potential disruptions. This process will include creating a plan — which includes a thorough understanding of risks as well as business needs for recovery — implementing that plan, setting up a technology maintenance process, and testing your disaster recovery and/or business continuity plans. This control ensures that all required assets and information are available when they’re needed should an incident occur.

Physical security monitoring

For the physical security monitoring control, you’ll need to monitor sensitive areas like warehouses, offices, and other facilities in order to ensure only authorized personnel have access to them. This can include hiring a security guard and/or installing an alarm or video monitoring system. Although ISO 27001:2022 does not require documentation for this control, you may want to independently document what is being monitored, who is in charge of each system, who is monitoring a specific area or premises, and more.

Configuration management

The configuration management control requires your organization to manage the whole cycle of security configuration for your technology, including networks, systems, services, software, and hardware. You’ll need to create a process for defining, proposing, implementing, monitoring, reviewing, managing, and approving security configurations. This will help your organization ensure you have a robust security program in place and will also help you avoid any unauthorized changes to your configurations. This control will need to be documented.

Information deletion

For this control, you’ll need to set up a process that defines which data need to be deleted and when, as well as the methods and responsibilities for deletion. This will allow you to effectively and efficiently delete data from networks like your cloud services and IT systems when they’re no longer required. Deleting such data will help you comply with privacy and other security requirements, as well as avoid any leakage of sensitive information.

Data masking

For this control, you’ll need to set up processes to determine which of your data need to be masked, who can access which type of data, and which methods — like anonymization, encryption, pseudonymization, or obfuscation — will be used in order to mask the data. This data masking and access control will help your organization limit the exposure of sensitive information like personally identifiable information (PII).

Data leakage prevention

This control requires your organization to determine the sensitivity of data, assess the risks of various technologies, monitor channels, and define which technology to use in order to prevent data leakage. This will help you avoid unauthorized disclosure of sensitive information as well as detect any such leaks in a timely manner. It may include implementing measures like encryption, restricting uploads, and disabling downloads across your technology ecosystem in order to keep sensitive data safe.

Monitoring activities

For this control, you’ll need to continuously monitor your networks, systems, and applications — including log-ons, activity, and traffic — in order to recognize any unusual activity and take appropriate action. You’ll define which systems will be monitored, how they will be monitored, who will be responsible for monitoring what, how to define unusual activity, how to report any incidents, and more.

Web filtering

The web filtering control requires your organization to establish processes to manage which websites your users are accessing, determine which types of websites aren’t allowed, and establish how your web filtering tools are maintained in order to prevent your network and systems from being compromised.

Secure coding

This control ensures your organization is using secure coding principles in order to reduce vulnerabilities in your software. Applying these principles to your software development process can help protect your organization from tampering, attacks, and malicious log-ons, and ensure that only safe external apps and tools are allowed.

Are you ready to start preparing for ISO 27001:2022? The good news is if you’re already in the process of achieving ISO 27001:2013, all your work is not lost. In fact, ISO 27001:2013 will not be retired for another three years. However, you may want to start using the new Annex A controls from ISO 27001:2022, and Strike Graph can help with that.