ISO/IEC 27001:2022 - Information Security Management Systems

Standard: iso-27001
Organizations Certified (Tracked): 96,709
Certification Cycle: 3 years (surveillance annually)

Introduction

Primary Aim: Establish, implement, maintain and continually improve a management system aligned to ISO/IEC 27001.

Process Focus: Risk-based thinking, a process approach, and performance evaluation.

Outcome: Consistent, effective, and evidence-based results.

ISO/IEC 27001:2022 establishes requirements for an Information Security Management System (ISMS) to manage information risks systematically, protecting confidentiality, integrity, and availability.

It uses a risk-based approach, with Annex A providing 93 controls across 4 themes: organizational, people, physical, technological.

Major Requirements Mapped to Clauses:

- Clause 4: Context of the organization – internal/external issues, interested parties, ISMS scope.
- Clause 5: Leadership – information security policy, roles and responsibilities.
- Clause 6: Planning – risks and opportunities, information security objectives.
- Clause 7: Support – resources, competence, awareness, communication, documented information.
- Clause 8: Operation – operational planning and control, risk assessment and treatment, control implementation, change and outsourced processes.
- Clause 9: Performance evaluation – monitoring and measurement, internal audit, management review.
- Clause 10: Improvement – nonconformity and corrective action, continual improvement.
- Annex A: Control selection justified in the Statement of Applicability (SoA).


Certification Expectations (for auditees)

  • Information asset inventory and risk register; SoA justifying control selection/exclusions; evidence of control effectiveness (e.g., access logs, encryption policies).
  • Incident management procedures with response times; supplier security agreements; awareness training metrics.
  • Internal audits covering ISMS scope; management reviews with risk updates; simulated breach exercises.
Themes: leadership commitment, competence, documented info, operational control, monitoring & measurement, internal audit, management review.

How ACSGP conducts the audit

Aligned to ISO/IEC 17021-1 (requirements for bodies providing audit and certification) and ISO 19011 (guidelines for auditing management systems).

  1. Conducted in conformity with ISO/IEC 17021-1 for ISMS certification and ISO 19011 for audit methods, with auditor confidentiality obligations applied to all client information reviewed.

  2. Process: Stage 1 reviews ISMS documentation (scope, risk assessment, SoA); Stage 2 tests the effectiveness of implemented controls, using penetration-test evidence where applicable; annual surveillance audits revisit risk treatment in light of changes to the threat landscape.

  3. Auditors hold CISA/CISM certifications; findings are reported per ISO 19011, with remote audit options for globally distributed teams.

Value Addition Auditing: We assess both efficiency and effectiveness, ensuring your management system becomes an asset, not a liability—while maintaining impartiality, competence, and evidence-based principles.

Benefits of conformity with the standard

  • Reduces breach risks by 30-50%, minimizing financial losses (average breach cost $4.45M).
  • Provides regulatory assurance (e.g., GDPR, HIPAA), building trust with clients and partners.
  • Fosters a security-aware culture, improving incident response times by 40%.
  • Enables competitive differentiation in digital markets, with certified firms winning 20% more contracts.

Benefits of ACSGP Certification

  • IASCB-backed for universal acceptance, including cloud providers.
  • Bundled with ISO 20000 for IT security synergy.
  • ACSGP cyber threat intelligence briefings quarterly.
  • Gap analysis tools tailored to Annex A updates.