The Core Structure of ISO 27001:2022 – Everything You Need to Know

Jay TilluJay Tillu
4 min read

ISO 27001:2022 is the latest iteration of the globally recognized standard for Information Security Management Systems (ISMS). It provides a structured approach to managing information security risks, ensuring data confidentiality, integrity, and availability. But how exactly is this standard structured, and what are its key components? Understanding its core structure is crucial for successful implementation and certification. Let’s dive into the core structure of ISO 27001:2022.

Understanding the Structure of ISO 27001:2022

ISO 27001:2022 follows the Annex SL Structure, which is a high-level framework used across multiple ISO management system standards. This uniform structure helps organizations integrate ISO 27001 with other standards like ISO 9001 (Quality Management) and ISO 27701 (Privacy Information Management).

The standard is divided into two main parts:

  1. Main Clauses (0–10) – The fundamental requirements organizations must follow to establish an ISMS.

  2. Annex A Controls – A set of security controls that support risk management and security best practices.

Detailed Breakdown of ISO 27001:2022

The core structure of ISO 27001:2022 consists of 10 clauses. These clauses define the framework for establishing, implementing, maintaining, and improving an ISMS. Let’s explore each clause:

Part 1: Main Clauses (0–10) - The Mandatory Framework

The first part of ISO 27001:2022 consists of 10 clauses that provide the foundation for implementing and maintaining an ISMS.

  • These define the core structure of the standard.

  • Clauses 4 to 10 contain the mandatory requirements for an Information Security Management System (ISMS).

  • Organizations must comply with these requirements to achieve ISO 27001 certification.

  • They provide a high-level framework on topics like risk management, leadership, and continuous improvement.

Clauses 0–3: Introduction & Basics (Informative)

These are not mandatory but help you understand the standard:

  • Clause 0 – Introduction: Explains the purpose of ISO 27001 and why it’s important.

  • Clause 1 – Scope: Defines which types of organizations can use the standard.

  • Clause 2 – Normative References: Just says ISO 27000 is the reference document.

  • Clause 3 – Terms & Definitions: Lists key security terms used in the standard.

Clauses 4–10: Core ISMS Requirements (Mandatory)

These must be followed to get ISO 27001 certified.

Clause 4 – Context of the Organization:

  • Identify internal & external factors affecting security.

  • Understand stakeholders’ expectations.

Clause 5 – Leadership:

  • Top management must support and drive security initiatives.

  • Define roles, responsibilities, and policies.

Clause 6 – Planning:

  • Identify risks & opportunities.

  • Set security objectives and make a plan to achieve them.

Clause 7 – Support:

  • Ensure people have the right skills & training.

  • Maintain proper documentation for security management.

Clause 8 – Operation:

  • Implement risk treatments and security measures.

  • Run your ISMS as part of daily operations.

Clause 9 – Performance Evaluation:

  • Monitor, measure, analyze, and evaluate security performance.

  • Monitor, measure, analyze, and evaluate security performance.

Clause 10 – Improvement:

  • Address non-conformities & take corrective action.

  • Continuously improve the ISMS.

Part 2: Annex A: Security Controls (Flexible & Customizable)

Annex A provides 93 security controls grouped into 4 themes.

⚠️ Not all controls are mandatory—you only apply the ones relevant to your risks.

🔵 Theme 1: Organizational Controls (37 controls)

  • Covers policies, risk management, supplier security, incident response, etc.

🟢 Theme 2: People Controls (8 controls)

  • Focuses on HR security, training, and responsibilities of employees.

🟠 Theme 3: Physical Controls (14 controls)

  • Deals with building security, asset protection, and secure work environments.

🔴 Theme 4: Technological Controls (34 controls)

  • Includes access control, encryption, monitoring, and cyber defenses.

Why Understanding the Structure Matters?

Knowing the core structure of ISO 27001:2022 helps organizations:

  • Implement the ISMS effectively

  • Align security policies with business goals

  • Streamline audits and compliance efforts

  • Integrate ISO 27001 with other standards

By following this structured approach, businesses can ensure a robust, scalable, and continuously improving information security framework.

Final Thoughts

ISO 27001:2022 provides a clear roadmap for organizations to secure their information assets systematically. Understanding its structure—main clauses and Annex A controls—enables businesses to navigate compliance with ease and confidence.

If you're looking to implement ISO 27001:2022 in your organization, start by assessing your current security posture and aligning your ISMS with these core principles.

👉 Stay tuned for more articles on ISO 27001:2022 as we break down key components to help you achieve compliance seamlessly!

Learn more about Compliance

Follow me for more such content

0
Subscribe to my newsletter

Read articles from Jay Tillu directly inside your inbox. Subscribe to the newsletter, and don't miss out.

compliance Securitysecurityawareness#cybersecuritycybersecurityCyberSecISO 27001iso27701cloud security

Written by

Jay Tillu
Jay Tillu

Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!