This area relates to how an organisation understands the context in which its ISMS operates. ISO 27001:2022 (Clause 4.1) addresses the identification of internal and external issues that are relevant to the organisation's purpose and that may affect its ability to achieve the intended outcomes of the ISMS.

These issues can include both positive and negative factors. Examples of internal issues might include organisational structure, culture, resources, or capabilities. Examples of external issues might include legal, regulatory, technological, competitive, market, or environmental factors at international, national, regional, or local levels.

Organisations may document and review these issues in various ways. Examples of this might include structured analysis exercises, registers, or internal documents that are periodically reviewed.

This area relates to how an organisation identifies the parties that have an interest in its ISMS and determines their relevant requirements. ISO 27001:2022 (Clause 4.2) addresses the identification of interested parties and their needs and expectations.

Interested parties are individuals or entities that may affect, be affected by, or perceive themselves to be affected by the organisation's information security activities. Examples of this might include customers, regulatory authorities, employees, suppliers, or industry bodies.

Organisations may capture this information in various forms, such as registers, documented analyses, or records that are periodically reviewed.

This area relates to how an organisation defines and documents the boundaries and applicability of its management system. ISO 27001:2022 (Clause 4.3) addresses the determination of the ISMS scope.

The scope identifies the information assets, processes, functions, sites, or systems covered by the management system. It typically reflects the organisation's context, the requirements of interested parties, and the interfaces between the organisation's own activities and those performed by other organisations.

The scope is generally documented and made available as documented information.

This area relates to how an organisation identifies and manages the processes that underpin its ISMS. ISO 27001:2022 (Clause 4.4) addresses the establishment, implementation, maintenance, and continual improvement of the ISMS, including the processes needed and their interactions.

Organisations may document process interactions in various ways. Examples of this might include process maps, procedural documents, or system descriptions that show how processes are applied across the organisation.

This area relates to the existence of a documented information security policy within an organisation's ISMS. ISO 27001:2022 (Clause 5.2) addresses the establishment of a top-level information security policy.

An information security policy typically covers the organisation's approach to protecting information, provides a framework for setting information security objectives, and reflects commitments relating to applicable requirements and continual improvement.

Organisations may structure this policy in various ways. The policy is generally expected to be available as documented information, communicated to relevant personnel and interested parties, and reviewed at planned intervals.

This area relates to how an organisation assigns and communicates roles, responsibilities, and authorities relevant to information security. ISO 27001:2022 (Clause 5.3) addresses the assignment and communication of responsibilities and authorities for roles relevant to the ISMS.

Organisations may communicate roles and responsibilities in various ways. Examples of this might include organisational charts, job descriptions, or documented procedures that identify who is responsible for specific ISMS-related activities.

This area relates to how an organisation identifies and addresses information security risks and opportunities. ISO 27001:2022 (Clause 6.1) addresses the planning of actions to address risks and opportunities in the context of the ISMS.

This typically involves considering the organisation's context, the requirements of interested parties, and the intended outcomes of the ISMS. Risks and opportunities may relate to the confidentiality, integrity, or availability of information assets.

Organisations may document and manage this in various forms. Examples of this might include risk registers, treatment plans, or documented processes for ongoing review.

Clause 6.1.3 relates to how an organisation determines and applies a process for treating its information security risks. It requires the organisation to define and apply an information security risk treatment process, determine appropriate controls, and produce a Statement of Applicability.

Risk treatment approaches typically include modifying, avoiding, sharing, or accepting risks. The organisation is required to compare the determined controls with those in Annex A to verify that no necessary controls have been omitted.

Organisations are required to produce a Statement of Applicability that identifies the necessary controls (including those from Annex A), indicates whether they are implemented, and provides justification for both inclusion and any exclusions of Annex A controls. A risk treatment plan, detailing the actions to be taken, responsibilities, and timescales for implementing selected controls, is also a key output of this process.

This area relates to how an organisation determines and manages its information security objectives. ISO 27001:2022 (Clause 6.2) addresses the establishment of information security objectives at relevant functions and levels.

Information security objectives are typically consistent with the information security policy, consider the results of risk assessment and risk treatment, and are monitored and communicated. They may be quantitative or qualitative in nature.

Organisations may document objectives in various formats, such as objective registers, management documents, or performance management frameworks.

This area relates to how an organisation determines and manages the infrastructure and supporting resources needed for its management system. Relevant ISO standards (e.g. ISO 27001:2022 Clause 7.1) address the provision of resources necessary to establish, implement, maintain, and continually improve the management system.

Infrastructure relevant to the management system may include physical facilities, hardware, software, networks, and supporting utilities. Organisations may maintain records of assets and their maintenance in various ways.

Examples of this might include asset inventories, maintenance schedules, or equipment registers.

This area relates to how an organisation determines and maintains the competence of personnel whose work affects information security performance. ISO 27001:2022 (Clause 7.2) addresses the competence requirements for persons working under the organisation's control.

Competence may be acquired through education, training, or experience. Organisations are expected to retain documented information as evidence of competence.

Examples of this might include training records, skills matrices, qualifications logs, or appraisal documentation that records competency requirements and how they are met.

This area relates to how an organisation plans and manages communications relevant to its ISMS. ISO 27001:2022 (Clause 7.4) addresses the determination of internal and external communications relevant to the management system.

This typically covers what information is communicated, when it is communicated, to whom, by whom, and by what means. Organisations may also address how personnel are made aware of the information security policy, objectives, and their contribution to the effectiveness of the ISMS.

Examples of this might include communication plans, awareness programmes, or documented procedures for internal and external information flows.

This area relates to how an organisation manages and controls the use of external providers in relation to its ISMS. ISO 27001:2022 (Clause 8.1, and related Annex A controls) addresses the planning, implementation, and control of processes relevant to the ISMS, including those involving external parties.

This typically covers how the organisation ensures that externally provided processes, products, or services that affect information security are identified and managed. Examples of this might include supplier selection criteria, contractual information security requirements, or monitoring processes for external providers.

Organisations may document this through supplier management procedures, contracts, or performance review records.

This area relates to how an organisation creates, controls, and maintains documented information in support of its ISMS. ISO 27001:2022 (Clause 7.5) addresses the management of documented information, including its creation, update, and control.

Documented information in an ISMS context typically includes policies, procedures, records, and other information determined to be necessary for the effectiveness of the management system. Control measures generally address availability, suitability for use, protection, distribution, access, retrieval, storage, and retention or disposal.

Organisations may manage documented information through various systems or processes.

This area relates to how an organisation plans and conducts internal audits of its ISMS. ISO 27001:2022 (Clause 9.2) addresses the establishment and implementation of an internal audit programme.

Internal audits are typically used to assess whether the ISMS conforms to the organisation's own requirements and to the requirements of ISO 27001, and whether it is effectively implemented and maintained. An audit programme generally takes into account the importance of the processes involved and the results of previous audits.

Organisations are expected to retain documented information relating to audit plans and results.

This area relates to how an organisation conducts and records management reviews of its ISMS. ISO 27001:2022 (Clause 9.3) addresses the requirement for top management to review the ISMS at planned intervals.

Management reviews typically consider inputs such as audit results, the status of nonconformities, performance against objectives, and feedback from interested parties. Outputs may include decisions relating to continual improvement opportunities and resource needs.

Organisations are expected to retain documented information as evidence of management review outcomes.

This area relates to how an organisation identifies, manages, and documents nonconformities, corrective actions, and improvement opportunities within its ISMS. ISO 27001:2022 (Clause 10.2) addresses the management of nonconformities and corrective actions.

This area typically covers how the organisation responds when a nonconformity arises, including actions taken to address it, investigation of root causes where appropriate, and steps taken to prevent recurrence.

Organisations are expected to retain documented information relating to the nature of nonconformities, actions taken, and the effectiveness of those actions.

This area relates to whether an organisation has established and documented rules for controlling access to information and other associated assets. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 5.15).

Access control rules typically address physical and logical access, identity lifecycle management, and the allocation and management of authentication information.

Organisations may address this through a standalone policy document or as part of broader information security policy documentation.

This area relates to whether an organisation has established and documented rules for the acceptable use of information assets and other associated assets. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 5.10).

An acceptable use policy typically covers how information and associated assets are to be handled, and arrangements for the return of assets when employment, contracts, or agreements change or end.

Organisations may address this through a standalone policy document or within broader information security policy documentation.

This area relates to whether an organisation has established and documented rules for the backup of information and associated assets. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 8.13).

Backup rules typically cover the maintenance and testing of copies of information, software, and systems. The scope and frequency of backups may reflect the organisation's recovery objectives and risk assessment outcomes.

Organisations may address this through a standalone backup policy or within operational procedures documentation.

This area relates to whether an organisation has established and documented rules for maintaining a clear desk and clear screen environment. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 7.7). Clear desk rules typically address the handling of papers and removable storage media; clear screen rules typically address information processing facilities when not in use.

Organisations may address this through a standalone policy document or as part of broader physical security or acceptable use documentation.

This area relates to whether an organisation has established and documented rules for managing the configurations of its assets. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 8.9).

Configuration management rules typically cover the security configurations of hardware, software, services, and networks. Organisations may maintain configuration baselines and document approved configurations as part of their information security controls.

This may be addressed through a standalone policy or as part of asset management or operational security documentation.

This area relates to whether an organisation has established and documented rules for the use of cryptographic controls. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 8.24).

Rules in this area typically cover the effective use of cryptography for information protection, and the management of cryptographic keys throughout their lifecycle.

Organisations may address this through a standalone policy document or within broader information security policy documentation.

This area relates to whether an organisation has established and documented rules for the classification, labelling, and handling of information. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Controls 5.12, 5.13, and 5.14).

Rules in this area typically cover the classification of information according to confidentiality, integrity, and availability requirements; the labelling of information in accordance with the classification scheme; and arrangements for information transfer.

Organisations may address this through a standalone policy or within information management documentation.

This area relates to whether an organisation has established and documented rules for the use of mobile devices. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 6.13 and related endpoint controls under Annex A, Control 8.1).

Rules in this area typically address how information accessed, processed, or stored on mobile devices is protected, reflecting the organisation's risk assessment and operational context.

Organisations may address this through a standalone mobile device policy or as part of endpoint security or acceptable use documentation.

This area relates to whether an organisation has established and documented rules for managing operational information processing procedures. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 5.37).

Operational controls rules typically address the documentation of operating procedures for information processing facilities and how those procedures are made available to personnel who require them.

Organisations may address this through a standalone policy or within operational management documentation.

This area relates to whether an organisation has established and documented rules for protecting physical assets associated with information assets. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Controls 7.1–7.13).

Physical and environmental security rules typically address areas such as security perimeters, access controls for secure areas, protection of equipment, management of off-site assets, and protection from environmental threats such as power failures or physical damage.

Organisations may address this through a standalone policy document or within broader operational security documentation.

You must be able to demonstrate that you have rules for protecting assets from malware and technical vulnerabilities.

Your Protection from Malware Policy must be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

This area relates to whether an organisation has established and documented rules for the preservation of privacy and protection of personally identifiable information (PII). This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 5.34).

Rules in this area typically address how the organisation identifies and meets applicable legal, regulatory, and contractual requirements for personal information protection.

Organisations may address this through a standalone policy or within broader data protection and privacy documentation.

This area relates to whether an organisation has established and documented rules for protecting information when personnel work remotely. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 6.7).

Remote working rules typically address the protection of information accessed, processed, or stored outside the organisation's premises.

Organisations may address this through a standalone remote working policy or as part of acceptable use or mobile device documentation.

This area relates to whether an organisation has established and documented rules for managing information security risks associated with suppliers and the supply chain. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Controls 5.19–5.23).

Supplier rules typically cover the management of information security risks in supplier relationships, requirements communicated to suppliers, processes for monitoring supplier security practices, and arrangements for cloud services.

Organisations may address this through a standalone supplier policy, contractual provisions, or supplier management procedures.

This area relates to whether an organisation has established and documented rules for collecting and analysing threat intelligence relevant to information security. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 5.7).

Threat intelligence rules typically cover how the organisation collects, analyses, and uses information about developing information security threats. This can include maintaining contacts with relevant authorities, specialist security forums, and professional associations.

Organisations may address this through a standalone policy or within security monitoring and incident management documentation.

This area relates to whether an organisation has established and documented rules for protecting intellectual property rights. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 5.32).

Rules in this area typically address how the organisation identifies and complies with legal, regulatory, and contractual requirements related to intellectual property, including software, documentation, and other information assets.

Organisations may address this through a standalone policy or within information asset management or acceptable use documentation.

This area relates to whether an organisation has established and documented rules for managing software installation on operational systems. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 8.19).

Rules in this area typically address how software installation on operational systems is controlled to protect against the introduction of vulnerabilities or unauthorised software.

Organisations may address this through a standalone policy or within configuration management or operational security documentation.

This area relates to how an organisation plans and manages its response to information security incidents. ISO 27001:2022 (Clause 8.1 and Annex A, Controls 5.24–5.28) addresses the planning and control of information security incident management processes.

An information security incident management process typically covers the recording and communication of incidents, assignment of roles and responsibilities, response procedures, and the identification and preservation of evidence related to information security events.

Organisations may document this through incident response plans, procedures, or playbooks.

This area relates to how an organisation plans and controls changes that may affect information security. ISO 27001:2022 (Clause 8.1 and Annex A, Control 8.32) addresses the management of changes to information processing facilities and systems.

Change management processes typically address how planned changes are controlled, how the consequences of unintended changes are assessed, and how adverse effects are mitigated.

Organisations may address this through change management procedures, configuration management documentation, or operational controls.

This area relates to how an organisation plans for the continuity of information security during a disruption. ISO 27001:2022 (Annex A, Controls 5.29 and 5.30) addresses information security continuity and ICT readiness for business continuity.

This typically involves identifying credible disruption scenarios, assessing their impact on information security, and establishing plans to maintain information security at an acceptable level during disruption. ICT continuity readiness is generally planned, implemented, maintained, and tested in line with business continuity objectives.

Organisations may address this through business continuity plans, ICT continuity documentation, or related business impact analyses.

This area relates to how an organisation conducts background verification checks on personnel. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 6.1).

Background verification activities typically take into account applicable laws, regulations, and ethical considerations, and are proportionate to the business requirements, the classification of information to be accessed, and the risk profile of the role.

Organisations may carry out these checks prior to employment and on an ongoing basis, depending on their context and applicable requirements.

This area relates to whether an organisation has contractual arrangements with employees that address information security responsibilities. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 6.2).

Terms and conditions of employment typically address the information security responsibilities of both the individual and the organisation. This can include obligations relating to confidentiality, acceptable use, compliance with policies, and handling of information assets.

Organisations may address this through employment contracts, offer letters, or supplementary agreements.

This area relates to whether an organisation has a formal process for addressing violations of information security policies and procedures. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 6.4).

A disciplinary process in this context typically provides a mechanism for taking defined actions against personnel or other relevant interested parties who have committed a violation. The process is generally communicated to relevant individuals.

Organisations may address this through HR policies, disciplinary procedures, or as part of employment terms and conditions.

This area relates to whether an organisation has confidentiality or non-disclosure agreements in place to protect information. This is addressed within the controls framework of ISO 27001:2022 (Annex A, Control 6.6).

Confidentiality and non-disclosure agreements typically reflect the organisation's requirements for the protection of information. They are generally signed by personnel and other relevant interested parties and reviewed periodically.

Organisations may use standalone non-disclosure agreements or incorporate confidentiality obligations within employment contracts or supplier agreements.

This area relates to how an organisation identifies and maintains an inventory of its information assets and supporting assets. ISO 27001:2022 (Annex A, Control 5.9) addresses the maintenance of an inventory of information and other associated assets.

An information asset register typically records information assets along with their supporting assets, assigned owners, and relevant attributes. Asset ownership is an important element of information security accountability.

Organisations may maintain this inventory in various formats, such as registers, databases, or asset management systems.

This area relates to how an organisation establishes and applies a consistent approach to information security risk assessment. ISO 27001:2022 (Clause 6.1.2) addresses the establishment and application of an information security risk assessment process.

Risk assessment criteria typically define how risks are identified, analysed, and evaluated. Applying criteria consistently supports the production of results that are repeatable, valid, and comparable across different assessments and time periods.

Organisations may document their risk assessment criteria within risk management frameworks, procedures, or methodology documents.

This area relates to how an organisation conducts and maintains its information security risk assessments. ISO 27001:2022 (Clause 6.1.2) addresses the implementation of information security risk assessment processes.

Risk assessments in this context typically identify risks associated with the loss of confidentiality, integrity, and availability of information within the ISMS scope, analyse their potential consequences and likelihood, and evaluate them against the organisation's risk criteria to prioritise treatment.

Organisations are expected to retain documented information relating to risk assessment results.

This area relates to how an organisation plans and manages information security risk treatment. ISO 27001:2022 (Clause 6.1.3) addresses the selection and documentation of risk treatment options and the establishment of a risk treatment plan.

A risk treatment plan typically records selected treatment options for identified risks, taking into account the results of risk assessment. Where residual risks remain, the plan typically includes approval by risk owners and documented acceptance of residual risks.

Organisations are expected to retain documented information relating to the risk treatment process and its outcomes.

This area relates to how an organisation documents and maintains a Statement of Applicability (SoA) for its ISMS. ISO 27001:2022 (Clause 6.1.3d) addresses the preparation of the Statement of Applicability.

The SoA typically records the controls determined as necessary to address information security risks, references the controls in Annex A of ISO 27001:2022 for comparison, provides justification for the inclusion or exclusion of controls, and indicates implementation status.

The SoA is a key piece of documented information within an ISO 27001 ISMS and is generally reviewed and updated as the organisation's risk profile evolves.