An In-Depth Overview of ISO/IEC 27001:2022 Governance Controls

Written by Dr. Angelina Gokhale
Approved by Anuraag Singh
Published on April 21st, 2023
Reading time: 10 minutes

Annex A of ISO/IEC 27001:2022 categorizes its controls under four themes: Organizational, People, Physical and Technological. In the companion standard ISO/IEC 27002:2022, each control has a control title, an attribute table, the control text, the purpose of the control, guidance on how it should be implemented, and other related information. The attribute table records the following properties of each control:

  1. Control Type (Preventive, Detective, Corrective)
  2. Information Security Properties (Confidentiality, Integrity, Availability)
  3. Cybersecurity Concepts (Identify, Protect, Detect, Respond, Recover)
  4. Operational Capabilities
    a. Governance
    b. Asset Management
    c. Identity and Access Management
    d. Information Protection
    e. Information Security Assurance
    f. Information Security Event Management
    g. Threat and Vulnerability Management
    h. Physical Security
    i. Human Resource Security
    j. Supplier Relationship Security
    k. Application Security
    l. System and Network Security
    m. Secure Configuration
    n. Continuity
    o. Legal and Compliance
  5. Security Domains (Governance and Ecosystem, Protection, Defence, Resilience)

ISO/IEC 27002:2022 leaves organizations free to categorize the controls by whichever attribute best suits their information security requirements. Annex A of ISO/IEC 27002:2022 shows how the Organizational, People, Physical and Technological controls can be grouped by the different attributes, for example by control type (Preventive, Detective and Corrective).

However, I found it useful to group these controls by operational capability. Doing so makes it easier to draft topic-specific policies and map them to the various operations of the organization, so that the information security policies integrate more seamlessly into the organization’s operational processes. This series of blogs introduces the controls under each operational capability and maps them to the earlier ISO/IEC 27001:2013 control categories that correspond to that capability.

ISO/IEC 27001:2022 Governance Controls

This operational capability covers the Organizational controls 5.1 to 5.6, 5.8 and 5.24, which map to control categories A.5, A.6, A.7, A.14 and A.16 of ISO/IEC 27001:2013 (a comparison table mapping the 2013 controls to the 2022 controls is available for download). Some of these controls also carry other operational capability attributes and are revisited in the relevant sections of the upcoming blogs.

Let us now take a look at what these ISO 27001:2022 governance controls are and how they should be implemented.

5.1 Policies for Information Security

This preventive control ensures that management provides adequate direction and support for an information security policy and the topic-specific policies that govern the information security management system (ISMS). These policies must be defined, approved and communicated by management, and acknowledged by the relevant interested parties. A process must ensure that the policies are reviewed and, where necessary, revised at planned intervals or when significant changes occur. When drafting the information security policy, management should consider the context of the organization, the requirements of interested parties (including those arising from business strategy, regulations, legislation and contracts), the current and projected information security risks, and the threat landscape. The policy should include sections on:

  1. Definition of information security and the information security objectives
  2. Guidelines to conduct the various information security activities within the scope of the ISMS
  3. Commitment to satisfy the applicable requirements and continually improve the ISMS
  4. Description of the relevant roles and responsibilities for information security management
  5. Any exemptions or exceptions to the policy
  6. References to topic-specific policies (if the information security policy does not include the topic-specific guidelines in the same document)

Topic-specific policies are more detailed than the overall information security policy and can be tailored to business requirements. The appropriate level of management decides how many such policies are needed and approves them.

5.2 Information Security Roles and Responsibilities

This preventive control identifies the specific roles needed to carry out the responsibilities within the scope of the ISMS. Roles must be carefully defined, and conflicting responsibilities must not be concentrated in a single role; the next control (5.3) addresses how such conflicts are segregated. The allocation of roles for implementing, operating and managing information security should follow the information security policy and topic-specific policies. The responsibilities can be defined to cover the following information security activities:

  1. Protection of information assets and their supporting assets
  2. Managing the various information security processes
  3. Performing information security risk management activities
  4. Managing access rights of employees handling the information assets and their supporting assets

Organizations can consider appointing an information security manager with overall responsibility for defining and managing the information security activities carried out within the organization. That manager can delegate specific information security tasks to employees in information technology or related departments, while retaining oversight of, and accountability for, those activities.

5.3 Segregation of Duties

The purpose of this control is to segregate the conflicting duties and areas of responsibility identified under the previous control (5.2), reducing the risk of fraud, error, or bypassing of information security controls. Organizations should first determine which areas of responsibility need segregation and then assign them to distinct roles. Examples of activities that should be separated include:

  1. Initiating, approving and executing a change
  2. Requesting, approving and implementing access rights
  3. Designing, implementing and reviewing code
  4. Developing software and administering production systems
  5. Using and administering applications
  6. Using applications and administering databases or other storage systems
  7. Designing, auditing and assuring information security controls

Organizations should also bear in mind that roles must be provisioned so that removing or reassigning a role does not create access problems, and so that combining roles does not silently reintroduce a conflict. For smaller organizations, where segregating certain responsibilities is not practical, compensating controls that can track suspicious or accidental activity should be considered, such as monitoring of activities, audit trails and management supervision. For organizations with a large number of roles, automated tools can be used to identify conflicting activities and support their removal and appropriate reallocation.
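As an added illustration, not taken from the original post or from the standard, here is a small Python check of the kind an automated segregation-of-duties (SoD) tool performs. It takes a role-to-permission model, a list of conflicting permission pairs modelled on the separations listed above, and user-to-role assignments, and reports three things: roles whose own definition already violates a rule, users whose combination of roles creates a conflict (with the roles granting each side), and whether a proposed new assignment would introduce a conflict before it is provisioned. All role names, permission names, users and assignments are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict detection over role assignments.

Constructed example: the roles, permissions, users and conflict rules below are
hypothetical sample data, not a real organisation's role model.
"""

# Permissions granted by each role (hypothetical role model).
ROLE_PERMISSIONS = {
    "developer":        {"code:write"},
    "code_reviewer":    {"code:review_approve"},
    "change_approver":  {"change:approve"},
    "deployer":         {"prod:deploy"},
    "ops_lead":         {"change:approve", "prod:deploy"},   # internally conflicting on purpose
    "access_requester": {"access:request"},
    "access_approver":  {"access:approve"},
    "iam_admin":        {"access:implement"},
    "auditor":          {"controls:audit"},
    "security_eng":     {"controls:design", "controls:implement"},
}

# Permission pairs that must never be held by the same person
# (modelled on the separations in ISO/IEC 27002:2022 control 5.3).
CONFLICTING_PAIRS = {
    frozenset({"code:write", "code:review_approve"}),      # write vs. review code
    frozenset({"code:write", "prod:deploy"}),              # develop vs. administer production
    frozenset({"change:approve", "prod:deploy"}),          # approve vs. execute a change
    frozenset({"access:request", "access:approve"}),       # request vs. approve access
    frozenset({"access:approve", "access:implement"}),     # approve vs. implement access
    frozenset({"controls:design", "controls:audit"}),      # design vs. audit controls
    frozenset({"controls:implement", "controls:audit"}),   # implement vs. audit controls
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"developer", "code_reviewer"},
    "bob":   {"developer", "deployer"},
    "carol": {"access_approver", "iam_admin"},
    "dave":  {"auditor"},
    "erin":  {"ops_lead"},
    "frank": {"access_requester", "auditor"},
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= role_permissions[role]
    return perms


def sod_violations(permissions, conflicting_pairs=CONFLICTING_PAIRS):
    """Conflicting pairs fully contained in a permission set, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in conflicting_pairs if pair <= permissions)


def conflicting_role_definitions(role_permissions=ROLE_PERMISSIONS,
                                 conflicting_pairs=CONFLICTING_PAIRS):
    """Roles whose own permission set already violates a conflict rule."""
    findings = {}
    for role, perms in sorted(role_permissions.items()):
        violations = sod_violations(perms, conflicting_pairs)
        if violations:
            findings[role] = violations
    return findings


def user_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                    conflicting_pairs=CONFLICTING_PAIRS):
    """Conflicts created by the union of each user's roles, with the roles granting each side."""
    findings = {}
    for user, roles in sorted(user_roles.items()):
        perms = effective_permissions(roles, role_permissions)
        for a, b in sod_violations(perms, conflicting_pairs):
            via_a = sorted(r for r in roles if a in role_permissions[r])
            via_b = sorted(r for r in roles if b in role_permissions[r])
            findings.setdefault(user, []).append({"pair": (a, b), "via": (via_a, via_b)})
    return findings


def check_assignment(user, new_role, user_roles=USER_ROLES,
                     role_permissions=ROLE_PERMISSIONS, conflicting_pairs=CONFLICTING_PAIRS):
    """Provisioning pre-check: conflicts that adding new_role to user would newly introduce."""
    current = set(user_roles.get(user, set()))
    before = set(sod_violations(effective_permissions(current, role_permissions), conflicting_pairs))
    after = set(sod_violations(effective_permissions(current | {new_role}, role_permissions),
                               conflicting_pairs))
    return sorted(after - before)


if __name__ == "__main__":
    print("Roles that are internally conflicting:", conflicting_role_definitions())
    for user, items in user_violations().items():
        for item in items:
            print(f"{user}: {item['pair'][0]} via {item['via'][0]} conflicts with "
                  f"{item['pair'][1]} via {item['via'][1]}")
    print("Adding security_eng to dave would introduce:", check_assignment("dave", "security_eng"))
```

The pre-check in check_assignment is the piece to wire into the access-provisioning workflow: a request that would introduce a new conflict is either rejected or routed for a documented exception with a compensating control, rather than discovered at the next access review.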

5.4 Management Responsibilities

This preventive control requires management to demonstrate support for the information security policy, the topic-specific policies, procedures and information security controls, and to ensure that all personnel are aware of and fulfil their responsibilities. This includes:

  1. Briefing personnel on their information security roles and responsibilities before they are granted access rights
  2. Ensuring that personnel reach the level of information security awareness their role demands and fulfil their responsibilities accordingly
  3. Fostering a culture of continuous learning, so that personnel build competency through ongoing professional education and stay current with security trends
  4. Encouraging personnel to comply with the organization’s terms and conditions of employment and with the information security policy
  5. Providing an appropriate, confidential channel for reporting discrepancies or violations (whistleblowing)
  6. Providing adequate resources and planning time for the information security activities within the scope of the ISMS

The following two controls are both preventive and corrective in nature. Maintaining the right contacts with authorities and special interest groups helps organizations take preventive measures against evolving attack trends. When the organization experiences an information security incident or breach, these contacts help it report the matter through the appropriate channels and obtain guidance on immediate corrective actions while responding to the incident and recovering from any damage or loss.

5.5 Contact with Authorities

It is important for an organization to identify and maintain contacts with the relevant authorities. These include law enforcement agencies, regulatory bodies and supervisory authorities, as well as incident coordination bodies such as CERT/CC. Identifying and maintaining these contacts ensures that security incidents are reported through the appropriate channels and that the organization understands the authorities' current and upcoming expectations, e.g. new regulations or amendments to existing requirements.

This helps the organization anticipate and prepare for changes in the regulations that affect it. Other relevant contacts include utilities, emergency services, electricity suppliers, health and safety bodies and telecommunication providers. These are needed for matters related to business continuity, line routing and availability, and facilities for equipment protection and maintenance.

5.6 Contact with Special Interest Groups

In addition to maintaining contacts with authorities, it is important to establish contacts with special interest groups, specialized security forums and professional associations. These keep the organization up to date with trends in products, services, attacks and the threat landscape, and improve the competency of its information security personnel. Such contacts help with:

  1. Learning about the best practices and latest security trends
  2. Receiving early warnings of vulnerabilities, patch alerts, and information from third-party advisories on the latest breaches
  3. Accessing expert information security advice
  4. Receiving suitable liaison points when dealing with information security incidents

5.8 Information Security in Project Management

This preventive control helps organizations to integrate information security activities while managing any type of project regardless of its complexity, size, duration, and application area. These information security activities include:

  1. Identifying the information security risks arising from the project requirements, from the execution of the project, and from the communication of project details
  2. Identifying information security related requirements (legal/contractual/regulatory/business) at an early stage
  3. Classifying the type of information involved in the project, identifying the security requirements for safeguarding this information and negative impacts in the absence of adequate security measures
  4. Understanding the required protection (in terms of the confidentiality, integrity and availability) for the information assets and its supporting assets involved in the project
  5. Managing the authentication, access provisioning and authorization processes for all the entities involved in the project and interested parties
  6. Communicating the information security responsibilities to the users involved in the project
  7. Implementing the requirements derived from business processes, e.g. logging and monitoring of transactions performed by users involved in the project, and preserving non-repudiation
  8. Implementing the requirements mandated by other information security controls, e.g. an application being developed must interface with the existing intrusion detection system, security information and event management (SIEM) tooling, and data leakage prevention (DLP) and detection tools
  9. Considering and planning according to the level of assurance required for third parties to meet the organization’s information security policy requirements

5.24 Information Security Incident Management Planning and Preparation

This corrective control helps organizations to effectively plan and prepare for managing information security incidents by:

  1. Establishing criteria for identifying an information security incident
  2. Establishing a standard method for reporting any information security events
  3. Determining the point of contact for the incident management process
  4. Developing and implementing a process to monitor, detect, classify, analyze, document, report, and communicate these information security incidents by manual or automatic means
  5. Allowing only competent personnel to handle the information security incident issues and ensuring to provide regular training and mentoring facilities for them
  6. Managing the information security incidents from detection to conclusion, a controlled recovery process, and activation of crisis management and continuity plans when required
  7. Coordinating with internal and external stakeholders, including authorities, special interest groups, suppliers and clients, to escalate and/or communicate the information security incident within the defined time frame
  8. Logging the incident management activities, collecting appropriate evidence, performing root-cause analysis, and documenting this in suitable incident forms
  9. Developing suitable processes to record the lessons learned and feedback received on the information security incident management process and related activities

In addition to this, for information security incidents that transcend organizational and national boundaries, organizations should share information about these incidents with external organizations as appropriate.

A mind map summarizing the Governance controls is available to view or download.

Mind map overview of ISO/IEC 27001:2022 Governance Controls.