
ISO 27001

ISO/IEC 27001:2022

2022

93 controls · 4 domains

About this framework

ISO 27001 is the leading international standard for information security management. It specifies how to build an information security management system (ISMS) that identifies your risks and applies the appropriate controls, with independent certification to demonstrate conformity.

Who needs this

For organisations wanting a globally recognised, certifiable mark of strong security, often required by enterprise customers.

Cross-framework coverage

Controls in ISO 27001 also cover:

CIS Controls 19 shared
NCA ECC-2 19 shared
Qatar NIA 19 shared
UAE IA 19 shared
ADHICS 19 shared


Control domains

A.5 · Organizational controls (37 controls)

A.5.1 · Policies for information security
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.2 · Information security roles and responsibilities
  Maps to: NIST CSF · CIS Controls · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.3 · Segregation of duties
  Maps to: NIST CSF · CIS Controls · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.4 · Management responsibilities
  Maps to: NIST CSF · CIS Controls · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.5 · Contact with authorities
  Maps to: NIST CSF · CIS Controls · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.6 · Contact with special interest groups
  Maps to: NIST CSF · CIS Controls · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.7 · Threat intelligence
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.8 · Information security in project management
A.5.9 · Inventory of information and other associated assets
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.10 · Acceptable use of information and other associated assets
A.5.11 · Return of assets
A.5.12 · Classification of information
  Maps to: NIST CSF · CIS Controls · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
A.5.13 · Labelling of information
  Maps to: NIST CSF · CIS Controls · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
A.5.14 · Information transfer
A.5.15 · Access control
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.16 · Identity management
  Maps to: NIST CSF · CIS Controls · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.17 · Authentication information
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.18 · Access rights
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.19 · Information security in supplier relationships
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.20 · Addressing information security within supplier agreements
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.21 · Managing information security in the ICT supply chain
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.22 · Monitoring, review and change management of supplier services
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.23 · Information security for use of cloud services
  Maps to: CIS Controls · Cyber Essentials · Cyber Essentials Plus · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
A.5.24 · Information security incident management planning and preparation
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.25 · Assessment and decision on information security events
A.5.26 · Response to information security incidents
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.27 · Learning from information security incidents
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.28 · Collection of evidence
A.5.29 · Information security during disruption
A.5.30 · ICT readiness for business continuity
  Maps to: NIST CSF · CIS Controls · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS
A.5.31 · Legal, statutory, regulatory and contractual requirements
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.32 · Intellectual property rights
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.33 · Protection of records
  Maps to: NIST CSF · CIS Controls · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
A.5.34 · Privacy and protection of personal identifiable information (PII)
A.5.35 · Independent review of information security
A.5.36 · Compliance with policies, rules and standards for information security
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.5.37 · Documented operating procedures
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

A.6 · People controls (8 controls)

A.6.1 · Screening
A.6.2 · Terms and conditions of employment
A.6.3 · Information security awareness, education and training
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.6.4 · Disciplinary process
A.6.5 · Responsibilities after termination or change of employment
A.6.6 · Confidentiality or non-disclosure agreements
A.6.7 · Remote working
A.6.8 · Information security event reporting

A.7 · Physical controls (14 controls)

A.7.1 · Physical security perimeters
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · Cyber Essentials · Cyber Essentials Plus · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS · HIPAA Security Rule · NCA CCC · SAMA CSF
A.7.2 · Physical entry
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.3 · Securing offices, rooms and facilities
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.4 · Physical security monitoring
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.5 · Protecting against physical and environmental threats
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.6 · Working in secure areas
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.7 · Clear desk and clear screen
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.8 · Equipment siting and protection
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.9 · Security of assets off-premises
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.10 · Storage media
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.11 · Supporting utilities
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.12 · Cabling security
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.13 · Equipment maintenance
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.7.14 · Secure disposal or re-use of equipment

A.8 · Technological controls (34 controls)

A.8.1 · User endpoint devices
A.8.2 · Privileged access rights
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.3 · Information access restriction
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.4 · Access to source code
A.8.5 · Secure authentication
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.6 · Capacity management
A.8.7 · Protection against malware
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · Cyber Essentials · Cyber Essentials Plus · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
A.8.8 · Management of technical vulnerabilities
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · Cyber Essentials · Cyber Essentials Plus · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.9 · Configuration management
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.10 · Information deletion
A.8.11 · Data masking
  Maps to: NIST CSF · CIS Controls · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
A.8.12 · Data leakage prevention
  Maps to: NIST CSF · CIS Controls · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
A.8.13 · Information backup
  Maps to: NIST CSF · CIS Controls · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS
A.8.14 · Redundancy of information processing facilities
  Maps to: NIST CSF · CIS Controls · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS · PCI DSS 4.0.1 · SAMA CSF
A.8.15 · Logging
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.16 · Monitoring activities
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.17 · Clock synchronization
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.18 · Use of privileged utility programs
A.8.19 · Installation of software on operational systems
A.8.20 · Networks security
A.8.21 · Security of network services
A.8.22 · Segregation of networks
  Maps to: NIST CSF · CIS Controls · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
A.8.23 · Web filtering
A.8.24 · Use of cryptography
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.25 · Secure development life cycle
A.8.26 · Application security requirements
A.8.27 · Secure system architecture and engineering principles
A.8.28 · Secure coding
A.8.29 · Security testing in development and acceptance
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · Cyber Essentials · Cyber Essentials Plus · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.30 · Outsourced development
  Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
A.8.31 · Separation of development, test and production environments
A.8.32 · Change management
A.8.33 · Test information
A.8.34 · Protection of information systems during audit testing
