What is ISO 27002:2022 and why is it Important?
ISO 27002 is a supporting document that provides further detail, clarification and guidance on the Annex A controls of ISO 27001:2022. It should be noted that ISO 27002 is not a certification standard or a quality mark; it is simply a guideline for how your organisation can implement information security best practice.
Many clients have asked us how they can prepare and transition to the latest version of ISO 27001. We know that many companies will be taking a phased approach to implementation, so we have produced a series of articles explaining how specific controls work and guidance on how they should be implemented.
What is Annex A of ISO 27001:2022?
Annex A serves as a comprehensive reference for organisations implementing ISO 27001. Its primary purpose is to provide a structured catalogue of security controls that can be used to manage information security risks effectively. These controls are designed to:
- Support risk treatment: Annex A helps organisations take appropriate measures to address risks identified during their risk assessment process.
- Ensure consistency and completeness: By following Annex A, organisations can avoid gaps in their security framework and ensure all critical areas are covered.
- Provide flexibility: The controls are not mandatory but act as guidance, allowing organisations to tailor them to their specific context, size, and risk profile.
- Facilitate compliance and certification: Annex A aligns with ISO 27001 requirements, making it easier for organisations to demonstrate conformity during audits.
- Promote best practice: The controls reflect globally recognised security principles, helping organisations adopt industry-standard approaches to information security.
- Enable integration: Annex A supports integration with other management systems (such as ISO 9001 or ISO 42001), creating a unified governance structure.
What does ISO 27001:2022 mean for your organisation?
In general, you can expect a more streamlined approach to implementing your information security policies and procedures.
What are the controls in ISO 27001:2022 Annex A?
- Information security for the use of cloud services
- Data masking
- Information and Communication Technology readiness for business continuity
- Physical security monitoring
- Data leakage prevention
- Configuration management
- Information deletion
- Threat intelligence
- Monitoring activities
- Secure coding
- Web filtering
Each control is associated with attributes to help filter, sort, and present the controls in different views for different audiences. These attributes are provided in a table right before the statement of each control. Attributes are:
Control type
- Preventive - Measures designed to stop security incidents before they occur.
- Detective - Controls that identify and alert you to potential threats or breaches.
- Corrective - Actions taken to restore systems and mitigate damage after an incident.
Information security properties
- Confidentiality - Ensuring information is accessible only to authorised individuals.
- Integrity - Maintaining accuracy and consistency of data throughout its lifecycle.
- Availability - Guaranteeing that information and systems are accessible when needed.
Cybersecurity concepts
- Identify - Understand and catalogue assets, risks, and vulnerabilities.
- Protect - Implement safeguards to secure systems and data.
- Detect - Monitor for anomalies and recognise potential security events.
- Respond - Act quickly to contain and manage security incidents.
- Recover - Restore normal operations and learn from incidents to improve resilience.
Operational capabilities
- Governance
- Physical security, and so on (the complete list is available in the AvISO IMS toolbox)
Security domains
- Governance and ecosystem
- Protection
- Defence
- Resilience
AvISO's Approach to ISO 27001:2022
At AvISO, we do not see ISO 27001 as a tick-box exercise. Our focus is on building a practical, integrated Information Security Management System (ISMS) that works for your organisation day-to-day. We combine deep technical knowledge with a collaborative approach, ensuring security controls are tailored to your risks, processes, and culture.
Key elements of our approach:
- Risk-driven implementation: We start with a thorough risk assessment to ensure controls are proportionate and relevant.
- Integration with existing systems: ISO 27001 is aligned with other standards such as ISO 9001, ISO 14001, and ISO 42001, creating a single, streamlined management system.
- Focus on usability: Documentation is clear, concise, and practical—no unnecessary complexity.
- Continuous improvement mindset: We help you embed processes that evolve with your business and technology landscape.