ISO/IEC 27001:2022
Crosswalk to NIST CSF 2.0 · 123 controls · Updated April 2026.
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). It specifies requirements for establishing, operating, monitoring, and improving an ISMS, and includes 93 Annex A controls organized into four themes — Organizational, People, Physical, and Technological.
About ISO 27001:2022
ISO 27001:2022 restructured the Annex A controls that were in the 2013 edition — 93 controls in 4 themes replaces 114 controls in 14 domains. The change reflects modern practice: controls that were historically siloed (e.g., supplier relationships, cryptography) are now grouped by function rather than by domain.
Certification requires a formal ISMS with documented risk treatment, management review, and an internal audit program. Stage 1 and Stage 2 audits are conducted by an accredited certification body, typically on a three-year cycle with annual surveillance.
SecurityStack maps ISO 27001:2022 Annex A controls to NIST CSF 2.0 categories. Organizations pursuing ISO 27001 often start with NIST CSF as the internal framing, then map to ISO for external certification.
Primary audience: International organizations, enterprise SaaS vendors selling into European markets, and any organization pursuing formal ISMS certification.
Controls by domain
123 controls across 6 groups. The strength of each group's mapping to NIST CSF 2.0 categories is summarized below.
Main Body Clauses (15 controls)
| Control ID | Name |
|---|---|
| ISO-CL.10.1 | Clause 10.1 - Continual Improvement |
| ISO-CL.10.2 | Clause 10.2 - Nonconformity and Corrective Action |
| ISO-CL.4.1 | Clause 4.1 - Understanding the Organization and Its Context |
| ISO-CL.4.2 | Clause 4.2 - Understanding Needs/Expectations of Interested Parties |
| ISO-CL.5.2 | Clause 5.2 - Information Security Policy |
| ISO-CL.5.3 | Clause 5.3 - Organizational Roles, Responsibilities and Authorities |
| ISO-CL.6.1 | Clause 6.1 - Actions to Address Risks and Opportunities |
| ISO-CL.6.1.2 | Clause 6.1.2 - Information Security Risk Assessment |
| ISO-CL.6.1.3 | Clause 6.1.3 - Information Security Risk Treatment |
| ISO-CL.7.4 | Clause 7.4 - Communication |
| ISO-CL.8.1 | Clause 8.1 - Operational Planning and Control |
| ISO-CL.8.2 | Clause 8.2 - Information Security Risk Assessment (ongoing) |
| ISO-CL.8.3 | Clause 8.3 - Information Security Risk Treatment (ongoing) |
| ISO-CL.9.1 | Clause 9.1 - Monitoring, Measurement, Analysis and Evaluation |
| ISO-CL.9.3 | Clause 9.3 - Management Review |
Organizational Controls (A.5) (15 controls)
| Control ID | Name |
|---|---|
| ISO-A.5.11 | A.5.11 - Return of Assets |
| ISO-A.5.12 | A.5.12 - Classification of Information |
| ISO-A.5.13 | A.5.13 - Labelling of Information |
| ISO-A.5.14 | A.5.14 - Information Transfer |
| ISO-A.5.22 | A.5.22 - Monitoring/Review/Change Mgmt of Supplier Services |
| ISO-A.5.23 | A.5.23 - Information Security for Use of Cloud Services (NEW 2022) |
| ISO-A.5.24 | A.5.24 - Incident Management Planning and Preparation |
| ISO-A.5.3 | A.5.3 - Segregation of Duties |
| ISO-A.5.32 | A.5.32 - Intellectual Property Rights |
| ISO-A.5.34 | A.5.34 - Privacy and Protection of PII |
| ISO-A.5.35 | A.5.35 - Independent Review of Information Security |
| ISO-A.5.37 | A.5.37 - Documented Operating Procedures |
| ISO-A.5.4 | A.5.4 - Management Responsibilities |
| ISO-A.5.5 | A.5.5 - Contact with Authorities |
| ISO-A.5.6 | A.5.6 - Contact with Special Interest Groups |
People Controls (A.6) (5 controls)
| Control ID | Name |
|---|---|
| ISO-A.6.2 | A.6.2 - Terms and Conditions of Employment |
| ISO-A.6.4 | A.6.4 - Disciplinary Process |
| ISO-A.6.5 | A.6.5 - Responsibilities After Termination or Change of Employment |
| ISO-A.6.6 | A.6.6 - Confidentiality or Non-Disclosure Agreements |
| ISO-A.6.7 | A.6.7 - Remote Working |
Physical Controls (A.7) (14 controls)
| Control ID | Name |
|---|---|
| ISO-A.7.1 | A.7.1 - Physical Security Perimeters |
| ISO-A.7.10 | A.7.10 - Storage Media |
| ISO-A.7.11 | A.7.11 - Supporting Utilities |
| ISO-A.7.12 | A.7.12 - Cabling Security |
| ISO-A.7.13 | A.7.13 - Equipment Maintenance |
| ISO-A.7.14 | A.7.14 - Secure Disposal or Re-Use of Equipment |
| ISO-A.7.2 | A.7.2 - Physical Entry |
| ISO-A.7.3 | A.7.3 - Securing Offices, Rooms and Facilities |
| ISO-A.7.4 | A.7.4 - Physical Security Monitoring (NEW 2022) |
| ISO-A.7.5 | A.7.5 - Protecting Against Physical and Environmental Threats |
| ISO-A.7.6 | A.7.6 - Working in Secure Areas |
| ISO-A.7.7 | A.7.7 - Clear Desk and Clear Screen |
| ISO-A.7.8 | A.7.8 - Equipment Siting and Protection |
| ISO-A.7.9 | A.7.9 - Security of Assets Off-Premises |
Technological Controls (A.8) (18 controls)
| Control ID | Name |
|---|---|
| ISO-A.8.13 | A.8.13 - Information Backup |
| ISO-A.8.14 | A.8.14 - Redundancy of Information Processing Facilities |
| ISO-A.8.18 | A.8.18 - Use of Privileged Utility Programs |
| ISO-A.8.22 | A.8.22 - Segregation of Networks |
| ISO-A.8.23 | A.8.23 - Web Filtering (NEW 2022) |
| ISO-A.8.25 | A.8.25 - Secure Development Life Cycle |
| ISO-A.8.26 | A.8.26 - Application Security Requirements |
| ISO-A.8.27 | A.8.27 - Secure System Architecture and Engineering Principles |
| ISO-A.8.28 | A.8.28 - Secure Coding (NEW 2022) |
| ISO-A.8.29 | A.8.29 - Security Testing in Development and Acceptance |
| ISO-A.8.3 | A.8.3 - Information Access Restriction |
| ISO-A.8.30 | A.8.30 - Outsourced Development |
| ISO-A.8.31 | A.8.31 - Separation of Development/Test/Production Environments |
| ISO-A.8.32 | A.8.32 - Change Management |
| ISO-A.8.33 | A.8.33 - Test Information |
| ISO-A.8.34 | A.8.34 - Protection of Info Systems During Audit Testing |
| ISO-A.8.4 | A.8.4 - Access to Source Code |
| ISO-A.8.6 | A.8.6 - Capacity Management |
Ungrouped (56 controls)
| Control ID | Name | ISO ref |
|---|---|---|
| ISO-A.12.4 | Logging and monitoring | A.12.4 |
| ISO-A.5.1 | Policies for information security | A.5.1 |
| ISO-A.5.10 | Acceptable use of assets | A.5.10 |
| ISO-A.5.15 | Access control | A.5.15 |
| ISO-A.5.16 | Identity management | A.5.16 |
| ISO-A.5.17 | Authentication information | A.5.17 |
| ISO-A.5.18 | Access rights | A.5.18 |
| ISO-A.5.19 | InfoSec in supplier relationships | A.5.19 |
| ISO-A.5.2 | Information security roles and responsibilities | A.5.2 |
| ISO-A.5.20 | Addressing InfoSec in supplier agreements | A.5.20 |
| ISO-A.5.21 | Managing ICT supply chain | A.5.21 |
| ISO-A.5.25 | Assessment and decision on information security events | A.5.25 |
| ISO-A.5.26 | Response to information security incidents | A.5.26 |
| ISO-A.5.27 | Learning from incidents | A.5.27 |
| ISO-A.5.28 | Collection of evidence | A.5.28 |
| ISO-A.5.29 | Information security during disruption | A.5.29 |
| ISO-A.5.30 | ICT readiness for business continuity | A.5.30 |
| ISO-A.5.31 | Legal/regulatory requirements | A.5.31 |
| ISO-A.5.33 | Protection of records | A.5.33 |
| ISO-A.5.36 | Compliance with policies | A.5.36 |
| ISO-A.5.7 | Threat intelligence | A.5.7 |
| ISO-A.5.8 | InfoSec in project management | A.5.8 |
| ISO-A.5.9 | Inventory of information and assets | A.5.9 |
| ISO-A.6.1 | Screening | A.6.1 |
| ISO-A.6.3 | Information security awareness, education and training | A.6.3 |
| ISO-A.6.8 | Information security event reporting | A.6.8 |
| ISO-A.8.1 | User endpoint devices | A.8.1 |
| ISO-A.8.10 | Information deletion | A.8.10 |
| ISO-A.8.11 | Data masking | A.8.11 |
| ISO-A.8.12 | Data leakage prevention | A.8.12 |
| ISO-A.8.15 | Logging | A.8.15 |
| ISO-A.8.16 | Monitoring activities | A.8.16 |
| ISO-A.8.17 | Clock synchronization | A.8.17 |
| ISO-A.8.19 | Installation of software on operational systems | A.8.19 |
| ISO-A.8.2 | Privileged access rights | A.8.2 |
| ISO-A.8.20 | Networks security | A.8.20 |
| ISO-A.8.21 | Security of network services | A.8.21 |
| ISO-A.8.24 | Use of cryptography | A.8.24 |
| ISO-A.8.5 | Secure authentication | A.8.5 |
| ISO-A.8.7 | Protection against malware | A.8.7 |
| ISO-A.8.8 | Management of technical vulnerabilities | A.8.8 |
| ISO-A.8.9 | Configuration management | A.8.9 |
| ISO-Clause-10.1 | Continual improvement | Clause 10.1 |
| ISO-Clause-10.2 | Nonconformity and corrective action | Clause 10.2 |
| ISO-Clause-4.1 | Understanding the organization | Clause 4.1 |
| ISO-Clause-4.2 | Understanding needs of interested parties | Clause 4.2 |
| ISO-Clause-5.2 | Policy | Clause 5.2 |
| ISO-Clause-5.3 | Organizational roles | Clause 5.3 |
| ISO-Clause-6.1 | Actions to address risks | Clause 6.1 |
| ISO-Clause-6.1.2 | Information security risk assessment | Clause 6.1.2 |
| ISO-Clause-6.1.3 | Risk treatment plan | Clause 6.1.3 |
| ISO-Clause-7.4 | Communication | Clause 7.4 |
| ISO-Clause-8.3 | Information security risk treatment | Clause 8.3 |
| ISO-Clause-8.4 | Business continuity planning | Clause 8.4 |
| ISO-Clause-9.1 | Monitoring, measurement, analysis | Clause 9.1 |
| ISO-Clause-9.3 | Management review | Clause 9.3 |
Crosswalk density to NIST CSF 2.0
Top 12 NIST CSF categories by number of ISO 27001:2022 controls mapped. The distribution tells you where the framework's emphasis sits against NIST's six functions.
| NIST category | Controls mapped |
|---|---|
| PR.AA | 8 |
| PR.PS | 7 |
| PR.IR | 7 |
| PR.DS | 6 |
| GV.OC | 6 |
| RC.CO | 5 |
| RC.RP | 5 |
| GV.OV | 5 |
| ID.IM | 5 |
| GV.RM | 5 |
| DE.CM | 5 |
| GV.PO | 4 |
Frequently asked questions
What changed between ISO 27001:2013 and 2022?
The main body clauses (4-10) are largely unchanged. Annex A was significantly restructured: 114 controls in 14 domains became 93 controls in 4 themes (Organizational, People, Physical, Technological). Eleven controls are new, including explicit controls for cloud services, data masking, threat intelligence, and configuration management.
Do I need both ISO 27001 and SOC 2?
Not necessarily, but many SaaS vendors get both. ISO 27001 is stronger internationally; SOC 2 is the de facto expectation for U.S. buyers. The underlying controls overlap substantially — maintaining both is roughly 1.3× the effort of maintaining one, not 2×.
How long does certification take?
From a standing start, 12–18 months is typical. The work splits roughly into ISMS documentation (3–6 months), control implementation and evidence gathering (6–9 months), and formal certification audit (Stage 1 + Stage 2 over ~2 months). Organizations with an existing security program can compress this significantly.
See your stack against ISO 27001:2022
Start a free assessment, select ISO 27001:2022 as a required framework, and see which controls your current tools already cover — and which gaps need new investment.