ISO/IEC 27001:2022 Information Security Management Systems
A practical guide for SMEs
Advice from ISO/IEC JTC 1/SC 27
iec.ch iso.org

ISO/IEC 27001:2022 - A practical guide

Foreword

Cybercrime is on the rise, growing increasingly severe and sophisticated as hackers develop ever more advanced techniques. In this fast-changing landscape, it can seem difficult or even impossible to keep track of cyber-risks. At ISO, we are ready with support and solutions to help small and medium-sized enterprises (SMEs) safely navigate this process. This handbook focuses on guiding SMEs in developing and implementing an information security management system (ISMS) in accordance with ISO/IEC 27001, in order to help protect yourselves from cyber-risks.

SMEs account for the vast majority of businesses worldwide and often have specific needs. International Standards help you to compete on a level playing field with bigger enterprises, gaining access to global markets, reducing costs and building customer confidence that your products are safe and reliable. We understand the unique challenges you face as SMEs - whether due to lack of money, resources or a full understanding of the issues - that can lead to your security being compromised.

ISO/IEC 27001 is the world's leading standard for ISMSs, providing organizations with guidance on establishing, implementing, maintaining and continually improving an ISMS. It defines requirements for an ISMS and helps organizations secure their information assets by identifying and managing risks - something which is vital in today's digital world. The requirements that ISO/IEC 27001 describes are generic and are designed to be both scalable and flexible, and hence apply to all types of organization, regardless of their size or the nature of their business activities or sector.

handled by the company, and that this system respects all the best practices and principles enshrined in the standard.
By using ISO/IEC 27001, you demonstrate to stakeholders and customers that you are committed to managing information securely and safely. It is a unique way to promote your organization, celebrate your achievements and prove that you can be trusted. In addition, the holistic approach of ISO/IEC 27001 means that the entire organization is covered, not just IT. People, technology and processes all benefit.

This handbook was developed by experts from the joint ISO and IEC technical community on information security, cybersecurity and privacy protection. I sincerely hope it will support your enterprise's efforts in developing an ISMS that acts as a tool for risk management, cyber-resilience and operational excellence. By doing so, we hope industry.

Sergio Mujica
ISO Secretary-General

Contents

Foreword
About this handbook
Information security management systems
Using the handbook
Guidance on what ISO/IEC 27001 means to SMEs
Terminology
The Foreword of ISO/IEC 27001
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operations
9. Performance evaluation
10. Improvement
Annex A - Frequently asked questions
Annex B - Certification
Annex C - Websites and International Standards

About this handbook

The aim of this handbook is to guide small and medium-sized enterprises (SMEs) on developing and implementing an information security management system (ISMS), based on the International Standard ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements.
The remainder of this handbook will refer to this standard as ISO/IEC 27001 for brevity. The requirements that ISO/IEC 27001 describes are generic and are designed to be both scalable and flexible, and hence apply to all types of organization, regardless of their size or the nature of their business activities or the sector. This handbook focuses on guiding SMEs. Strictly speaking

PDF document: ISO-IEC 27001-HBK 2024 ISO-IEC 27001 2022 - Information Security Management Systems - A practical guide for SMEs

This document was uploaded and shared by 人生无常 on 2026-01-04 01:53:36.