NIS-2 to ISO/IEC 27001:2022 Interactive Mapping

Complete mapping based on the ENISA technical implementation guidance for Commission Implementing Regulation (EU) 2024/2690, the NIS2 implementing act that specifies the technical and methodological requirements of the cybersecurity risk-management measures for the entities in its scope.

✓ 100% coverage of ISO/IEC 27001:2022 Annex A controls (93/93): every one of the 37 organisational (A.5), 8 people (A.6), 14 physical (A.7) and 34 technological (A.8) controls is cited by at least one requirement below. Coverage runs in that direction only. An ISO/IEC 27001 certificate does not by itself satisfy the regulation, whose requirements are more prescriptive than the control text they map to (for example the NIS2 incident notification timelines, which no Annex A control sets, or the mandatory multi-factor authentication in 11.7, which A.8.5 only recommends), so each row should be read as "where to look in the ISMS", not as "already done".

Contributor: Michael Mühlberger

1. POLICY ON THE SECURITY OF NETWORK AND INFORMATION SYSTEMS
1.1 Policy on the Security of Network and Information Systems
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
1.1.1 | 4.4 Information security management system
1.1.1(a) | 5.2 Policy; A.5.1 Policies for information security; A.5.37 Documented operating procedures
1.1.1(b) | 5.2 Policy; A.5.1 Policies for information security; A.5.8 Information security in project management
1.1.1(c) | 5.2 Policy; A.5.1 Policies for information security
1.1.1(d) | 5.2 Policy; A.5.1 Policies for information security
1.1.1(e) | 5.2 Policy; A.5.1 Policies for information security
1.1.1(f) | A.5.1 Policies for information security; A.5.36 Compliance with policies, rules and standards for information security; A.6.6 Confidentiality or non-disclosure agreements
1.2 Roles, Responsibilities and Authorities
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
1.2.1 | 5.3 Organizational roles, responsibilities and authorities; A.5.2 Information security roles and responsibilities
1.2.2 | A.5.3 Segregation of duties
1.2.3 | 5.3 Organizational roles, responsibilities and authorities; A.5.2 Information security roles and responsibilities; A.5.4 Management responsibilities
2. RISK MANAGEMENT POLICY
2.1 Risk Management Framework
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
2.1.1 | 6.1.2 Information security risk assessment
2.1.2(a) | 6.1.2 Information security risk assessment; A.5.7 Threat intelligence
2.1.2(b) | 6.1.2 Information security risk assessment; A.5.19 Information security in supplier relationships
2.1.2(c) | 6.1.2 Information security risk assessment; A.5.20 Addressing information security within supplier agreements
2.1.2(d) | 6.1.2 Information security risk assessment; A.5.21 Managing information security in the ICT supply chain
2.1.2(e) | 6.1.2 Information security risk assessment; 8.2 Information security risk assessment
2.1.2(f) | 6.1.2 Information security risk assessment; 8.3 Information security risk treatment
2.1.2(g) | 6.1.3 Information security risk treatment
2.1.2(h) | 8.2 Information security risk assessment; 8.3 Information security risk treatment
2.1.2(i) | 6.1.3 Information security risk treatment
2.1.2(j) | 6.1.3 Information security risk treatment
2.1.3 | 6.1.3 Information security risk treatment
2.1.4 | 6.2 Information security objectives and planning to achieve them; 8.2 Information security risk assessment; 8.3 Information security risk treatment
2.2 Compliance Monitoring
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
2.2.1 | 9.2 Internal audit; A.5.31 Legal, statutory, regulatory and contractual requirements
2.2.2 | A.5.35 Independent review of information security; A.5.36 Compliance with policies, rules and standards for information security
2.2.3 | 9.2 Internal audit
2.3 Independent Review of Information and Network Security
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
2.3.1 | 9.2 Internal audit; A.5.35 Independent review of information security
2.3.2 | 9.2 Internal audit; A.8.34 Protection of information systems during audit testing
2.3.3 | 10.1 Continual improvement; A.5.35 Independent review of information security
2.3.4 | 9.2 Internal audit
3. INCIDENT HANDLING
3.1 Incident Handling Policy
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
3.1.1 | A.5.24 Information security incident management planning and preparation
3.1.2(a) | A.5.24 Information security incident management planning and preparation
3.1.2(b) | A.5.24 Information security incident management planning and preparation
3.1.2(c) | A.5.24 Information security incident management planning and preparation
3.1.2(d) | A.5.24 Information security incident management planning and preparation
3.1.3 | A.5.24 Information security incident management planning and preparation
3.2 Monitoring and Logging
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
3.2.1 | A.5.28 Collection of evidence; A.8.15 Logging
3.2.2 | A.8.16 Monitoring activities
3.2.3 | A.8.15 Logging; A.8.16 Monitoring activities
3.2.4 | A.8.16 Monitoring activities
3.2.5 | A.8.15 Logging
3.2.6 | A.8.17 Clock synchronization
3.2.7 | A.8.15 Logging; A.8.16 Monitoring activities
3.3 Event Reporting
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
3.3.1 | A.6.8 Information security event reporting
3.3.2 | A.6.8 Information security event reporting
3.4 Event Assessment and Classification
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
3.4.1 | A.5.25 Assessment and decision on information security events
3.4.2(a) | A.5.25 Assessment and decision on information security events
3.4.2(b) | A.5.25 Assessment and decision on information security events
3.4.2(c) | A.5.25 Assessment and decision on information security events
3.4.2(d) | A.5.25 Assessment and decision on information security events
3.4.2(e) | A.5.25 Assessment and decision on information security events
3.5 Incident Response
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
3.5.1 | A.5.26 Response to information security incidents
3.5.2(a) | A.5.26 Response to information security incidents
3.5.2(b) | A.5.26 Response to information security incidents
3.5.2(c) | A.5.26 Response to information security incidents
3.5.3(a) | A.5.26 Response to information security incidents; A.5.5 Contact with authorities
3.5.3(b) | A.5.26 Response to information security incidents
3.5.4 | A.5.26 Response to information security incidents; A.5.33 Protection of records
3.5.5 | A.5.26 Response to information security incidents
3.6 Post-Incident Reviews
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
3.6.1 | A.5.27 Learning from information security incidents
3.6.2 | A.5.27 Learning from information security incidents
3.6.3 | A.5.27 Learning from information security incidents
4. BUSINESS CONTINUITY AND CRISIS MANAGEMENT
4.1 Business Continuity and Disaster Recovery Plan
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
4.1.1 | A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity
4.1.2(a) | A.5.29 Information security during disruption
4.1.2(b) | A.5.29 Information security during disruption
4.1.2(c) | A.5.29 Information security during disruption
4.1.2(d) | A.5.29 Information security during disruption
4.1.2(e) | A.5.29 Information security during disruption
4.1.2(f) | A.5.29 Information security during disruption
4.1.2(g) | A.5.29 Information security during disruption
4.1.2(h) | A.5.29 Information security during disruption
4.1.3 | A.5.30 ICT readiness for business continuity; A.8.6 Capacity management
4.1.4 | A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity
4.2 Backup Management
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
4.2.1 | A.8.13 Information backup
4.2.2(a) | A.8.13 Information backup
4.2.2(b) | A.8.13 Information backup
4.2.2(c) | A.8.13 Information backup
4.2.2(d) | A.8.13 Information backup
4.2.2(e) | A.8.13 Information backup
4.2.2(f) | A.8.13 Information backup
4.2.3 | A.8.13 Information backup
4.2.4 | A.8.14 Redundancy of information processing facilities
4.2.5 | A.8.14 Redundancy of information processing facilities
4.2.6 | A.8.13 Information backup; A.8.14 Redundancy of information processing facilities
4.3 Crisis Management
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
4.3.1 | A.5.26 Response to information security incidents; A.5.29 Information security during disruption
4.3.2(a) | A.5.30 ICT readiness for business continuity
4.3.2(b) | A.5.26 Response to information security incidents; A.5.5 Contact with authorities
4.3.2(c) | A.5.29 Information security during disruption
4.3.3 | A.5.26 Response to information security incidents
4.3.4 | A.5.30 ICT readiness for business continuity
5. SUPPLY CHAIN SECURITY
5.1 Supply Chain Security Policy
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
5.1.1 | A.5.19 Information security in supplier relationships
5.1.2(a) | A.5.20 Addressing information security within supplier agreements
5.1.2(b) | A.5.20 Addressing information security within supplier agreements
5.1.2(c) | A.5.21 Managing information security in the ICT supply chain
5.1.2(d) | A.5.21 Managing information security in the ICT supply chain
5.1.3 | A.5.19 Information security in supplier relationships
5.1.4 | A.5.20 Addressing information security within supplier agreements; A.8.30 Outsourced development; A.6.6 Confidentiality or non-disclosure agreements
5.1.5 | A.5.21 Managing information security in the ICT supply chain; A.5.6 Contact with special interest groups
5.1.6 | A.5.19 Information security in supplier relationships
5.1.7(a) | A.5.19 Information security in supplier relationships
5.1.7(b) | A.5.19 Information security in supplier relationships
5.1.7(c) | A.5.19 Information security in supplier relationships
5.1.7(d) | A.5.19 Information security in supplier relationships
5.2 Directory of Suppliers and Service Providers
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
5.2(a) | A.5.22 Monitoring, review and change management of supplier services
5.2(b) | A.5.22 Monitoring, review and change management of supplier services
6. SECURITY IN NETWORK AND INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
6.1 Security in Acquisition of ICT Services, ICT Systems or ICT Products
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
6.1.1 | A.5.21 Managing information security in the ICT supply chain; A.5.8 Information security in project management; A.8.26 Application security requirements
6.1.2(a) | A.5.23 Information security for use of cloud services; A.8.26 Application security requirements
6.1.2(b) | A.5.23 Information security for use of cloud services
6.1.2(c) | A.5.23 Information security for use of cloud services
6.1.2(d) | A.5.23 Information security for use of cloud services
6.1.2(e) | A.5.23 Information security for use of cloud services
6.1.2(f) | A.5.23 Information security for use of cloud services
6.1.3 | A.5.21 Managing information security in the ICT supply chain; A.5.23 Information security for use of cloud services
6.2 Secure Development Life Cycle
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
6.2.1 | A.8.25 Secure development life cycle
6.2.2(a) | A.8.25 Secure development life cycle
6.2.2(b) | A.8.25 Secure development life cycle; A.8.27 Secure system architecture and engineering principles; A.8.28 Secure coding
6.2.2(c) | A.8.31 Separation of development, test and production environments
6.2.2(d) | A.8.25 Secure development life cycle
6.2.2(e) | A.8.31 Separation of development, test and production environments
6.2.2(f) | A.8.31 Separation of development, test and production environments; A.8.11 Data masking
6.2.3 | A.8.25 Secure development life cycle
6.2.4 | A.8.25 Secure development life cycle
6.3 Configuration Management
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
6.3.1 | A.8.9 Configuration management; A.5.37 Documented operating procedures
6.3.2(a) | A.8.9 Configuration management
6.3.2(b) | A.8.9 Configuration management
6.3.3 | A.8.9 Configuration management
6.4 Change Management, Repairs and Maintenance
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
6.4.1 | 6.3 Planning of changes; 8.1 Operational planning and control; A.7.13 Equipment maintenance; A.8.19 Installation of software on operational systems
6.4.2 | A.8.32 Change management; A.7.8 Equipment siting and protection
6.4.3 | A.8.32 Change management
6.4.4 | 6.3 Planning of changes; 8.1 Operational planning and control
6.5 Security Testing
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
6.5.1 | A.8.29 Security testing in development and acceptance
6.5.2(a) | A.8.33 Test information
6.5.2(b) | A.8.33 Test information
6.5.2(c) | A.8.34 Protection of information systems during audit testing
6.5.2(d) | A.8.34 Protection of information systems during audit testing
6.5.3 | A.8.29 Security testing in development and acceptance
6.6 Security Patch Management
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
6.6.1(a) | A.8.31 Separation of development, test and production environments; A.8.19 Installation of software on operational systems
6.6.1(b) | A.8.32 Change management
6.6.1(c) | A.8.31 Separation of development, test and production environments
6.6.1(d) | A.8.31 Separation of development, test and production environments
6.6.2 | A.8.32 Change management
6.7 Network Security
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
6.7.1 | A.8.16 Monitoring activities; A.8.23 Web filtering
6.7.2(a) | A.8.20 Networks security
6.7.2(b) | A.8.20 Networks security
6.7.2(c) | A.8.20 Networks security
6.7.2(d) | A.8.20 Networks security; A.6.7 Remote working
6.7.2(e) | A.8.20 Networks security
6.7.2(f) | A.8.20 Networks security
6.7.2(g) | A.8.20 Networks security
6.7.2(h) | A.8.20 Networks security
6.7.2(i) | A.8.20 Networks security
6.7.2(j) | A.8.20 Networks security
6.7.2(k) | A.8.20 Networks security
6.7.2(l) | A.8.20 Networks security
6.7.3 | A.8.16 Monitoring activities; A.8.20 Networks security
6.8 Network Segmentation
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
6.8.1 | A.8.22 Segregation of networks
6.8.2(a) | A.8.22 Segregation of networks
6.8.2(b) | A.8.22 Segregation of networks
6.8.2(c) | A.8.22 Segregation of networks
6.8.2(d) | A.8.22 Segregation of networks
6.8.2(e) | A.8.22 Segregation of networks
6.8.2(f) | A.8.22 Segregation of networks
6.8.2(g) | A.8.22 Segregation of networks
6.8.2(h) | A.8.22 Segregation of networks
6.8.3 | A.8.22 Segregation of networks
6.9 Protection Against Malicious and Unauthorised Software
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
6.9.1 | A.5.32 Intellectual property rights; A.8.7 Protection against malware; A.8.12 Data leakage prevention; A.8.23 Web filtering
6.9.2 | A.5.32 Intellectual property rights; A.8.7 Protection against malware; A.8.12 Data leakage prevention
6.10 Vulnerability Handling and Disclosure
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
6.10.1 | A.8.8 Management of technical vulnerabilities
6.10.2(a) | A.8.8 Management of technical vulnerabilities
6.10.2(b) | A.8.8 Management of technical vulnerabilities
6.10.2(c) | A.8.8 Management of technical vulnerabilities
6.10.2(d) | A.8.8 Management of technical vulnerabilities
6.10.2(e) | A.8.8 Management of technical vulnerabilities
6.10.3 | A.8.8 Management of technical vulnerabilities
6.10.4 | A.8.8 Management of technical vulnerabilities
7. POLICIES AND PROCEDURES TO ASSESS THE EFFECTIVENESS OF CYBERSECURITY RISK-MANAGEMENT MEASURES
7.1 Assessment of the Effectiveness of Cybersecurity Risk-Management Measures
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
7.1.1 | 6.2 Information security objectives and planning to achieve them; 9.1 Monitoring, measurement, analysis and evaluation
7.1.2 | 7.4 Communication; 7.5.1 Documented information - General
7.1.2(a) | 9.3 Management review
7.1.2(b) | 9.1 Monitoring, measurement, analysis and evaluation
7.1.2(c) | 9.1 Monitoring, measurement, analysis and evaluation
7.1.2(d) | 9.1 Monitoring, measurement, analysis and evaluation
7.1.2(e) | 9.3 Management review
7.1.2(f) | 9.3 Management review
7.1.3 | 6.2 Information security objectives and planning to achieve them; 9.1 Monitoring, measurement, analysis and evaluation; 9.3 Management review; 7.5.2 Creating and updating; 7.5.3 Control of documented information
8. BASIC CYBER HYGIENE PRACTICES AND SECURITY TRAINING
8.1 Awareness Raising and Basic Cyber Hygiene Practices
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
8.1.1 | 7.3 Awareness; A.6.3 Information security awareness, education and training
8.1.2(a) | 7.3 Awareness; A.6.3 Information security awareness, education and training
8.1.2(b) | A.6.3 Information security awareness, education and training
8.1.2(c) | A.6.3 Information security awareness, education and training; A.8.7 Protection against malware; A.5.6 Contact with special interest groups
8.1.3 | 7.3 Awareness; A.6.3 Information security awareness, education and training
8.2 Security Training
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
8.2.1 | 7.2 Competence; A.6.3 Information security awareness, education and training
8.2.2 | 7.2 Competence; A.6.3 Information security awareness, education and training
8.2.3(a) | A.6.3 Information security awareness, education and training
8.2.3(b) | A.6.3 Information security awareness, education and training
8.2.3(c) | A.6.3 Information security awareness, education and training
8.2.4 | 7.2 Competence; A.6.3 Information security awareness, education and training
8.2.5 | 7.2 Competence; A.6.3 Information security awareness, education and training
9. CRYPTOGRAPHY
9.1 Cryptography
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
9.1.1 | A.5.31 Legal, statutory, regulatory and contractual requirements; A.8.24 Use of cryptography
9.1.2(a) | A.8.24 Use of cryptography; A.5.34 Privacy and protection of PII
9.1.2(b) | A.8.24 Use of cryptography
9.1.2(c)(i) | A.8.24 Use of cryptography
9.1.2(c)(ii) | A.8.24 Use of cryptography
9.1.2(c)(iii) | A.8.24 Use of cryptography
9.1.2(c)(iv) | A.8.24 Use of cryptography
9.1.2(c)(v) | A.8.24 Use of cryptography
9.1.2(c)(vi) | A.8.24 Use of cryptography
9.1.2(c)(vii) | A.8.24 Use of cryptography
9.1.2(c)(viii) | A.8.24 Use of cryptography
9.1.2(c)(ix) | A.8.24 Use of cryptography
9.1.2(c)(x) | A.8.24 Use of cryptography
9.1.2(c)(xi) | A.8.24 Use of cryptography
9.1.2(c)(xii) | A.8.24 Use of cryptography
9.1.3 | A.5.31 Legal, statutory, regulatory and contractual requirements; A.8.24 Use of cryptography
10. HUMAN RESOURCES SECURITY
10.1 Human Resources Security
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
10.1.1 | 7.1 Resources; 7.2 Competence; A.6.2 Terms and conditions of employment
10.1.2(a) | A.6.3 Information security awareness, education and training
10.1.2(b) | A.6.3 Information security awareness, education and training
10.1.2(c) | A.6.2 Terms and conditions of employment
10.1.2(d) | A.6.2 Terms and conditions of employment
10.1.3 | 7.1 Resources; 7.2 Competence; A.6.2 Terms and conditions of employment
10.2 Verification of Background
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
10.2.1 | A.6.1 Screening
10.2.2(a) | A.6.1 Screening
10.2.2(b) | A.6.1 Screening
10.2.3 | A.6.1 Screening
10.3 Termination or Change of Employment Procedures
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
10.3.1 | A.6.5 Responsibilities after termination or change of employment; A.6.6 Confidentiality or non-disclosure agreements; A.5.11 Return of assets
10.3.2 | A.6.5 Responsibilities after termination or change of employment
10.4 Disciplinary Process
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
10.4.1 | A.6.4 Disciplinary process
10.4.2 | A.6.4 Disciplinary process
11. ACCESS CONTROL
11.1 Access Control Policy
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
11.1.1 | A.5.15 Access control; A.7.2 Physical entry; A.8.3 Information access restriction; A.8.21 Security of network services; A.6.7 Remote working
11.1.2(a) | A.5.15 Access control
11.1.2(b) | A.5.15 Access control
11.1.2(c) | A.5.15 Access control
11.1.3 | A.5.15 Access control
11.2 Management of Access Rights
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
11.2.1 | A.5.18 Access rights
11.2.2(a) | A.5.18 Access rights; A.8.4 Access to source code
11.2.2(b) | A.5.18 Access rights
11.2.2(c) | A.5.18 Access rights
11.2.2(d) | A.5.18 Access rights
11.2.2(e) | A.5.18 Access rights
11.2.2(f) | A.5.18 Access rights
11.2.3 | A.5.18 Access rights
11.3 Privileged Accounts and System Administration Accounts
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
11.3.1 | A.8.2 Privileged access rights; A.8.18 Use of privileged utility programs
11.3.2(a) | A.8.2 Privileged access rights; A.8.18 Use of privileged utility programs
11.3.2(b) | A.8.2 Privileged access rights
11.3.2(c) | A.8.2 Privileged access rights
11.3.2(d) | A.8.2 Privileged access rights
11.3.3 | A.8.2 Privileged access rights; A.8.18 Use of privileged utility programs
11.4 Administration Systems
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
11.4.1 | A.8.2 Privileged access rights; A.8.18 Use of privileged utility programs
11.4.2(a) | A.8.2 Privileged access rights
11.4.2(b) | A.8.18 Use of privileged utility programs
11.4.2(c) | A.8.2 Privileged access rights; A.8.18 Use of privileged utility programs
11.5 Identification
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
11.5.1 | A.5.16 Identity management
11.5.2(a) | A.5.16 Identity management
11.5.2(b) | A.5.16 Identity management
11.5.2(c) | A.5.16 Identity management
11.5.2(d) | A.5.16 Identity management
11.5.3 | A.5.16 Identity management
11.5.4 | A.5.16 Identity management
11.6 Authentication
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
11.6.1 | A.5.17 Authentication information
11.6.2(a) | A.5.17 Authentication information
11.6.2(b) | A.5.17 Authentication information
11.6.2(c) | A.5.17 Authentication information
11.6.2(d) | A.5.17 Authentication information
11.6.2(e) | A.5.17 Authentication information
11.6.2(f) | A.5.17 Authentication information
11.6.3 | A.5.17 Authentication information
11.6.4 | A.5.17 Authentication information
11.7 Multi-Factor Authentication
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
11.7.1 | A.8.5 Secure authentication
11.7.2 | A.8.5 Secure authentication
12. ASSET MANAGEMENT
12.1 Asset Classification
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
12.1.1 | A.5.9 Inventory of information and other associated assets; A.5.12 Classification of information; A.5.34 Privacy and protection of PII
12.1.2(a) | A.5.12 Classification of information
12.1.2(b) | A.5.12 Classification of information; A.5.13 Labelling of information
12.1.2(c) | A.5.13 Labelling of information
12.1.3 | A.5.12 Classification of information; A.5.13 Labelling of information
12.2 Handling of Assets
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
12.2.1 | A.5.9 Inventory of information and other associated assets; A.5.10 Acceptable use of information and other associated assets
12.2.2(a) | A.5.14 Information transfer
12.2.2(b) | A.5.14 Information transfer; A.7.10 Storage media; A.7.9 Security of assets off-premises; A.7.14 Secure disposal or re-use of equipment; A.8.10 Information deletion
12.2.2(c) | A.7.10 Storage media
12.2.3 | A.5.9 Inventory of information and other associated assets; A.5.10 Acceptable use of information and other associated assets
12.3 Removable Media Policy
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
12.3.1 | A.7.7 Clear desk and clear screen
12.3.2(a) | A.7.7 Clear desk and clear screen
12.3.2(b) | A.7.7 Clear desk and clear screen
12.3.2(c) | A.7.10 Storage media
12.3.2(d) | A.7.10 Storage media
12.3.3 | A.7.7 Clear desk and clear screen; A.7.10 Storage media
12.4 Asset Inventory
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
12.4.1 | A.5.9 Inventory of information and other associated assets; A.8.1 User end point devices
12.4.2(a) | A.5.9 Inventory of information and other associated assets
12.4.2(b) | A.5.9 Inventory of information and other associated assets
12.4.3 | A.5.9 Inventory of information and other associated assets
12.5 Deposit, Return or Deletion of Assets Upon Termination of Employment
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
12.5 | A.5.11 Return of assets; A.5.18 Access rights; A.8.24 Use of cryptography; A.7.9 Security of assets off-premises; A.7.14 Secure disposal or re-use of equipment; A.8.10 Information deletion
13. ENVIRONMENTAL AND PHYSICAL SECURITY
13.1 Supporting Utilities
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
13.1.1 | A.7.11 Supporting utilities
13.1.2(a) | A.7.11 Supporting utilities
13.1.2(b) | A.7.11 Supporting utilities
13.1.2(c) | A.7.11 Supporting utilities
13.1.2(d) | A.7.11 Supporting utilities
13.1.2(e) | A.7.11 Supporting utilities
13.1.2(f) | A.7.11 Supporting utilities
13.1.3 | A.7.11 Supporting utilities
13.2 Protection Against Physical and Environmental Threats
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
13.2.1 | A.7.3 Securing offices, rooms and facilities; A.7.5 Protecting against physical and environmental threats; A.7.6 Working in secure areas
13.2.2(a) | A.7.3 Securing offices, rooms and facilities; A.7.6 Working in secure areas
13.2.2(b) | A.7.5 Protecting against physical and environmental threats
13.2.2(c) | A.7.5 Protecting against physical and environmental threats
13.2.3 | A.7.3 Securing offices, rooms and facilities; A.7.5 Protecting against physical and environmental threats; A.7.6 Working in secure areas
13.3 Perimeter and Physical Access Control
Requirement | ISO/IEC 27001:2022 clause or Annex A control (with title)
13.3.1 | A.7.1 Physical security perimeters; A.7.2 Physical entry
13.3.2(a) | A.7.1 Physical security perimeters
13.3.2(b) | A.7.2 Physical entry
13.3.2(c) | A.7.4 Physical security monitoring; A.7.12 Cabling security
13.3.2(d) | A.7.4 Physical security monitoring
13.3.3 | A.7.1 Physical security perimeters; A.7.2 Physical entry; A.7.4 Physical security monitoring; A.7.12 Cabling security
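The 93/93 figure at the top of the page is the kind of claim worth re-checking whenever the mapping is edited, and the same check catches the usual editing mistake (a control id that does not exist, such as a mistyped A.8.35). The script below is an added example written for this page, not code from the mapping tool or its contributor. It parses mapping rows either in the raw export layout (requirement id, the list of clause ids, then each clause repeated with its title on its own line) or in a two-column "requirement | clause title; clause title" layout, then reports which Annex A controls are referenced, which are missing and which referenced ids are not real controls. The embedded SAMPLE is an excerpt of rows copied from the tables above in both layouts, except for the final 9.9.9 row, which is constructed to trigger the typo check; run over the full table text it confirms the 93/93 figure.

```python
"""Annex A coverage check for a NIS2 -> ISO/IEC 27001:2022 mapping table.

Added example, not part of the page. Rows may be in the raw export layout
("<requirement> <clause ids...> <first clause id> <title>", then one
"<clause id> <title>" continuation line per further clause) or in a
two-column "<requirement> | <clause> <title>; <clause> <title>" layout.
"""
import re

# ISO/IEC 27001:2022 Annex A: 37 organisational (A.5), 8 people (A.6),
# 14 physical (A.7) and 34 technological (A.8) controls, 93 in total.
ANNEX_A_SIZES = {5: 37, 6: 8, 7: 14, 8: 34}
ANNEX_A = {f"A.{theme}.{n}" for theme, count in ANNEX_A_SIZES.items()
           for n in range(1, count + 1)}

REQ_RE = re.compile(r"^\d+(?:\.\d+)*(?:\([a-z]+\))*$")   # 1.1.1, 2.1.2(a), 9.1.2(c)(xii)
CLAUSE_RE = re.compile(r"^(?:A\.)?\d+\.\d+(?:\.\d+)?$")  # 4.4, 6.1.2, 7.5.1, A.5.1

def _clause_key(cid):
    """Numeric sort key so that A.5.2 sorts before A.5.10."""
    return tuple(int(p) for p in cid.lstrip("A.").split("."))

def _parse_raw_row(tokens):
    """Clause ids of a raw export row, or None if this is not a data row.

    The title column restarts the list with the first clause id, so the
    mapping ends at the first repeat of tokens[1]. Continuation lines and
    the header are rejected because their second token is a title word.
    """
    if (len(tokens) < 2 or not REQ_RE.match(tokens[0])
            or not CLAUSE_RE.match(tokens[1])):
        return None
    clauses = []
    for tok in tokens[1:]:
        if not CLAUSE_RE.match(tok) or (clauses and tok == clauses[0]):
            break
        clauses.append(tok)
    return clauses

def _parse_pipe_row(line):
    """(requirement, clause ids) of a 'req | A.5.1 Title; ...' row, or None."""
    req, _, rest = line.partition("|")
    req = req.strip()
    clauses = [cell.split()[0] for cell in rest.split(";") if cell.split()]
    if not REQ_RE.match(req) or not clauses or not all(map(CLAUSE_RE.match, clauses)):
        return None
    return req, clauses

def parse_mapping(text):
    """Return {requirement_id: [clause_id, ...]} from the table text."""
    mapping = {}
    for line in text.splitlines():
        if "|" in line:
            parsed = _parse_pipe_row(line)
            if parsed:
                mapping[parsed[0]] = parsed[1]
            continue
        tokens = line.split()
        clauses = _parse_raw_row(tokens)
        if clauses:
            mapping[tokens[0]] = clauses
    return mapping

def annex_a_coverage(mapping):
    """Covered, missing and non-existent (typo) Annex A control ids."""
    referenced = {c for cs in mapping.values() for c in cs if c.startswith("A.")}
    return {
        "covered": sorted(referenced & ANNEX_A, key=_clause_key),
        "missing": sorted(ANNEX_A - referenced, key=_clause_key),
        "unknown": sorted(referenced - ANNEX_A, key=_clause_key),
    }

# Rows copied from the page in both layouts; the 9.9.9 row is constructed
# (it is not on the page) to show the typo check.
SAMPLE = """\
Requirement ISO/IEC 27001:2022 Mapping Complete ISO/IEC 27001:2022 Chapter/Control Title
1.1.1 4.4 4.4 Information security management system
1.1.1(a) 5.2 A.5.1 A.5.37 5.2 Policy
A.5.1 Policies for information security
A.5.37 Documented operating procedures
1.1.1(f) A.5.1 A.5.36 A.6.6 A.5.1 Policies for information security
A.5.36 Compliance with policies, rules and standards for information security
A.6.6 Confidentiality or non-disclosure agreements
3.2.1 A.5.28 A.8.15 A.5.28 Collection of evidence
A.8.15 Logging
3.2.7 A.8.15 A.8.16 A.8.15 Logging
A.8.16 Monitoring activities
3.3.1 | A.6.8 Information security event reporting
3.5.3(a) | A.5.26 Response to information security incidents; A.5.5 Contact with authorities
9.9.9 A.8.35 A.8.35 Constructed row citing a control id that does not exist
"""

if __name__ == "__main__":
    cov = annex_a_coverage(parse_mapping(SAMPLE))
    print(f"covered {len(cov['covered'])}/{len(ANNEX_A)}, "
          f"missing {len(cov['missing'])}, unknown {cov['unknown']}")
```

On the SAMPLE excerpt the report is 10 covered, 83 missing and one unknown id (A.8.35). To check the whole page, paste the table text into a file and pass it to parse_mapping; a non-empty "unknown" list means a mistyped control id, and a non-empty "missing" list means the headline coverage claim no longer holds.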