Information security, cybersecurity and privacy protection — Information security management systems — Requirements Sécurité de l'information, cybersécurité et protection de la vie privée — Systèmes de management de la sécurité de l'information — ExigencesINTERNATIONAL STANDARDISO/IEC 27001 Third edition 2022-10 Reference number ISO/IEC 27001:2022(E) © ISO/IEC 2022iiISO/IEC 27001:2022(E) COPYRIGHT PROTECTED DOCUMENT © ISO/IEC 2022 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester. ISO copyright office CP 401 • Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +41 22 749 01 11 Email: copyright@iso.org Website: www.iso.org Published in Switzerland © ISO/IEC 2022 – All rights reserved ISO/IEC 27001:2022(E) Foreword ........................................................................................................................................................................................................................................ iv Introduction ................................................................................................................................................................................................................................. v 1 Scope ................................................................................................................................................................................................................................. 1 2 Normative references ..................................................................................................................................................................................... 1 3 Terms and definitions .................................................................................................................................................................................... 1 4 Context of the organization ........................................................................................................................................... ........................... 1 4.1 Understanding the organization and its context ..................................................................................................... 1 4.2 Understanding the needs and expectations of interested parties ........................................................... 1 4.3 Determining the scope of the information security management system ....................................... 2 4.4 Information security management system ................................................................................................................... 2 5 Leadership .................................................................................................................................................................................................................. 2 5.1 Leadership and commitment ..................................................................................................................................................... 2 5 . 2 P o l i c y ............................................................................................................................................................................................................... 3 5.3 Organizational roles, responsibilities and authorities ....................................................................................... 3 6 Planning ..........................................................................................................................................................