Table of Contents

1.1 What is Information Security?

Information security is the practice of protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction. It is built on three foundational principles, collectively known as the CIA Triad:

Modern information security extends beyond the CIA Triad to also address authenticity (verifying that an entity is who it claims to be), accountability (ensuring actions can be traced to an entity), non-repudiation (preventing a party from denying an action), and reliability (consistent performance).

1.2 Why ISO 27001?

ISO/IEC 27001 is the world's most widely adopted international standard for Information Security Management Systems. It provides a systematic, risk-based framework for managing sensitive information across an organisation. Adoption delivers multiple benefits:

1.3 The ISO 27000 Family

1.4 Structure of ISO 27001:2022

ISO 27001:2022 follows the Annex SL harmonised high-level structure used by all modern ISO management system standards (ISO 9001, ISO 14001, ISO 45001, ISO 55001). This makes integration with other management systems straightforward.

1.5 The 2022 Revision — What Changed

ISO 27001 was significantly revised in 2022 (from the 2013 version). Key changes include:

• Annex A restructured from 14 clauses and 114 controls to 4 themes and 93 controls
• 11 new controls added — many addressing cloud, threat intelligence, and ICT supply chain
• 58 controls merged (reducing redundancy); 1 control deleted
• Introduction of 5 control attributes: type (preventive/detective/corrective), information security properties (CIA), cybersecurity concepts (NIST CSF alignment), operational capabilities, and security domains
• Strengthened requirements for planning and preparing for information security incidents
• New clause text on threat intelligence and ICT supply chain security

2.1 The Foundation: Understanding Context

Clause 4 is the foundation of the entire ISMS. You cannot design an effective information security management system without first understanding the organisation's environment, its stakeholders, and the boundaries within which the ISMS will operate. An ISMS designed without proper context analysis will inevitably have blind spots — areas of significant risk that were never considered.

2.2 Clause 4.1 — Understanding the Organisation and its Context

2.2.1 External Issues

2.2.2 Internal Issues

• Organisational structure — how information flows, who has authority, how decisions are made
• Culture — is security seen as an enabler or a barrier? Is there psychological safety for reporting incidents?
• Strategy and objectives — what is the organisation trying to achieve, and how does information security enable that?
• Information assets — what information does the organisation hold, process, and transmit?
• Technology environment — existing IT infrastructure, legacy systems, cloud services, operational technology
• Human factors — workforce size, remote working arrangements, contractor usage, third-party access
• Existing security controls — what is already in place, and how effective is it?
• Past incidents — what security failures has the organisation experienced, and what was learned?

2.3 Clause 4.2 — Understanding Needs and Expectations of Interested Parties

2.4 Clause 4.3 — Determining the Scope of the ISMS

2.4.1 Scope Decisions

• A narrow scope reduces the certification effort but also reduces its value to customers who need assurance across broader operations
• A broad scope requires more rigorous implementation but provides stronger assurance and is often required by major enterprise customers
• Interfaces and dependencies must be considered — an ISMS scope that excludes a critical supplier or cloud provider may leave significant risk unaddressed

2.4.2 Typical Scope Elements

• Organisational units: Which business units, departments, or legal entities are in scope
• Locations: Which physical sites, including remote working arrangements and cloud infrastructure
• Information assets: Which information types, systems, and processes are covered
• Technology: Which IT systems, applications, networks, and devices are in scope
• Interfaces: How the scoped area interacts with out-of-scope areas and third parties

2.5 Clause 4.4 — Information Security Management System

This clause establishes the core obligation: the ISMS must be established (documented and designed), implemented (actually operating in practice), maintained (kept current and effective), and continually improved. The four-word sequence — establish, implement, maintain, improve — maps directly to the Plan-Do-Check-Act (PDCA) cycle that underpins all ISO management systems.

3.1 Clause 5 — Leadership

3.1.1 Clause 5.1 — Leadership and Commitment

Information security failures are frequently attributed to a lack of genuine leadership commitment. When senior leaders treat security as an IT problem rather than a business risk, security teams lack the authority, resources, and organisational backing to implement effective controls.

3.1.2 Evidence of Leadership Commitment

3.1.3 Clause 5.2 — Policy

A conforming IS policy must: be approved and signed by top management; reference commitment to confidentiality, integrity, and availability; state the ISMS scope; commit to risk-based security management; commit to meeting regulatory and contractual requirements; and commit to continual improvement.

3.1.4 Clause 5.3 — Roles, Responsibilities and Authorities

3.2 Clause 6 — Planning

3.2.2 Clause 6.1.2 — Information Security Risk Assessment

3.2.3 Risk Assessment Methodology

1. Establish risk criteria: Define what constitutes risk acceptance — what likelihood × impact threshold requires treatment.
2. Asset/scenario identification: Identify information assets and scenarios (threat × vulnerability combinations) that could compromise CIA.
3. Threat identification: What threat actors and events are relevant? (External attackers, malicious insiders, accidental actions, natural events, system failures)
4. Vulnerability identification: What weaknesses exist that could be exploited? (Unpatched software, weak passwords, inadequate physical security, untrained staff)
5. Consequence assessment: If a threat exploits a vulnerability, what is the impact on CIA? Assess financial, reputational, legal, and operational consequences.
6. Likelihood assessment: How probable is the threat event, considering existing controls?
7. Risk level calculation: Combine likelihood and consequence to produce a risk level using a risk matrix.
8. Risk evaluation: Compare risk levels against criteria. Determine which risks require treatment.

3.2.4 Clause 6.1.3 — Information Security Risk Treatment

Risk treatment options: Avoid (eliminate the risk source entirely); Reduce/Modify (apply Annex A controls); Share/Transfer (cyber insurance, outsourcing, contractual transfer); Accept/Retain (documented conscious decision that residual risk is within criteria).

3.2.5 Clause 6.2 — Information Security Objectives

4.1 Clause 7 — Support

4.1.2 Clause 7.2 — Competence

4.1.3 Clause 7.3 — Awareness

Effective awareness programs include:

• Annual all-staff security awareness training (mandatory, tracked to completion)
• Regular phishing simulations with targeted training for those who fall for simulations
• Role-specific training for higher-risk roles (finance, HR, executives, IT administrators)
• Security communications — monthly security tips, incident alerts, policy reminders
• New joiner induction — security awareness as part of onboarding
• Targeted briefings when new threats emerge

4.1.5 Clause 7.5 — Documented Information (Mandatory Documents)

4.2 Clause 8 — Operation

4.2.1 Clause 8.1 — Operational Planning and Control

This requires: documented procedures for all key security processes; technical configuration standards for systems, networks, and devices; process controls built into workflows; and evidence retention through logs, reports, and records demonstrating controls are operating.

4.2.2 Clause 8.2 — Information Security Risk Assessment (Operational)

The organisation must perform IS risk assessments at planned intervals or when significant changes occur. Triggers for reassessment include: significant changes to IT systems; new business activities or services; following a significant security incident; changes in the regulatory environment; and major changes to the threat landscape.

4.2.3 Clause 8.3 — Information Security Risk Treatment

This clause requires that the risk treatment plan is actually implemented. Every risk treatment action agreed in Clause 6.1.3 must be executed, tracked, and evidenced. The most common failure mode: organisations conduct excellent risk assessments and produce detailed treatment plans, then fail to implement the treatments due to resource constraints or lack of accountability.

5.1 Clause 9.1 — Monitoring, Measurement, Analysis and Evaluation

5.1.3 Clause 9.2 — Internal Audit

5.1.4 Clause 9.3 — Management Review

5.2 Clause 10 — Improvement

5.2.2 Root Cause Analysis for IS Nonconformities

6.1 Overview of Organisational Controls

Annex A Theme 1 contains 37 controls addressing the governance, policy, and process dimensions of information security. Your demo2 ES ERP Compliance Framework record contains three implemented controls from this theme: A.5.1 (Information Security Policy), A.5.2 (IS Roles and Responsibilities), and A.5.3 (Segregation of Duties) — all with implementation status: Implemented.

6.2 A.5.1 — Information Security Policies (Implemented)

6.2.1 Policy Architecture

ISO 27001:2022 distinguishes between the overarching IS policy (Clause 5.2) and topic-specific policies (Annex A). Topic-specific policies include:

• Access control policy — who can access what, under what conditions
• Acceptable use policy — how staff may use IT systems and information
• Information classification policy — how information is categorised and handled by classification level
• Cryptography policy — when and how encryption is used
• Incident management policy — how security incidents are reported and managed
• Remote access and working policy — security requirements for remote and hybrid work
• Supplier security policy — minimum security requirements for third-party suppliers

6.3 A.5.2 — Information Security Roles and Responsibilities (Implemented)

Role allocation must cover: ownership of the ISMS as a whole; ownership of each information asset; responsibility for each Annex A control area; incident response roles (Incident Manager, Technical Lead, Communications, Legal/Compliance); audit responsibilities; and supplier relationship management from an IS perspective.

6.4 A.5.3 — Segregation of Duties (Implemented)

6.5 Selected Additional A.5 Controls

6.5.1 A.5.7 — Threat Intelligence (New in 2022)

Organisations must collect and analyse information about information security threats to produce actionable threat intelligence. Sources include: vendor security advisories, CERT/CISA bulletins, industry ISACs, commercial threat intelligence feeds, and dark web monitoring.

6.5.2 A.5.19–A.5.22 — ICT Supply Chain Security (Enhanced in 2022)

Supply chain security has been significantly strengthened in 2022. Controls cover: identifying and managing IS risks in ICT supply chains; defining security requirements for supplier agreements; managing and monitoring supplier service delivery; and addressing security in cloud service agreements. This reflects the growing recognition of supply chain attacks (SolarWinds, Kaseya) as a major threat vector.

6.5.3 A.5.23 — IS for Cloud Services (New in 2022)

A new control specifically addressing information security in cloud computing. Organisations must establish processes for acquisition, use, management, and exit from cloud services. This includes: cloud provider security assessment; contractual security requirements; data classification in cloud environments; and cloud exit strategies.

7.1 Why People Controls Matter

People are simultaneously the most important security asset and the most significant security vulnerability in any organisation. Technical controls can be bypassed, defeated, or rendered ineffective by human behaviour — whether through mistakes, negligence, deliberate action, or social engineering. Theme 2 addresses information security throughout the employment lifecycle and into the remote working environment.

7.2 A.6.1 — Screening

7.4 A.6.3 — Information Security Awareness, Education and Training

• Annual mandatory IS awareness training — foundational content for all staff, with completion tracked
• Role-specific training — deeper training for IT, finance, HR, and executive staff
• Phishing simulations — regular simulated phishing; staff who click receive immediate targeted education
• Micro-learning — short, regular security messages, security newsletter
• Security champions program — IS-aware individuals embedded in business units
• Effectiveness measurement — tracking behaviour change, not just training completion

7.5 A.6.5 — Responsibilities After Termination or Change of Employment

7.6 A.6.7 — Remote Working

8.1 Why Physical Security Underpins Information Security

Physical security is often treated as an IT afterthought, but it is foundational to information security. All logical security controls can be defeated if an attacker can gain physical access to servers, network equipment, or workstations. A technically sophisticated cyber defence is rendered meaningless if someone can walk into the server room and remove a hard drive.

8.2 A.7.1 — Physical Security Perimeters

8.4 A.7.7 — Clear Desk and Clear Screen

• Sensitive documents secured in locked drawers or cabinets when not in use — not left on desks overnight
• Screen lock activated when leaving workstation (maximum timeout: 10–15 minutes)
• Printers checked and cleared — sensitive documents not left in printer output trays
• Whiteboards and meeting room screens cleared of sensitive information after use

8.6 A.7.14 — Secure Disposal or Re-use of Equipment

• Documented disposal procedure for all equipment containing storage
• Secure erasure using DoD 5220.22-M or equivalent overwriting standard, or physical destruction for highly sensitive media
• Certificate of destruction for third-party disposal services
• Asset register updated on disposal

9.1 Overview of Technological Controls

Annex A Theme 4 contains 34 controls. Your ES ERP Compliance Framework record contains 9 controls from this theme:

9.2 A.8.1 — User Endpoint Devices (Partially Implemented)

9.3 A.8.2 — Privileged Access Rights (Implemented)

• Privileged account inventory: All privileged accounts documented — who has them, what they access, why
• Least privilege principle: Privileged access granted only to the minimum scope required
• Separate privileged accounts: Administrators use a standard account for routine tasks; separate privileged account for administrative tasks
• PAM solution: Vaulting of privileged credentials, just-in-time access, session recording and monitoring
• Regular review: Privileged access reviewed at least quarterly
• Shared account prohibition: Generic shared administrator accounts prohibited

9.5 A.8.4 — Access to Source Code (Implemented)

• Source code repository access controlled — only developers working on a project can access its code
• Branch protection — production branches require pull request approval; no direct commits to main/master
• Code review requirement — all code changes reviewed by a second developer before merge
• Audit log — all access to and changes in the repository logged and retained

9.6 A.8.5 — Secure Authentication (Partially Implemented)

9.8 A.8.11 — Data Masking (Not Implemented)

Data masking techniques include: Static data masking (creates a masked copy for non-production use); Dynamic data masking (masks data at the presentation layer in real-time); Tokenisation (replaces sensitive data with a non-sensitive token); and Pseudonymisation (replaces identifying information with artificial identifiers — recognised by GDPR as a privacy-enhancing technique).

9.10 A.8.28 — Secure Coding (Partially Implemented)

9.10.2 OWASP Top 10

• A01: Broken Access Control — users can act outside their intended permissions
• A02: Cryptographic Failures — sensitive data exposed due to weak or absent encryption
• A03: Injection — SQL injection, command injection, LDAP injection
• A04: Insecure Design — security not considered in architecture decisions
• A05: Security Misconfiguration — default credentials, unnecessary features enabled
• A06: Vulnerable and Outdated Components — using libraries with known vulnerabilities
• A07: Identification and Authentication Failures — weak passwords, missing MFA
• A08: Software and Data Integrity Failures — insecure CI/CD pipelines
• A09: Security Logging and Monitoring Failures — insufficient logging to detect breaches
• A10: Server-Side Request Forgery — forcing servers to make unintended requests

10.1 The Statement of Applicability (SoA)

The Statement of Applicability (SoA) is one of the most important — and most distinctive — documents in ISO 27001. It declares, for each of the 93 Annex A controls, whether the control is applicable to the organisation, whether it is implemented, and the justification for inclusion or exclusion.

10.1.2 Your ES ERP SoA — Current Status

10.3 The Certification Process

10.5 Connecting ISO 27001 to Other Frameworks

Assessment Overview

This Certificate program uses a blended assessment approach testing both theoretical understanding of ISO 27001:2022 requirements and the practical ability to design, assess, and improve an ISMS.

Key Study Areas

• The CIA Triad — definition and examples of controls for each property
• The 2022 Annex A restructure — 4 themes, 93 controls, 11 new controls
• The Statement of Applicability — what it must contain, and why exclusions must be justified
• The risk assessment process (Clause 6.1.2) — all steps from criteria to evaluation
• Risk treatment options — avoid, reduce, share, accept — and when each is appropriate
• Mandatory documented information — know the full list (Module 4 table)
• The 9 controls from your ES ERP record — understand each at implementation depth
• MFA types and why phishing-resistant MFA is the gold standard
• Segregation of duties examples — be able to identify conflicting duty pairs
• The certification process — Stage 1 and Stage 2 audits, surveillance, recertification
• How ISO 27001 relates to GDPR, NIST CSF, SOC 2, and Australian regulations (APRA CPS 234, Essential Eight)