ISO 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements is a unique standard.
ISO defines an ISMS as a systematic approach to managing sensitive company information so that it remains secure. While it includes the common management system benefits of an ISO management system for leadership, resources and improvement, it also requires the planning and the actions for identification and remediation of risk to the business, the information being protected, the people, processes and technology. At Radian Compliance, we say that the ISMS begins and ends with risk.
What makes this standard unique is the inclusion of an Annex A. Annex A is a set of security controls that, based on the classification of data, a risk assessment is performed. Based on risk assessments, controls can be implemented to mitigate one or more risks. ISO 27001:2022 has four (4) distinct security control clauses and associated controls:
• Annex A: Clause 5: Organizational (37 security controls).
• Annex A: Clause 6: People (8 security controls).
• Annex A: Clause 7: Physical (14 security controls).
• Annex A: Clause 8: Technological (34 security controls).
The Annex A table is further supported by ISO 27002:2022. This document provides extensive guidance on interpretation and implementation of the control with examples for different industry or risk level. Both the requirements (ISO 27001) and the guidance (27002) documents should be purchased together to maximize the value of information.
Benefits
• Create a governance structure that includes all key areas of the organization.
• Provide assurance that information is properly protected based on risk.
• Build confidence with customers and interested parties of your security posture.
• Respond to the numerous security questionnaires of clients and partners with a standardized set of information security controls.
Why Implement ISMS
• Identify risks and create effective risk treatment plans.
• Engage the entire organization in the practice of information security with ownership and responsibility of process, risks, and monitoring of controls.
• Reduce risk to third party/hosted services by creating a structured supplier risk management program.
• Become rapidly compliant with new information security regulations/mandates by having an ISMS that is continually monitored and reviewed for effectiveness and sustainability.
• Be proactive instead of reactive to potential threats and vulnerabilities.
• Provide additional privacy and cloud controls to meet evolving regulatory requirements by including ISO 27701*, 27017**, and 27018** to the ISMS.
The Radian Team supports additional ISO standards and guidance within the ISO 27000 family.
• ISO 27701:2025, Information security, cybersecurity and privacy protection – Privacy information management system – Requirements and Guidance.
This Privacy Information Management System (PIMS) provides a framework which supports an organization’s ability to protect personally identifiable information (PII) and meet ever evolving regulatory requirements.
• ISO 27017:2015, Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
This guidance document provides for additional cloud-based security controls to add to the ISO 27001 statement of applicability. A registrar may provide a recognition of these additional controls within the existing ISO 27001 certificate, but this is not a separate certification.
Please note that a revised version is forthcoming in 2026.
• ISO 27018:2025, Information security, cybersecurity and privacy protection – Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors.
In lieu of implementing ISO 27701, if you are a data processor, these additional controls support an organization’s risks as a data processor. A registrar may provide a recognition of these additional controls within the existing ISO 27001 certificate, but this is not a separate certification.
The Radian ISMS Difference
Radian team members’ experiences are deeply rooted in information security, cybersecurity and privacy. Not only are we experts in the ISO process, but we have the up-to-date technical expertise to support the wide array of ISMS/PIMS requirements, including risk management, physical security assessments, cloud services, penetration testing, and business continuity. Our team is constantly studying updates and providing relevant information about persistent and new threats to our customers. We are active in security organizations, including ASIS International, (ISC)2, ISACA, WiCys, IAPP, PMI, ASQ, and AITP–Chicago.
Connect with us now to learn how Radian Compliance can support your ISMS requirements.