ISO/IEC 27001:2022 does not prescribe a specific set of security controls that must be implemented by all organizations. Instead, it allows organizations to select and implement the controls that are appropriate for their context, based on the results of a risk assessment and a risk treatment plan. The risk treatment plan is a document that specifies the actions to be taken to address the identified risks, including the selection of controls from Annex A or other sources, the allocation of responsibilities, the expected outcomes, the priorities and the resources. Therefore, the security controls that must be implemented to comply with ISO/IEC 27001 are those that are included in the risk treatment plan, which may vary from one organization to another.
References:
ISO/IEC 27001:2022, clause 6.1.3
PECB ISO/IEC 27001 Lead Implementer Course, Module 5, slide 18
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit