ISO Isn’t Just IT Security

ISO 27001:2022 Is Not Simply IT Security – Here Is What You Need to Know

When people think of ISO 27001, they often imagine technical controls: firewalls, encryption, and antivirus software. While these are part of the picture, they only scratch the surface. ISO 27001:2022 is not simply IT security; it is a comprehensive, organisation-wide approach to protecting information assets.

This internationally recognised standard brings together people, processes, and technology to establish, implement, maintain, and continually improve an Information Security Management System (ISMS). And here is the key point: half of the Annex A controls in ISO 27001:2022 are non-technical.

Let us unpack what that means, and why it matters.

ISO 27001:2022 – A Business-Wide Framework

ISO 27001:2022 is built on the understanding that information security is not only a technical challenge but a business risk. A robust ISMS helps safeguard the confidentiality, integrity, and availability of data, known as the CIA Triad. These principles apply across every department, not only the IT team.

In ISO terms:

  • Confidentiality ensures only authorised users can access information.
  • Integrity protects the accuracy and completeness of data.
  • Availability guarantees information is accessible when needed.

This risk-based framework enables organisations to align security with operations, strategy, compliance, and resilience.

The Management System

The management system consists of 10 clauses, which are mandatory for an organisation of any size or type. How complex it is to fulfil the requirements depends on the business's scope and its processes. The introduction and the first three clauses:

  • Introduction
  • Clause 1 – Scope
  • Clause 2 – Normative References
  • Clause 3 – Terms and Definitions

are generic. They explain why the standard was created and how its requirements give interested parties confidence that confidential information is preserved, with controls that reduce the risk of information being compromised.

The requirements of the management system clauses run from Clause 4 to Clause 10:

Clause 4 – Context of the Organisation. This allows a business to identify its current issues using tools such as SWOT (Strengths, Weaknesses, Opportunities and Threats) and PESTEL (Political, Economic, Social, Technological, Environmental and Legal) analysis from a strategic and operational perspective. These are coupled with identifying the needs and expectations of interested parties, so that the scope and its boundaries (geographical and process-based) are defined in a way that lets the organisation fulfil its objectives.

Clause 5 – Leadership. The business is only as good as its leaders, who must fully commit to the standard and its requirements by aligning their key performance indicators and business objectives to the risks associated with information security, cyber security and protection of personal information. This is governed through an Information Security Policy and a robust roles, responsibilities and authorities matrix that gives the organisation the structure it requires to achieve its goals and objectives.

Clause 6 – Planning. The issues identified in Clause 4 through the SWOT and PESTEL analyses, together with any needs and expectations of interested parties that are not met, are documented in a baseline risk assessment. This covers the 93 controls in the Statement of Applicability: every relevant control is assessed along with the information-bearing assets. Through risk analysis and evaluation, risk treatments or mitigations are created following Simple, Measurable, Achievable, Realistic and Time-bound objectives aligned to the roles and responsibilities matrix and the performance indicators, which allow an organisation to mitigate risk, improve the business, fulfil its business objectives and continually improve its cyber posture.

Clause 7 – Support. This ensures that competent resources are available to deliver information security, with continuous proactive awareness programmes, communication plans (internal and external), and document control so that all documents are consistent, controlled and classified to prevent data leakage.

Clause 8 – Operation. Day-to-day activities are executed using tools such as policies, process diagrams, standard operating procedures, guidelines, standards, forms, templates, and the applications and systems that generate records. The risks associated with data and information are managed through a detailed risk assessment that is continuously updated, together with the relevant risk treatment plans and mitigations.

Clause 9 – Performance Evaluation. This clause focuses on data analytics and ensures that all key controls are statistically measured and that objectives are met. Where objectives for the patch management cycle, vulnerabilities, threats, capacity, backups, email filtering or web filtering rules are not met, they are addressed with a root cause analysis whose sole purpose is to improve the process. This is coupled with internal audits and management reviews as mechanisms to check the performance of the management system's objectives and the status of risk mitigation.

Clause 10 – Improvement. Any deviation from the objectives, targets, policies and rules of the organisation is identified as a non-conformance and followed up with a focused root cause analysis to ensure continual improvement, with the resulting actions made the responsibility of management.

The management system for ISO/IEC 27001:2022 is incomplete without the 93 controls in the Statement of Applicability, defined for the scope of the organisation.

The Four Control Categories in ISO/IEC 27001:2022

Understanding the four Annex A control types is crucial for effective ISO implementation:

  1. Organisational Controls (A.5)

These define your governance structure and security expectations. Examples include Access Control Policies, Information Classification Policies, and Supplier Security Policies. They set the rules for secure behaviour and compliance, with a focus on the governance tools and practices within the business's capacity to maintain a robust cybersecurity posture.

  2. People Controls (A.6)

Information security depends on awareness. This section includes staff training, secure development practices, phishing simulations, and ISO 27001:2022 internal auditor training. These controls ensure personnel can perform securely and confidently. They also ensure that all staff and key suppliers are screened before joining the organisation and reviewed continuously, to reduce the risk of people compromising the organisation's integrity. The rules of acceptance are determined by the organisation, using the strict non-disclosure agreements and codes of conduct that the standard sets out.

  3. Physical Controls (A.7)

Security is not confined to the digital world. Physical controls cover measures such as CCTV, biometric access, secure cabinets, and fire suppression systems, all essential to protect physical assets and facilities. Whether you have an on-premises server room or a data centre managing your applications in the cloud, access and asset management are the focus areas, along with ensuring redundancy in the event of disasters and unauthorised access.

  4. Technological Controls (A.8)

These are the expected IT-based defences: firewalls, antivirus tools, encryption, patch management systems, and backup solutions. They provide the technical backbone of your ISMS.

Together, these categories create a holistic and flexible framework tailored to your organisation’s specific risks and operations.

The Risks of Ignoring ISO 27001:2022

Failing to implement ISO 27001:2022 does not mean an absence of security; it means an absence of structured, auditable, and resilient security.

Without a certified ISMS in place, businesses are more likely to experience:

  • Data breaches and unauthorised access.
  • Legal and regulatory penalties, including fines under laws such as the GDPR or Protection of Personal Information Act (POPIA).
  • Loss of customer and stakeholder trust.
  • Operational disruption from security incidents.
  • Financial damage due to downtime, lost contracts, and remediation costs.

In contrast, ISO 27001:2022 provides a framework to pre-empt these risks with confidence.

The Business Case for ISO 27001:2022

ISO 27001:2022 is more than compliance. It delivers tangible business value across several key areas:

  1. Regulatory and Legal Compliance

Certification supports adherence to global and local legal obligations, such as the GDPR, Protection of Personal Information Act 1988 (AU), and sector-specific regulations. This helps avoid fines, reputational damage, and loss of operating licences.

  2. Reduced Risk and Incident Impact

An ISO 27001:2022-aligned ISMS helps proactively identify, assess, and treat information security risks, minimising the impact of cyberattacks, ransomware, and human error.

  3. Increased Customer and Partner Trust

Certification demonstrates a mature, externally audited commitment to security, which can help win new business, reassure clients, and strengthen supply chain relationships.

  4. Competitive Advantage and Market Access

For many industries, ISO 27001:2022 is becoming a contractual requirement. Certification opens doors to tenders, government work, and regulated sectors that demand verifiable security credentials.

  5. Reduction or Discount in Cyber Security Insurance Premiums

For many organisations, cybersecurity is one of the top 10 enterprise risks and is mitigated with cyber insurance. These premiums can run into millions of US dollars and can be reduced by implementing ISO/IEC 27001:2022 and certifying with an accredited certification body.

ISO Implementation: More Than a Checkbox

Achieving certification is only the beginning. The true strength of ISO 27001:2022 lies in its ongoing application (or should I say the continual improvement clause, 10.1?). Think of it like a gym membership: having the card proves your commitment, but you will not build resilience unless you use it consistently.

The ISMS must be monitored, reviewed, tested, and improved continuously. This is where the value compounds, helping your organisation evolve with emerging threats and shifting compliance landscapes. The standard does not guarantee prevention of a cyber-attack but certainly reduces the risk.

Lastly, information security is not IT's responsibility. It is everyone's responsibility.
