ISO/IEC 27001:2022 Compliance Guide
The globally recognised standard for Information Security Management Systems. ISO 27001:2022 restructured Annex A into 93 controls across 4 themes. This guide covers every control, the management system clauses, the certification path, and how the standard aligns with Saudi enterprise requirements, NCA ECC, and SAMA CSF.
Organizational controls: policies, roles, supplier relationships, incident management, business continuity, legal and regulatory compliance, intellectual property, asset management, data classification, and threat intelligence.
People controls: screening, employment terms, disciplinary process, security awareness and training, confidentiality agreements, remote working, and information security event reporting.
Physical controls: physical security perimeters, entry controls, securing offices, physical threat monitoring, working in secure areas, clear desk and clear screen, equipment maintenance, disposal, utilities, cabling, and CCTV.
Technological controls: authentication, access rights, privileged access, cryptography, secure development life cycle, system configuration, monitoring, network filtering, web filtering, DLP, backup, logging, vulnerability management, and network segmentation.
What is ISO/IEC 27001:2022?
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS) published jointly by the International Organization for Standardization and the International Electrotechnical Commission. It defines the requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of an organization, and specifies requirements for the assessment and treatment of information security risks tailored to the organization's needs.
The 2022 revision replaced ISO 27001:2013. The core management system clauses (4–10) follow the harmonized structure (Annex SL / Annex L), while Annex A was substantially restructured from 114 controls in 14 domains to 93 controls in 4 themes: Organizational, People, Physical, and Technological. Eleven new controls were introduced, including threat intelligence, cloud security, data masking, web filtering, and data leakage prevention.
Certification is awarded by accredited third-party certification bodies (such as UKAS, DAkkS, or SAS-accredited auditors) following a two-stage audit process, and is valid for three years subject to annual surveillance audits. Saudi organizations increasingly pursue ISO 27001:2022 to satisfy enterprise client requirements, NCA ECC partial evidence expectations, and SAMA CSF alignment.
93 controls across 4 themes
Organizational controls
37 controls
- Information security policies and review
- Information security roles and responsibilities
- Segregation of duties
- Management responsibilities
- Contact with authorities and special interest groups
- Threat intelligence
- Information security in project management
- Inventory of information and other associated assets
- Acceptable use of information and associated assets
- Return of assets
- Classification of information
- Labelling of information
- Information transfer
- Access control policy
- Identity management
- Authentication information
- Access rights management
- Supplier relationships security
- Supplier service management
- Information security in ICT supply chain
- Cloud services — acquisition, use, management, exit
- Incident management planning and preparation
- Assessment and decision on information security events
- Response to information security incidents
- Learning from information security incidents
- Collection of evidence
- ICT readiness for business continuity
- Legal, statutory, regulatory and contractual requirements
- Intellectual property rights
- Protection of records
- Privacy and protection of PII
- Independent review of information security
- Compliance with policies, rules, and standards
- Documented operating procedures
People controls
8 controls
- Screening
- Terms and conditions of employment
- Information security awareness, education, and training
- Disciplinary process
- Responsibilities after termination or change of employment
- Confidentiality or non-disclosure agreements
- Remote working
- Information security event reporting
Physical controls
14 controls
- Physical security perimeters
- Physical entry
- Securing offices, rooms, and facilities
- Physical security monitoring
- Protecting against physical and environmental threats
- Working in secure areas
- Clear desk and clear screen
- Equipment siting and protection
- Security of assets off-premises
- Storage media
- Supporting utilities
- Cabling security
- Equipment maintenance
- Secure disposal or reuse of equipment
Technological controls
34 controls
- User endpoint devices
- Privileged access rights
- Information access restriction
- Access to source code
- Secure authentication
- Capacity management
- Protection against malware
- Management of technical vulnerabilities
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Information backup
- Redundancy of information processing facilities
- Logging
- Monitoring activities
- Clock synchronization
- Use of privileged utility programs
- Installation of software on operational systems
- Networks security
- Security of network services
- Segregation of networks
- Web filtering
- Use of cryptography
- Secure development life cycle
- Application security requirements
- Secure system architecture and engineering principles
- Secure coding
- Security testing in development and acceptance
- Outsourced development
- Separation of development, test, and production
- Change management
- Test information
- Protection of information systems during audit testing
Management system clauses 4–10
Beyond Annex A controls, ISO 27001 requires organizations to implement a management system across clauses 4–10, following the Plan-Do-Check-Act (PDCA) cycle. These clauses are not optional — conformance with all applicable requirements is mandatory for certification.
Clause 4: Context of the organization
Understand the organization, its context, interested parties, and define the ISMS scope.
Clause 5: Leadership
Top management commitment, information security policy, and assignment of roles and responsibilities.
Clause 6: Planning
Risk assessment, risk treatment, Statement of Applicability, and information security objectives.
Clause 7: Support
Resources, competence, awareness, communication, and documented information management.
Clause 8: Operation
Operational planning, risk assessment execution, and risk treatment implementation.
Clause 9: Performance evaluation
Monitoring, measurement, internal audit programme, and management review.
Clause 10: Improvement
Nonconformity and corrective action, and continual improvement of the ISMS.
ISO 27001 certification path
Stage 1: Documentation review
The certification body reviews the ISMS scope, Statement of Applicability, risk assessment, and key documented information. Gaps are identified before on-site assessment.
Stage 2: On-site controls assessment
Auditors assess whether the ISMS controls are implemented and operating effectively. Interviews, observations, and evidence sampling confirm conformance.
Certificate issued
Following successful Stage 2, the accredited certification body issues an ISO 27001:2022 certificate valid for 3 years, subject to satisfactory surveillance audits.
Annual surveillance audits
Annual audits verify the ISMS continues to conform and improve. A full recertification audit is conducted at the end of the 3-year cycle.
Certification bodies must be accredited by a member of the International Accreditation Forum (IAF), such as UKAS (UK), DAkkS (Germany), or SAS (Switzerland). Saudi organizations certified through internationally accredited bodies hold globally portable certification.
Who pursues ISO 27001 certification in Saudi Arabia
Saudi enterprises seeking global certification
Organizations pursuing international business or export contracts increasingly require ISO 27001 to satisfy partner and customer due diligence requirements.
Data centre operators
Colocation and managed hosting providers serving enterprise tenants widely require ISO 27001:2022 certification as a baseline.
Cloud and SaaS companies
Technology companies supplying cloud platforms or SaaS products to regulated sectors use ISO 27001 as the foundation for customer security assurance.
Financial services and SAMA-regulated entities
SAMA CSF aligns significantly with ISO 27001 Annex A. Many SAMA-regulated entities pursue ISO 27001 certification as complementary evidence.
Government contractors and CNI suppliers
NCA accepts ISO 27001 certification as partial evidence for NCA ECC compliance, benefiting government and critical infrastructure supply chain organizations.
Healthcare and critical sector operators
Healthcare providers, pharma, and utilities use ISO 27001 to demonstrate information security management to regulators and enterprise partners.
ISO 27001 vs NCA ECC
Many Saudi organizations must navigate both ISO 27001 and NCA ECC. Understanding the differences helps teams structure a single evidence programme that satisfies both.
| Topic | ISO/IEC 27001:2022 | NCA ECC 2:2024 |
|---|---|---|
| Full name | ISO/IEC 27001:2022 — Information Security Management Systems | NCA Essential Cybersecurity Controls (ECC – 2:2024) |
| Issuer | International Organization for Standardization (ISO) / IEC | National Cybersecurity Authority (NCA), Saudi Arabia |
| Nature | Voluntary international standard | Mandatory Saudi national framework |
| Controls | 93 Annex A controls across 4 themes | 108 controls across 4 domains, 92 sub-controls |
| Assessment type | Third-party certification audit by accredited certification body | Structured self-assessment submitted to NCA |
| Output | ISO 27001 Certificate (3-year with annual surveillance) | Compliance assessment report filed with NCA |
| Validity period | 3-year certification cycle, annual surveillance audits | Annual reassessment required |
| Saudi recognition | NCA accepts as partial evidence for NCA ECC; widely required by enterprise and export markets | Primary Saudi government cybersecurity obligation for in-scope entities |
How GRC Vantage accelerates ISO 27001 certification
GRC Vantage ships a pre-built ISO 27001:2022 programme — all 93 Annex A controls, ISMS clause workflows, risk register, and evidence collection — so your team reaches Stage 1 audit-ready faster without building from scratch.
Pre-mapped Annex A control library
All 93 ISO 27001:2022 Annex A controls are pre-loaded with descriptions, evidence templates, and ownership workflows. Your team starts implementation immediately without building the control library from scratch.
ISMS clause management (4–10)
Structured workflows for each management system clause — scope definition, Statement of Applicability, risk register, internal audit programme, and management review records — all linked to Annex A controls.
Risk register and treatment plans
ISO 27001-aligned risk assessment methodology with asset-threat-vulnerability modelling, inherent and residual risk scoring, treatment plan tracking, and risk acceptance workflows.
Internal audit management
Plan, execute, and record internal ISMS audits with finding management, corrective action tracking, and audit programme scheduling to maintain certification readiness year-round.
Evidence collection workflows
Scheduled evidence requests, automated document collection, version control, and certification-body-ready evidence packages reduce the overhead of Stage 1 and Stage 2 audit preparation.
Multi-framework mapping (ISO ↔ NCA ECC ↔ SAMA CSF)
GRC Vantage cross-maps ISO 27001 Annex A controls to NCA ECC and SAMA CSF so a single control or evidence item satisfies multiple frameworks simultaneously — eliminating duplicated effort.
Frequently asked questions
What is ISO/IEC 27001:2022?
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS) published by ISO and IEC. It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS and provides a framework for protecting information assets through risk-based controls. The 2022 revision replaced ISO 27001:2013 with a restructured 93-control Annex A organized into 4 themes.
How many controls are in ISO 27001:2022?
ISO 27001:2022 contains 93 Annex A controls organized across 4 themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). This is a reduction from 114 controls in 14 domains in ISO 27001:2013, though 11 new controls were introduced in 2022.
What changed between ISO 27001:2013 and ISO 27001:2022?
ISO 27001:2022 restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes. Eleven new controls were added, including threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, web filtering, secure coding, and data leakage prevention. Many existing controls were merged or renamed.
Is ISO 27001 mandatory in Saudi Arabia?
ISO 27001 is not mandated by Saudi law, but it is widely required in practice. NCA accepts ISO 27001 certification as partial evidence for NCA ECC compliance. SAMA CSF aligns significantly with ISO 27001 Annex A. Enterprise clients and data centre operators increasingly require ISO 27001:2022 as a condition of doing business.
How long does ISO 27001 certification take?
Achieving ISO 27001 certification typically takes 3–12 months depending on organization size, complexity, and baseline maturity. Small organizations with a focused scope can complete Stage 1 and Stage 2 audits in 3–6 months. Larger enterprises with complex environments typically require 9–12 months. After initial certification, a 3-year certification cycle applies with annual surveillance audits.
How does ISO 27001 map to NCA ECC and SAMA CSF?
ISO 27001 Annex A controls map strongly to both NCA ECC and SAMA CSF. NCA ECC domain 2 (Cybersecurity Defence) aligns closely with ISO 27001 Technological and Organizational controls. SAMA CSF domains on cybersecurity operations, risk management, and third-party security overlap significantly with ISO 27001 Annex A. GRC Vantage maintains a cross-mapping so a single control or evidence item can satisfy requirements across all three frameworks simultaneously.
Build your ISO 27001:2022 programme with GRC Vantage
The complete ISO 27001:2022 control library, ISMS clause workflows, risk register, internal audit management, and multi-framework mapping to NCA ECC and SAMA CSF are pre-loaded in GRC Vantage. Book a demo to see how Saudi organizations achieve certification faster.