ISO/IEC 27001:2022 is the 2022 edition of the international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It provides a structured framework for managing information security risks for all types of organizations, including manufacturers operating regulated production and OT/IT environments.
The standard covers how an organization defines the scope of its ISMS, assesses information security risks, selects and applies controls, and monitors performance and improvement. It is technology neutral and can be applied to on-premises systems, cloud services, operational technology (OT), and integrated IT/OT architectures.
Key elements
The key elements of ISO/IEC 27001:2022 are commonly summarized as:
- ISMS requirements: Clauses that define management-system practices such as context, leadership, planning, support, operation, performance evaluation, and improvement.
- Annex A reference controls: A catalog of information security controls organized into themes such as organizational, people, physical, and technological controls. These are references for risk treatment, not a mandatory checklist.
- Risk-based approach: The requirement to identify information security risks, define risk criteria, choose risk treatments, and document the resulting control decisions in a Statement of Applicability (SoA).
- Continuous improvement: Expectations for monitoring, internal audits, management review, and corrective actions to keep the ISMS effective and up to date.
Use in industrial and regulated manufacturing environments
In manufacturing, ISO/IEC 27001:2022 is commonly used to structure information security around systems such as MES, ERP, historians, lab systems, and OT networks. Typical applications include:
- Defining how access to production and quality systems is governed and logged.
- Aligning network segregation, remote access, and patching practices for OT assets with formal risk assessments.
- Coordinating information security with quality management, document control, and audit readiness processes.
- Supporting supplier and customer expectations around information security governance, without implying any specific certification outcome.
Relation to other ISO/IEC 27000-series documents
ISO/IEC 27001:2022 sits within the broader ISO/IEC 27000 family of information security standards. For example:
- ISO/IEC 27002 provides guidance on implementing controls conceptually aligned with the Annex A controls of ISO/IEC 27001:2022.
- Other 27000-series documents address topics such as OT security, incident management, and sector-specific guidance.
Organizations often use 27001 as the management-system core and reference additional 27000-series standards for more detailed practices.
Common confusion
- Standard vs. certification: ISO/IEC 27001:2022 is a written standard. Certification is a separate process conducted by external bodies. The term “ISO 27001” is often used loosely to mean both, which can cause misunderstanding.
- “Four categories” of controls: Training materials sometimes group Annex A controls into a small number of categories for teaching purposes. ISO/IEC 27001:2022 itself defines its own control structure and naming; it does not formally define a “four category” model.
- 27001 vs. 27002: ISO/IEC 27001:2022 defines ISMS requirements and references control themes. ISO/IEC 27002 provides detailed implementation guidance for controls. They are related but not interchangeable.
Context of the 2022 edition
The 2022 edition updates and replaces earlier editions of ISO/IEC 27001. It aligns its Annex A controls with the revised ISO/IEC 27002 structure, streamlines and renames several controls, and reflects current practices in areas such as cloud services and modern networked environments. When organizations refer to “ISO 27001” in current projects or contracts, they often mean ISO/IEC 27001:2022 unless an earlier edition is explicitly specified.