ISO/IEC 27001:2022

ISO/IEC 27001:2022 overview

The ISO/IEC 27000 family of standards provides a framework of policies and procedures covering the legal, physical, and technical controls involved in an organization’s information risk management processes. ISO/IEC 27001:2022 is the certifiable standard in that family: it formally specifies an Information Security Management System (ISMS) intended to bring information security under explicit management control. Its normative clauses state the requirements for establishing, implementing, monitoring, maintaining, and continually improving the ISMS, and its Annex A lists the reference controls (covering areas such as documentation, division of responsibilities, availability, access control, auditing, and corrective and preventive action) that an organization selects from, and justifies the selection of, in its Statement of Applicability. Certification to ISO/IEC 27001:2022 helps organizations demonstrate compliance with numerous regulatory and legal requirements that relate to information security.

In Azure:

Why is ISO/IEC 27001 certification important? Compliance with ISO/IEC 27001, certified by an accredited auditor, demonstrates that Azure uses internationally recognized processes and best practices to manage the infrastructure and organization that support and deliver its services. The certificate validates that Microsoft has implemented the guidelines and general principles for initiating, implementing, maintaining, and improving the management of information security.

How can I get the Azure ISO/IEC 27001 audit documentation? For links to audit documentation, see Audit reports and certificates.

Can I use the Azure ISO/IEC 27001 compliance assurances in my organization’s certification process? Yes. If your business is seeking certification for an implementation deployed using in-scope services, you can use the relevant Azure certifications in your compliance assessment. However, you're responsible for engaging an assessor to evaluate your implementation for compliance and for the controls and processes within your own organization. Before relying on the certificate, check that its scope statement and the accompanying Statement of Applicability cover the specific services and regions you use: the certificate attests to Microsoft's ISMS and the in-scope services, not to how your organization configures or operates them.

In AWS:

ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. (The AWS description here refers to the 2013 edition of the standard, which the 2022 edition supersedes; confirm the edition and the scope on the current AWS certificate.) The basis of this certification is the development and implementation of a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS) that defines how AWS perpetually manages security in a holistic, comprehensive manner. This widely recognized international security standard requires that AWS do the following:

  • We systematically evaluate our information security risks, taking into account the impact of threats and vulnerabilities.

  • We design and implement a comprehensive suite of information security controls and other forms of risk management to address customer and architecture security risks.

  • We have an overarching management process to ensure that the information security controls meet our needs on an ongoing basis.

AWS has certification for compliance with ISO/IEC 27001:2013, 27017:2015, and 27018:2019. The certification audits are performed by independent third-party auditors. Our compliance with these internationally recognized standards and codes of practice is evidence of our commitment to information security at every level of our organization, and that the AWS security program is in accordance with industry-leading best practices.
