ISO 27022 is a technical specification that provides guidance on information security management system processes. It defines a process reference model (PRM) for the domain of information security management, built on the management clauses of ISO 27001, which meets the criteria defined in ISO/IEC 33004 for process reference models.
ISO 27022 is designed to assist with the incorporation of the process approach into an information security management system (ISMS).
This document is intended to guide users of ISO 27001 to incorporate the process approach as described by ISO 27000:2018, 4.3, within the ISMS.
It is also aligned with the work done in ISO 27001 and ISO 27003 from the perspective of operating ISMS processes.
By presenting an ISMS process reference model (PRM), this technical specification complements the requirements-oriented perspective of ISO 27003 and the other existing ISO 27000 series standards with an operational, process-oriented point of view.
ISO 27022 defines three types of processes: management, core and support.
📌 Clause 6 concentrates on management processes. These are processes “that define the objectives of the management system” and include IS governance and management interface processes.
📌 Clause 7 focuses on core processes. These represent the major elements of the ISMS. ISMS core processes include (but are not limited to) security policy management processes, information security (IS) risk assessment processes, IS risk treatment processes, processes to control outsourced services and IS improvement processes. The Clause 7 processes are aligned to the clauses of ISO 27001/ISO 27002.
📌 Clause 8 deals with support processes, which “support core processes by providing and managing necessary resources without delivering direct customer value”. Examples include record control processes, resource management processes, communication processes and IS customer relation processes. The Clause 8 processes are not aligned to the clauses of ISO 27001.
Each ISMS process is then described in terms of:
🔸 process category
🔸 a brief description
🔸 objectives/purposes
🔸 its inputs
🔸 its results
🔸 activities/functions
🔸 references (to other ISMS standards/clauses).
The PRM in ISO 27022 is applicable to all organisations operating an ISO 27001 ISMS.