Standard

ISO 27001

International standard specifying the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). The current revision is ISO/IEC 27001:2022; its Annex A lists 93 reference controls in four themes: organizational (37), people (8), physical (14) and technological (34).

ISO/IEC 27001 is the international standard against which an Information Security Management System (ISMS) can be certified; its companion ISO/IEC 27002 provides implementation guidance for the controls but is not itself certifiable. The main body of the standard (clauses 4 to 10) defines how an organization establishes, operates, monitors, and continually improves the ISMS; Annex A lists the reference controls from which the organization selects during risk treatment.

The 2022 revision consolidated the 114 controls in 14 domains of the 2013 edition into 93 controls across four themes (11 controls are new, the rest were merged or renamed):

  • Organizational (A.5, 37 controls) — policies, roles, supplier relationships, incident management, threat intelligence.
  • People (A.6, 8 controls) — screening, awareness training, disciplinary processes.
  • Physical (A.7, 14 controls) — secure areas, equipment, clear desk policy.
  • Technological (A.8, 34 controls) — access control, cryptography, secure development, logging and monitoring.

Certification is issued by an accredited certification body after an external audit and is valid for three years, with annual surveillance audits; a recertification audit is required before the certificate expires.

For most Thai organizations the typical path is: scope definition (clause 4.3) → risk assessment and risk treatment plan (clauses 6.1.2 and 6.1.3) → Statement of Applicability → policy authoring and control implementation → internal audit and management review (clauses 9.2 and 9.3; tooling may assist the audit, but the auditors themselves must be objective and impartial) → external Stage 1 audit (documentation review) → external Stage 2 audit (implementation and effectiveness of the controls).

Sources

  1. International Organization for Standardization. ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems. ISO, 2022. https://www.iso.org/standard/27001

Related terms