The purpose of ISO/IEC 27001:2022 is to help organisations establish and maintain an Information Security, Cybersecurity and Privacy Protection Management System: a set of interrelated elements that organisations use to manage and control Information Security, Cybersecurity and Privacy Protection risks. These elements include all of the policies, procedures, processes, plans, practices, roles, responsibilities, resources and structures that are used to manage security risks and to protect information.
The adoption of an Information Security, Cybersecurity and Privacy Protection Management System is a strategic decision for an organisation. The system is shaped by the organisation's needs and objectives, its security requirements, the organisational processes it uses, and its size and structure. All of these influencing factors are expected to change over time.
The Information Security, Cybersecurity and Privacy Protection Management System focuses on preserving the confidentiality, integrity and availability of information by applying a risk management process, and it gives interested parties confidence that risks are adequately managed. This supports the organisation's strategic direction and performance.