Uploaded by doamaral.anarosa
ISO 27001:2022 Controls Made Easy - Part 2

Each control below is listed by control number and name, followed by a real life example, its information security connection, and implementation guidance.
6.1 Screening

Real Life Example: Schools conduct background checks before hiring teachers, administrative staff, or support staff. Just like how they verify teaching credentials, past employment, and criminal records to ensure student safety, they also check references to confirm the person's reliability and trustworthiness.

Information Security Connection: Organizations must verify potential employees' backgrounds before giving them access to sensitive information. Like schools protecting students through staff screening, companies need thorough verification processes to prevent security risks from inappropriate hires.

Implementation Guidance:
• Create screening policy and procedures
• Define verification requirements by role
• Conduct background checks
• Verify professional qualifications
• Check employment history
• Document screening results
• Handle screening failures
• Regular screening reviews

6.2 Terms and conditions of employment

Real Life Example: Schools include clear security responsibilities in teacher contracts - maintaining student confidentiality, protecting exam materials, proper handling of student records. These terms are explained and agreed upon before starting employment.

Information Security Connection: Organizations must clearly define security responsibilities in employment terms. Like schools making teachers understand their obligations to protect student information, companies need clear security expectations in employment agreements.

Implementation Guidance:
• Define security responsibilities
• Include in employment contracts
• Explain security obligations
• Get signed acknowledgment
• Maintain documentation
• Update terms when needed
• Review compliance regularly
• Handle violations appropriately
6.3 Information security awareness, education and training

Real Life Example: Schools regularly train teachers and staff on various aspects - from new teaching methods to emergency procedures, child psychology to first aid. New teachers undergo orientation programs, while existing staff attend regular workshops to stay updated. When new smart boards are installed, teachers receive training on their proper use and maintenance.

Information Security Connection: Similarly, organizations must provide regular security awareness and training to employees. Like schools ensuring teachers are competent through ongoing training, companies need comprehensive security training programs to keep staff updated on security threats, proper information handling, and security procedures.

Implementation Guidance:
• Create security awareness program
• Develop training materials
• Conduct regular sessions
• Track participation
• Test understanding
• Update training content
• Measure effectiveness
• Document completion
6.4 Disciplinary process

Real Life Example: Schools maintain clear disciplinary procedures for all staff - from being late to classes, improper behavior, or not following school policies. Each violation has defined consequences and fair hearing processes, ensuring consistent handling of all cases, just like how student disciplinary issues are handled systematically.

Information Security Connection: Organizations need similar formal processes for handling security violations. Like schools managing policy breaches fairly and consistently, companies must have clear procedures for addressing security violations, ensuring fair treatment while maintaining accountability.

Implementation Guidance:
• Establish disciplinary procedures
• Define violation categories
• Document consequences
• Ensure fair process
• Maintain violation records
• Communicate procedures
• Train managers
• Review effectiveness
6.5 Responsibilities after termination or change of employment

Real Life Example: When teachers leave or change roles within school - like moving from class teacher to department head - schools ensure proper handover. Departing teachers return all materials, hand over student records, provide status of ongoing projects, and transfer responsibilities. Their access to school resources is adjusted or removed based on their new situation.

Information Security Connection: Organizations must manage security responsibilities during role changes or exits. Like schools ensuring proper handover of teaching materials, companies need procedures to handle access rights, return of assets, and transfer of responsibilities when employees change roles or leave.

Implementation Guidance:
• Create termination/change checklist
• Document handover requirements
• Manage access right changes
• Collect organization assets
• Update security records
• Brief on ongoing obligations
• Verify completion of process
• Archive relevant documentation
6.6 Confidentiality or non-disclosure agreements

Real Life Example: Schools have staff sign agreements about maintaining confidentiality - protecting student personal information, internal school matters, or sensitive situations like student counselling cases. Even temporary staff and volunteers sign these agreements before working with students.

Information Security Connection: Organizations need binding agreements to protect sensitive information. Like schools ensuring staff maintain student confidentiality, companies must have formal agreements preventing unauthorized disclosure of business information by employees and contractors.

Implementation Guidance:
• Develop standard NDAs
• Define signing requirements
• Maintain signed agreements
• Review agreements periodically
• Train on confidentiality obligations
• Track agreement expiry
• Update when requirements change
• Monitor compliance
6.7 Remote working

Real Life Example: During situations like snow days or teacher conferences, schools manage remote teaching. Teachers follow guidelines for conducting online classes, accessing school systems from home, and protecting student information while working remotely. Like having rules for field trips, remote work has specific safety protocols.

Information Security Connection: Organizations must secure remote work environments. Like schools managing remote teaching safely, companies need policies and controls to protect information when employees work outside office premises.

Implementation Guidance:
• Create remote working policy
• Define security requirements
• Implement remote access controls
• Provide secure equipment
• Train on remote security
• Monitor remote access
• Review security measures
• Document approved arrangements
6.8 Information security event reporting

Real Life Example: Schools have clear reporting procedures for various incidents - from missing attendance registers to unauthorized visitors on campus. Staff know exactly whom to inform, like reporting to the nurse for health issues or to the principal for serious disciplinary cases.

Information Security Connection: Organizations need clear security incident reporting procedures. Like schools having defined reporting channels for different situations, companies must establish how employees report security concerns or incidents.

Implementation Guidance:
• Establish reporting procedures
• Create reporting channels
• Define incident categories
• Train staff on reporting
• Track reported events
• Provide feedback mechanisms
• Review reporting effectiveness
• Document all reports
7.1 Physical security perimeters

Real Life Example: Schools have multiple security layers - boundary walls, security gates, locked building entrances, and restricted areas like staff rooms and labs. Each layer adds protection, just like an onion's layers, ensuring students and assets remain safe from unauthorized access.

Information Security Connection: Organizations must establish clear physical security boundaries. Like schools protecting their premises through multiple barriers, companies need defined security perimeters to protect their information assets and systems.

Implementation Guidance:
• Define security perimeters clearly
• Implement physical barriers
• Install appropriate entry controls
• Secure all access points
• Monitor perimeter breaches
• Regular perimeter inspections
• Document security measures
• Review effectiveness regularly
7.2 Physical entry

Real Life Example: Schools control who enters their premises - visitors sign in at reception, wear badges, parents need appointments, and delivery personnel have designated areas. Different areas have different access levels, like how science labs are only accessible during class hours with teacher supervision.

Information Security Connection: Organizations must control physical access to facilities. Like schools managing visitors and access to different areas, companies need proper entry controls to protect areas containing sensitive information and systems.

Implementation Guidance:
• Establish entry control procedures
• Implement visitor management
• Create access authorization process
• Maintain access logs
• Monitor entry points
• Regular access reviews
• Train security personnel
• Document unauthorized attempts
7.3 Securing offices, rooms and facilities

Real Life Example: Schools secure different areas based on their purpose - principal's office for confidential meetings, examination room for storing question papers, server room for IT equipment. Each room has specific security needs, like keeping the chemistry lab locked when not in use for safety.

Information Security Connection: Organizations must implement appropriate physical security for different areas. Like schools having extra locks for the exam room, companies must apply stronger security for server rooms, R&D labs, and areas containing sensitive documents. This includes special locks, restricted access lists, and proper monitoring of these secure spaces.

Implementation Guidance:
• Identify sensitive areas
• Implement appropriate security
• Control access permissions
• Monitor secured areas
• Maintain security records
• Regular security checks
• Document security measures
• Review protection levels
7.4 Physical security monitoring

Real Life Example: Schools monitor their premises through various methods - security guards patrolling, CCTV cameras covering key areas, motion sensors after hours. Like a watchful eye, these systems help detect and respond to unauthorized activities, just as teachers monitor hallways during breaks.

Information Security Connection: Organizations must implement continuous monitoring of secure areas. Like schools using CCTV for campus security, companies need surveillance systems, security patrols, and alarm systems to protect data centres, document storage rooms, and other sensitive areas from unauthorized access.

Implementation Guidance:
• Install appropriate monitoring systems
• Define monitoring schedules and procedures
• Train security personnel on monitoring
• Maintain monitoring logs and reports
• Regular system maintenance
• Document and investigate alerts
• Review monitoring effectiveness
• Update systems as needed
7.5 Protecting against physical and environmental threats

Real Life Example: Schools protect against various threats - fire alarms and extinguishers for fire safety, lightning rods for storms, proper drainage for floods, and earthquake protocols. Like having a school nurse for health emergencies, they prepare for different physical threats.

Information Security Connection: Organizations must protect information assets from environmental threats. Like schools safeguarding against natural disasters, companies need protection against fire, flood, power issues, and other physical threats that could damage IT equipment or sensitive information.

Implementation Guidance:
• Identify potential threats
• Install protective measures
• Create emergency procedures
• Regular equipment maintenance
• Test protection systems
• Train staff on procedures
• Document incidents and responses
• Review protection effectiveness
7.6 Working in secure areas

Real Life Example: Schools have specific procedures for managing work in sensitive areas - maintenance staff supervised in server rooms, cleaners given specific times for exam storage areas, contractors escorted in administrative offices. Like having teachers present during lab sessions, work in secure areas needs supervision.

Information Security Connection: Organizations must control activities in secure areas. Like schools supervising maintenance work in sensitive areas, companies need procedures for supervising contractors, cleaning staff, and visitors in areas containing sensitive information or critical systems.

Implementation Guidance:
• Define secure work procedures
• Establish supervision requirements
• Control contractor access
• Document all work activities
• Monitor secure area activities
• Train supervisory staff
• Regular procedure reviews
• Maintain work records
7.7 Clear desk and clear screen

Real Life Example: Schools practice tidiness - teachers secure student records after use, clear their desks before leaving, lock computer screens when stepping away. Like keeping exam papers secure when not in use, sensitive materials are never left unattended.

Information Security Connection: Organizations need clear desk and screen policies. Like schools securing student information, companies must ensure sensitive documents aren't left on desks and computer screens are locked when unattended to prevent unauthorized viewing.

Implementation Guidance:
• Create clear desk policy
• Set screen locking requirements
• Provide secure storage options
• Regular compliance checks
• Train staff on procedures
• Monitor policy adherence
• Document violations
• Review effectiveness
7.8 Equipment siting and protection

Real Life Example: Schools carefully place their equipment - computers away from windows to prevent rain damage, servers in temperature-controlled rooms, projectors securely mounted. Like placing science equipment in proper storage cabinets, each device needs appropriate placement and protection.

Information Security Connection: Organizations must carefully position and protect equipment. Like schools protecting their educational equipment, companies need to properly locate servers, workstations, and network equipment to protect from environmental threats, unauthorized access, and accidental damage.

Implementation Guidance:
• Assess equipment placement needs
• Implement protection measures
• Control environmental conditions
• Regular equipment checks
• Document protection measures
• Monitor equipment status
• Update protection as needed
• Maintain protection records
7.9 Security of assets off-premises

Real Life Example: Schools protect assets taken outside - laptops for field trips, sports equipment for tournaments, student records for external exams. Like tracking library books borrowed by students, all assets leaving school premises are monitored.

Information Security Connection: Organizations must secure assets used outside office premises. Like schools tracking equipment on field trips, companies need procedures for protecting laptops, mobile devices, and documents when used off-site.

Implementation Guidance:
• Create off-site asset policy
• Track asset movement
• Define protection requirements
• Train users on security
• Regular asset checks
• Document asset location
• Monitor asset usage
• Review security measures
7.10 Storage media

Real Life Example: Schools manage various storage devices - USB drives with teaching materials, CDs with student performances, external hard drives with school records. Like organizing the school library books, each storage medium is labelled, tracked, and stored properly.

Information Security Connection: Organizations must protect all storage media. Like schools managing educational material storage, companies need procedures for handling USB drives, hard disks, and other media containing sensitive information, including proper labelling, secure storage, and safe disposal.

Implementation Guidance:
• Create media handling procedures
• Implement secure storage
• Track media movement
• Label media appropriately
• Control media access
• Secure media disposal
• Document media inventory
• Regular storage audits
7.11 Supporting utilities

Real Life Example: Schools maintain essential utilities - backup generators for power cuts, water tanks for supply issues, multiple internet connections. Like having backup bells for power failures, schools ensure critical services continue working.

Information Security Connection: Organizations must ensure supporting utilities are reliable. Like schools maintaining backup power, companies need redundant utilities to protect information processing facilities from failures in power, cooling, or network connectivity.

Implementation Guidance:
• Identify critical utilities
• Install backup systems
• Regular maintenance checks
• Test backup systems
• Monitor utility performance
• Document failures
• Update support systems
• Review effectiveness
7.12 Cabling security

Real Life Example: Schools protect their cables and wiring - computer lab cables properly organized, PA system wiring secured, science lab connections safely installed. Like having properly labelled electrical connections in labs, all cables are protected and identifiable.

Information Security Connection: Organizations must secure network and power cabling. Like schools protecting lab equipment connections, companies need to protect data and power cables from damage, interference, or interception through proper installation and physical protection.

Implementation Guidance:
• Plan cable installations
• Protect cable routes
• Label cables clearly
• Separate power and data cables
• Regular cable inspection
• Document cable layouts
• Control access to cable areas
• Maintain cable records
7.13 Equipment maintenance

Real Life Example: Schools regularly maintain their equipment - servicing laboratory instruments, maintaining computers, checking projectors. Like scheduled maintenance of school buses, all equipment follows service schedules to keep working properly.

Information Security Connection: Organizations must maintain information processing equipment. Like schools maintaining educational equipment, companies need regular maintenance of servers, computers, and network devices to ensure availability and integrity of information systems.

Implementation Guidance:
• Create maintenance schedules
• Authorize maintenance personnel
• Document all maintenance
• Check equipment after service
• Keep maintenance logs
• Monitor equipment performance
• Update maintenance plans
• Review service effectiveness
7.14 Secure disposal or re-use of equipment

Real Life Example: Schools handle old equipment carefully - wiping computers before disposal, shredding old record books, proper disposal of storage devices. Like cleaning student lockers at year-end, all equipment is cleared before disposal or reuse.

Information Security Connection: Organizations must securely dispose of or repurpose equipment. Like schools clearing old computers, companies need procedures to ensure no sensitive information remains on equipment before disposal, sale, or reuse.

Implementation Guidance:
• Define disposal procedures
• Verify data removal
• Document disposal actions
• Control disposal process
• Train disposal staff
• Check cleared equipment
• Maintain disposal records
• Review disposal methods