ISO/IEC 27001:2022 Control Domains Explained

ISO/IEC 27001:2022 introduced a simplified structure for Annex A by grouping its controls into four control domains, which makes the controls easier to understand, manage, and audit. Organizational controls cover governance and management processes such as policies, risk management, supplier security, and incident handling. People controls address human-related risk through awareness, roles and responsibilities, and screening. Physical controls protect facilities and equipment from unauthorized access and environmental threats. Technological controls cover technical safeguards such as access control, encryption, network security, logging, and secure development. Together, these four domains (Organizational, People, Physical, and Technological) contain 93 controls and form the foundation of the ISO/IEC 27001:2022 information security management system.

Jignesh Gosai

2/8/2026
1 min read
