You’ve recently joined an international software firm as part of the cybersecurity governance team.

ISO/IEC 27001:2022 is the correct choice because it is the core standard that defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). In CEH-aligned governance and security management concepts, an ISMS is the overarching management framework that ensures information security is handled systematically through policy, defined roles, risk-driven planning, implementation of controls, monitoring, internal audits, and continual improvement. ISO/IEC 27001 is the “structure” standard—meaning it specifies what an organization must do to run an information security program end-to-end and is the primary standard against which organizations can be formally certified.

The other standards are supporting standards rather than the overarching framework. ISO/IEC 27002:2022 provides guidance and best practices for information security controls (the “control catalog” and implementation guidance), but it does not define ISMS requirements. ISO/IEC 27005:2022 focuses on information security risk management—how to identify, analyze, evaluate, and treat risks—supporting the risk-based approach used by an ISMS, but it is not the ISMS framework itself. ISO/IEC 27701:2019 extends ISO/IEC 27001 and 27002 for privacy information management (PIMS), helping organizations manage personally identifiable information, but it is an extension, not the foundational ISMS standard.

Therefore, when asked for the standard that defines the overarching structure for managing information security across the organization, CEH governance principles align with selecting ISO/IEC 27001:2022.