Annex A of ISO 27001:2022 contains 93 controls grouped into four categories. The Organizational Controls under A.5 have 37 sub-controls, the People Controls under A.6 have 8 sub-controls, the Physical Controls under A.7 have 14 sub-controls and the Technological Controls under A.8 have 34 sub-controls.
The earlier version, ISO 27001:2013, was unwieldy with 114 controls spread across 14 different control domains (A.5 to A.18).
When we look at the categorization adopted by PDPSI, there are 5 categories, based on "Responsibility Centers". The five responsibility centers used in PDPSI are Management (15 Model Implementation Specifications, or MIS), DPO (9 MIS), Legal (2 MIS), HR (4 MIS) and IT (20 MIS), making 50 MIS in all.
The 8 People Controls under ISO 27001:2022 can be compared directly with the 4 HR controls under PDPSI (MIS 27-30). The 34 Technological Controls and 14 Physical Controls under ISO 27001:2022 can be mapped to the 20 IT-level MIS of PDPSI (MIS 31-50). The 37 Organizational Controls under ISO 27001:2022 can be compared and mapped with the 15 Management-level MIS (MIS 1-15), the 9 DPO-level MIS (MIS 16-24) and the 2 Legal-level MIS (MIS 25-26).
ISO 27701 provides a mapping of the guidelines with GDPR. However, PDPSI can be mapped with GDPR as well as DPDPB 2022.
It would be interesting to compare the individual controls under ISO 27001:2022 with the corresponding MIS under PDPSI. In such a comparison we may find that PDPSI not only covers the whole of ISO 27001:2022 and ISO 27701:2019 but also adds a few further implementation specifications, making it the more comprehensive framework.
We shall discuss these in the next few articles.
Naavi