ISO 27001 Implementation Guide

Section 8

Reference Annexes

Standards, bodies and resources relevant to certification. Always obtain the standards themselves from official sources (ISO or a national standards body); copies circulating elsewhere may be superseded editions or altered.

  • ISO/IEC 27001:2022 — Information security management systems — Requirements

    ISO; IPQ (Instituto Português da Qualidade)

    The certifiable standard itself. Available for purchase from ISO and national standards bodies (in Portugal, IPQ).

  • ISO/IEC 27002:2022 — Information security controls

    ISO; IPQ

    Guidance for selecting, implementing and managing the controls listed in Annex A of ISO/IEC 27001:2022, including attributes and purpose statements.

  • ISO/IEC 27005:2022 — Guidance on managing information security risks

    ISO; IPQ

    Provides guidelines for information security risk management, aligned with the risk-based approach required by ISO/IEC 27001 (clauses 6.1 and 8.2). Not certifiable on its own; it supports the risk assessment and treatment process that auditors examine.

  • ENISA — European Union Agency for Cybersecurity

    enisa.europa.eu

    Publishes guidance on risk management, supply chain security, incident reporting and sector-specific cybersecurity, useful as supporting material for an ISMS.

  • BSI — British Standards Institution

    bsigroup.com

    Original publisher of the BS 7799 series, from which ISO/IEC 27001 and ISO/IEC 27002 derive. Publishes implementation guides and operates as a certification body. Not to be confused with the German federal office BSI (Bundesamt für Sicherheit in der Informationstechnik), which uses the same acronym.

  • IPAC — Instituto Português de Acreditação

    ipac.pt

    Portuguese national accreditation body. Maintains the list of certification bodies accredited to issue ISO/IEC 27001 certificates in Portugal, an essential reference for organisations pursuing accredited certification locally. Before engaging a certification body, confirm on ipac.pt that its accreditation scope actually covers ISMS certification (ISO/IEC 17021-1 together with ISO/IEC 27006); a certificate issued outside an accredited scope carries little weight with customers and regulators.

  • IPQ — Instituto Português da Qualidade

    ipq.pt

    Portuguese national standards body. Distributes ISO/IEC standards in Portugal, including the official Portuguese-language adoptions where available (NP ISO/IEC).