Why It Matters
ISO 27001 is the gold standard for information security management systems (ISMS). Certification demonstrates to customers, regulators, and partners that your organization takes security seriously. It is increasingly required in procurement processes, regulatory frameworks (NIS2 references it), and contractual obligations. Advisera reports that over 70,000 organizations worldwide are certified.
How It Works
ISO 27001 follows a Plan-Do-Check-Act (PDCA) cycle:
- Plan — establish the ISMS, assess risks, define controls
- Do — implement the controls and processes
- Check — monitor, measure, and audit performance
- Act — improve based on findings, correct non-conformities
Key Requirements (Clauses 4–10)
- Context of the organization — understand internal/external issues and interested parties
- Leadership — top management commitment, information security policy
- Planning — risk assessment and risk treatment methodology
- Support — resources, competence, awareness, documentation
- Operation — implement risk treatment plan and security controls
- Performance evaluation — monitoring, internal audit, management review
- Improvement — non-conformity management, continual improvement
Annex A Controls
ISO 27001:2022 includes 93 controls organized into four themes:
| Theme | Controls | Examples |
|---|---|---|
| Organizational | 37 | Policies, roles, asset management, supplier security |
| People | 8 | Screening, training, disciplinary process, remote work |
| Physical | 14 | Perimeters, entry controls, equipment security, clean desk |
| Technological | 34 | Access rights, encryption, logging, malware protection, backups |
Organizations select applicable controls based on their risk assessment — not all 93 are mandatory, but exclusions must be justified.
Certification Process
- Gap analysis — assess current state against ISO 27001 requirements
- Implementation — build the ISMS, implement controls, train staff
- Internal audit — verify the system works before certification
- Stage 1 audit — certification body reviews documentation
- Stage 2 audit — on-site assessment of implementation effectiveness
- Certification — 3-year certificate with annual surveillance audits
- Recertification — full audit every 3 years
ISO 27001 and Other Frameworks
- NIS2 — references ISO 27001 as a way to demonstrate compliance with security requirements
- GDPR Article 32 — ISO 27001 helps demonstrate "appropriate technical and organizational measures"
- SOC 2 — significant overlap; many organizations pursue both
- NIST CSF — complementary; NIST CSF for strategy, ISO 27001 for a certifiable management system
Key Standards
- ISO/IEC 27001:2022 — current version (replaced 2013 edition)
- ISO/IEC 27002:2022 — detailed guidance on implementing Annex A controls
- ISO/IEC 27005 — information security risk management