RiskWatch
Framework guide · ~11 min read · Updated June 2026

What is ISO 27001?

ISO/IEC 27001 is the leading international standard for information security management. It defines the requirements for an information security management system (ISMS): a risk-based, documented framework for protecting information. It is certifiable, so an accredited body can audit you and issue a globally recognised certificate. The current version is ISO 27001:2022.

Body: ISO / IEC
Latest edition: 2022
Controls: 93 (Annex A)
Certifiable: Yes
01 · Definition

What is ISO 27001?

ISO/IEC 27001 is the international standard for information security management systems, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It sets out what an organisation must do to manage information security in a systematic, risk-based way.

What makes ISO 27001 distinctive is that it is certifiable. An accredited certification body can audit your information security management system and, if it conforms, issue a certificate that is recognised around the world. That makes it a powerful way to prove security to customers, partners, and regulators. The current version is the 2022 edition, which replaced the 2013 edition.

"ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology."
(Source: ISO)
02 · The core idea

The ISMS at the core

At the heart of ISO 27001 is the information security management system (ISMS): the framework of policies, processes, people, and controls that an organisation uses to manage information security risk. The standard does not hand you a fixed checklist of technology; it requires you to build and run a system that fits your risks.

That distinction matters. ISO 27001 is risk-based and built around continual improvement, so it expects you to assess your risks, select and justify controls, monitor how well they work, and improve over time. Security becomes an ongoing management system, not a one-off project that finishes when the audit ends.

03 · The requirements

The requirements: clauses 4 to 10

The mandatory requirements of ISO 27001 live in clauses 4 through 10. These are what an auditor certifies against; Annex A controls support them.

4 · Context

Understand the organisation, interested parties, and the scope of the ISMS.

5 · Leadership

Top-management commitment, the information security policy, and roles and responsibilities.

6 · Planning

Risk assessment and risk treatment, the Statement of Applicability, and security objectives.

7 · Support

Resources, competence, awareness, communication, and documented information.

8 · Operation

Run the processes, perform the risk assessment and treatment in practice.

9 · Performance evaluation

Monitoring, measurement, internal audit, and management review.

10 · Improvement

Nonconformity, corrective action, and continual improvement of the ISMS.

04 · The controls

The 93 Annex A controls

ISO 27001:2022 lists 93 controls in Annex A, grouped into four themes. You select the controls relevant to your risks and record the decisions in your Statement of Applicability.

Organizational

37 controls

Policies, roles, supplier relationships, information security in projects, incident management, and more.

People

8 controls

Screening, terms of employment, awareness and training, and disciplinary processes.

Physical

14 controls

Secure areas, equipment protection, clear desk and screen, and secure disposal.

Technological

34 controls

Access control, cryptography, secure development, logging, and network security.

The 2022 edition reorganised the previous 114 controls and 14 domains into these 93 controls and four themes, and added new controls for areas such as threat intelligence, information security for cloud services, and secure coding.

05 · Certification

How ISO 27001 certification works

Certification is carried out by an accredited certification body, an independent third party, in two stages. Stage 1 is a review of your ISMS documentation and readiness. Stage 2 is a deeper audit of whether the system is actually implemented and effective. Clear any nonconformities and the body issues your certificate.

The certificate then runs on a three-year cycle: surveillance audits in years one and two confirm the ISMS is still operating, and a full recertification audit takes place in year three. The takeaway is that ISO 27001 is a living commitment: the ISMS has to keep running and improving, not just pass once.

A certificate, not a report

Unlike SOC 2, which produces a detailed report, ISO 27001 produces an internationally recognised certificate from an accredited body.

06 · Comparison

ISO 27001 vs SOC 2

The two most common security assurances are often weighed against each other. ISO 27001 is a certifiable, internationally recognised management-system standard. SOC 2 is an AICPA attestation report from a CPA firm, popular with North American and SaaS buyers.

ISO 27001 gives customers a globally recognised certificate; SOC 2 gives them a detailed report to review. Their controls overlap heavily, so many organisations pursue both and reuse most of the same evidence. For the full breakdown see ISO 27001 vs SOC 2 and our guide to what SOC 2 is.

07 · Implementation

How to get ISO 27001 certified

Six steps from scope to certificate. The risk assessment and the Statement of Applicability (step 2) are the spine of the whole project.

1. Define scope and context

   Decide what the ISMS covers (the systems, locations, and information) and identify the interested parties and requirements that shape it.

2. Run a risk assessment and treatment

   Identify information security risks, evaluate them, and choose treatments. The Annex A controls you select and justify become your Statement of Applicability.

3. Build the ISMS

   Implement the management-system requirements in clauses 4-10 and the chosen controls: policies, processes, awareness, and documented information.

4. Operate and gather evidence

   Run the ISMS for long enough to generate records, then complete an internal audit and a management review. Certification bodies want to see it working, not just designed.

5. Stage 1 and Stage 2 audits

   An accredited certification body reviews your documentation (Stage 1), then audits implementation and effectiveness (Stage 2). Close any nonconformities to earn the certificate.

6. Surveillance and recertification

   The certificate runs on a three-year cycle with surveillance audits in years one and two and a full recertification in year three. The ISMS must keep operating throughout.


08 · Frequently asked

ISO 27001, answered

The questions teams ask most on the road to certification.

What is ISO 27001?

ISO/IEC 27001 is the leading international standard for information security management. It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS): a risk-based, documented framework for managing the security of information. Published jointly by ISO and the IEC, it is certifiable, meaning an accredited body can audit an organisation and issue an internationally recognised certificate.

What is an ISMS?

An ISMS, or information security management system, is the set of policies, processes, people, and controls an organisation uses to manage information security risk systematically. ISO 27001 is the standard that defines what an ISMS must include. The key idea is that security is managed as an ongoing system, with risk assessment, controls, monitoring, and continual improvement, rather than as a one-time project.

What is ISO 27001:2022?

ISO/IEC 27001:2022 is the current version of the standard, published in October 2022, replacing the 2013 edition. Its most visible change is in Annex A: the controls were restructured from 114 controls in 14 domains into 93 controls grouped under four themes (Organizational, People, Physical, and Technological), with several new controls covering areas like threat intelligence, cloud services, and secure coding. Organisations on the 2013 version were given a transition period to move to 2022.

How many controls are in ISO 27001?

ISO 27001:2022 lists 93 controls in Annex A, grouped into four themes: Organizational (37), People (8), Physical (14), and Technological (34). These are not all mandatory; an organisation selects the controls relevant to its risks and documents the decision in its Statement of Applicability. The 2013 version had 114 controls across 14 domains.

Is ISO 27001 mandatory?

ISO 27001 is voluntary, not a law. However, it is frequently required commercially: enterprise customers, partners, and tenders increasingly ask for it, and in some sectors and regions it is effectively expected. Many organisations pursue certification because it is a globally recognised, independent way to prove a managed approach to information security.

How long does ISO 27001 certification take?

For most organisations, building the ISMS and reaching certification takes somewhere between 6 and 12 months, depending on size, complexity, and how mature security already is. The standard then runs on a three-year certification cycle, with surveillance audits in years one and two and a full recertification audit in year three, so it is an ongoing commitment rather than a one-time milestone.

What is the difference between ISO 27001 and SOC 2?

ISO 27001 is an international, certifiable management-system standard that produces a certificate recognised worldwide. SOC 2 is an AICPA attestation report, prepared by a CPA firm and popular with North American and SaaS buyers, that produces a detailed report rather than a certificate. They overlap heavily on controls, so many organisations pursue both and reuse most of the same evidence. See our ISO 27001 vs SOC 2 comparison for the detail.

What is the Statement of Applicability?

The Statement of Applicability (SoA) is a core ISO 27001 document that lists the Annex A controls, states whether each is applicable, explains why it is included or excluded, and records its implementation status. It is the bridge between your risk assessment and your controls, and auditors rely on it heavily, so it must accurately reflect what you actually do.
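The SoA consistency checks an internal audit (clause 9) typically runs before Stage 1, as an added example that is not part of this guide or of any vendor's product; the control numbers, risk IDs and status vocabulary are constructed placeholders, only the four themes, their sizes and the 93-control total come from the standard.

```python
"""Constructed example: consistency checks over a Statement of Applicability
before Stage 1. Not RiskWatch code; control numbering below is illustrative."""
from dataclasses import dataclass, field

# Annex A theme sizes for ISO/IEC 27001:2022 (93 controls in total).
THEME_SIZES = {"Organizational": 37, "People": 8, "Physical": 14, "Technological": 34}
VALID_STATUS = {"implemented", "partially implemented", "planned", "not applicable"}

@dataclass
class SoaEntry:
    control_id: str                 # e.g. "A.5.1" (illustrative numbering)
    theme: str                      # one of the four Annex A themes
    applicable: bool                # included in the ISMS or excluded
    justification: str              # why it is included or excluded
    status: str                     # implementation status as recorded
    risk_ids: list = field(default_factory=list)  # risks that drove the decision

def audit_soa(entries, expected_total=93):
    """Return findings an auditor would raise; an empty list means consistent."""
    findings, seen = [], set()
    for e in entries:
        if e.control_id in seen:
            findings.append(f"{e.control_id}: listed twice")
        seen.add(e.control_id)
        if e.theme not in THEME_SIZES:
            findings.append(f"{e.control_id}: unknown theme {e.theme!r}")
        if not e.justification.strip():
            findings.append(f"{e.control_id}: no justification recorded")
        if e.status not in VALID_STATUS:
            findings.append(f"{e.control_id}: unknown status {e.status!r}")
        if e.applicable and not e.risk_ids:
            findings.append(f"{e.control_id}: applicable but linked to no risk")
        if e.applicable and e.status == "not applicable":
            findings.append(f"{e.control_id}: applicable yet marked not applicable")
        if not e.applicable and e.status != "not applicable":
            findings.append(f"{e.control_id}: excluded but status is {e.status!r}")
    if len(seen) != expected_total:  # the SoA must cover every Annex A control
        findings.append(f"SoA covers {len(seen)} controls, expected {expected_total}")
    return findings

def sample_findings():
    """Run the checks over three constructed entries (total reduced to match)."""
    entries = [
        SoaEntry("A.5.1", "Organizational", True, "Policy required by clause 5.2", "implemented", ["R-01"]),
        SoaEntry("A.8.25", "Technological", True, "In-house software development", "planned"),
        SoaEntry("A.7.2", "Physical", False, "", "implemented"),
    ]
    return audit_soa(entries, expected_total=len(entries))
```

The second entry is applicable but traces to no risk, and the third is excluded without a justification while still showing an implementation status; both are the kind of gap Stage 1 reviewers flag.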