Compliance · 14 min read

What Is ISO 27001? The Complete Guide to the World's Leading Information Security Standard

Alexander Sverdlov

Security Analyst

3/25/2026

Everything you need to understand about ISO 27001: the ISMS framework, all 93 Annex A controls, the certification audit process, who actually needs it, and how to avoid the mistakes that derail most first-time implementations.

Key Takeaways

  • ISO 27001 is the international standard for building and certifying an Information Security Management System (ISMS)
  • The 2022 revision reorganized Annex A into 93 controls across 4 categories: Organizational, People, Physical, and Technological
  • Certification requires passing a two-stage external audit by an accredited certification body
  • ISO 27001 is risk-based and flexible — you select controls based on your specific risk assessment, not a one-size-fits-all checklist
  • It complements (but differs significantly from) SOC 2 — many organizations pursue both depending on customer requirements
  • Common implementation mistakes include treating it as an IT-only project, over-documenting policies, and neglecting management commitment

The Opening

A Story About a Missing Padlock

When I was 14, I decided to build a “security system” for my bedroom. I had just read a spy novel — cannot remember which one, probably something embarrassingly pulpy — and became convinced that my younger brother was raiding my desk drawers for candy. So I rigged a fishing line across the doorframe, balanced a cup of dried pasta on the door handle (the “alarm”), and taped a sign to my door that said “AUTHORIZED PERSONNEL ONLY.”

My brother walked in through the window.

I tell this story at the beginning of almost every ISO 27001 engagement because it captures the exact failure mode I see in organizations that approach information security without a proper management system. They install firewalls but forget about social engineering training. They encrypt databases but leave API keys in public Git repositories. They write 200-page security policies that nobody reads, then act surprised when a contractor plugs an infected USB into a production server.

The fishing-line-and-pasta approach to security doesn’t scale. It never did. And that, in the most reductive way possible, is why ISO 27001 exists: to give organizations a systematic, repeatable, auditable framework for protecting information — one that accounts for the windows, not just the doors.

I have spent over a decade helping companies implement and certify against ISO 27001, and I still think it is the single most underappreciated framework in our industry. Not because it is glamorous — it is decidedly not — but because when done right, it transforms security from a collection of ad-hoc tools into an actual system that leadership can measure, govern, and continuously improve.

Let me walk you through everything you need to know.


The Standard

What Is ISO 27001, Exactly?

ISO/IEC 27001 is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

In plain language: ISO 27001 gives you a blueprint for managing information security across your entire organization — not just in the server room, not just in the IT department, but across every business unit, process, and person that touches sensitive data.

The Core Promise of ISO 27001

ISO 27001 is built around three security objectives, often called the CIA triad:

  • Confidentiality — Information is accessible only to authorized individuals
  • Integrity — Information is accurate, complete, and protected from unauthorized modification
  • Availability — Information and associated systems are accessible when needed

The current version is ISO/IEC 27001:2022, which replaced the 2013 edition. The 2022 update restructured the Annex A controls significantly (more on that below) and added 11 new controls to address modern threats like cloud security, threat intelligence, and data masking.

One crucial distinction: ISO 27001 is certifiable. Unlike many frameworks that are self-assessed or advisory, an accredited third-party certification body can audit your ISMS and issue a formal certificate. That certificate is recognized globally and is increasingly a non-negotiable requirement in enterprise procurement, government contracting, and regulated industries.

“ISO 27001 doesn’t tell you which lock to put on the door. It tells you to figure out which doors need locks, how good those locks need to be, who holds the keys, and what happens when someone loses one.”


Core Framework

The ISMS Concept: How ISO 27001 Actually Works

The heart of ISO 27001 is the Information Security Management System (ISMS). An ISMS is not a product you install or a document you write. It is a management system — a set of interrelated policies, processes, procedures, organizational structures, and resources that work together to protect information assets.

Think of it this way: if ISO 27001 is the building code, the ISMS is the actual building. The standard tells you what the building needs to withstand; you design, construct, and maintain the building based on your specific environment, risks, and requirements.

The ISMS follows the classic Plan-Do-Check-Act (PDCA) cycle, ensuring continuous improvement:

Plan

Define the ISMS scope, conduct risk assessment, select controls, draft the Statement of Applicability, and get management buy-in. This is where 80% of the strategic work happens.

Do

Implement the controls, roll out policies, train employees, deploy technical measures, and establish operational processes. Execution requires cross-functional collaboration.

Check

Monitor and measure the ISMS performance through internal audits, management reviews, incident analysis, and KPI tracking. Identify what is working and what is not.

Act

Take corrective actions on nonconformities, update risk assessments based on new threats, refine controls and processes, and feed lessons learned back into the next cycle.

The standard’s mandatory clauses (Clauses 4 through 10) define the management system requirements:

| Clause | Title | What It Requires |
| --- | --- | --- |
| Clause 4 | Context of the Organization | Understand internal/external issues, interested parties, and define the ISMS scope |
| Clause 5 | Leadership | Top management commitment, information security policy, roles and responsibilities |
| Clause 6 | Planning | Risk assessment and treatment methodology, information security objectives, Statement of Applicability |
| Clause 7 | Support | Resources, competence, awareness, communication, and documented information requirements |
| Clause 8 | Operation | Implement risk treatment plans and operational controls on a day-to-day basis |
| Clause 9 | Performance Evaluation | Monitoring, measurement, analysis, internal audits, and management reviews |
| Clause 10 | Improvement | Nonconformity management, corrective actions, and continual improvement of the ISMS |

A critical document in any ISMS is the Statement of Applicability (SoA). This document lists all 93 Annex A controls, states whether each is applicable or not, provides justification for exclusions, and describes how applicable controls are implemented. Auditors treat the SoA as the master reference for your security program. If you need help structuring your ISMS or conducting the initial risk assessment, our IT security audit services can provide an objective baseline evaluation.


Control Framework

Annex A: 93 Controls in 4 Categories

If the ISMS clauses are the engine, Annex A is the toolkit. ISO 27001:2022 organizes 93 security controls into four thematic categories — a major simplification from the 2013 version, which spread 114 controls across 14 domains. The restructuring makes it significantly easier to map controls to real organizational functions.

| Category | Controls | What It Covers |
| --- | --- | --- |
| A.5 Organizational | 37 | Policies, roles, responsibilities, asset management, access control, supplier relationships, incident management, business continuity, compliance |
| A.6 People | 8 | Screening, employment terms, security awareness training, disciplinary process, post-employment responsibilities, remote working, event reporting |
| A.7 Physical | 14 | Physical security perimeters, entry controls, securing offices/rooms, physical security monitoring, protection against environmental threats, equipment siting and protection, secure disposal, clear desk/screen |
| A.8 Technological | 34 | User endpoint devices, privileged access, access restriction, secure authentication, capacity management, malware protection, vulnerability management, logging, network security, cryptography, secure development, data masking, DLP, cloud services |

The 2022 revision introduced 11 brand-new controls that reflect the modern threat landscape:

New Controls in ISO 27001:2022

  • A.5.7 — Threat intelligence
  • A.5.23 — Information security for use of cloud services
  • A.5.30 — ICT readiness for business continuity
  • A.7.4 — Physical security monitoring
  • A.8.9 — Configuration management
  • A.8.10 — Information deletion
  • A.8.11 — Data masking
  • A.8.12 — Data leakage prevention
  • A.8.16 — Monitoring activities
  • A.8.23 — Web filtering
  • A.8.28 — Secure coding

One of the most important things to understand about Annex A: you do not have to implement every control. ISO 27001 is risk-based. You conduct a risk assessment, identify the risks relevant to your organization, and then select the controls that mitigate those risks. Controls that are not applicable are excluded — but you must justify every exclusion in your Statement of Applicability.

This flexibility is one of ISO 27001’s greatest strengths. A 30-person SaaS startup will have a very different control set than a 5,000-employee hospital system. Both can be ISO 27001 certified. The standard meets you where you are — as long as you can demonstrate that your risk assessment is thorough and your controls are proportionate.
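To make the risk-based selection and the Statement of Applicability concrete, here is an added Python example. It is my illustration for this article, not the standard's text or any certification body's tooling, and everything in it is a construction: the 5x5 likelihood/impact scale, the `RISK_APPETITE` threshold of 9, the `Risk`, `build_soa` and `audit_soa` names, the sample register entries and the exclusion wording. The control catalogue is deliberately only the 11 controls new in ISO 27001:2022 listed above; a real SoA lists all 93. The point it shows beyond the prose is the two checks an auditor actually makes against the document: every control is present with a decision, and every exclusion carries a justification, while a risk above appetite with no treatment control is flagged.

```python
"""Toy risk register -> Statement of Applicability (SoA) consistency check.

Scores each risk on one consistent scale, decides treatment against a stated
risk appetite, links treated risks to Annex A controls, then verifies that the
SoA lists every catalogue control and justifies every exclusion. The scale,
threshold, sample risks and exclusion reasons are constructed for this example;
the catalogue is only the 11 controls new in ISO 27001:2022 (a real SoA has 93).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CATALOGUE: Dict[str, str] = {
    "A.5.7": "Threat intelligence",
    "A.5.23": "Information security for use of cloud services",
    "A.5.30": "ICT readiness for business continuity",
    "A.7.4": "Physical security monitoring",
    "A.8.9": "Configuration management",
    "A.8.10": "Information deletion",
    "A.8.11": "Data masking",
    "A.8.12": "Data leakage prevention",
    "A.8.16": "Monitoring activities",
    "A.8.23": "Web filtering",
    "A.8.28": "Secure coding",
}

RISK_APPETITE = 9  # constructed: a score above this must be treated (scale 1..25)


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: List[str] = field(default_factory=list)  # Annex A controls chosen as treatment

    def __post_init__(self) -> None:
        # Consistent scoring: reject values outside the agreed scale.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} for '{self.scenario}' must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def treatment(self) -> str:
        return "treat" if self.score > RISK_APPETITE else "accept"


def build_soa(risks: List[Risk], exclusions: Dict[str, str]) -> Dict[str, dict]:
    """One SoA row per catalogue control: applicable if a treated risk relies on it,
    otherwise excluded with whatever justification was recorded (possibly none)."""
    soa: Dict[str, dict] = {}
    for cid, title in CATALOGUE.items():
        linked = sorted(r.scenario for r in risks if r.treatment == "treat" and cid in r.controls)
        if linked:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "Treats: " + "; ".join(linked)}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": exclusions.get(cid, "")}
    return soa


def audit_soa(soa: Dict[str, dict], risks: List[Risk]) -> List[str]:
    """Return the findings an auditor would raise against this SoA and register."""
    issues: List[str] = []
    for cid in CATALOGUE:
        if cid not in soa:
            issues.append(f"{cid} missing from the SoA")
    for cid, row in soa.items():
        if not row["applicable"] and not row["justification"].strip():
            issues.append(f"{cid} ({row['title']}) excluded without justification")
    for r in risks:
        for cid in r.controls:
            if cid not in CATALOGUE:
                issues.append(f"{cid} referenced by '{r.scenario}' is not a catalogue control")
        if r.treatment == "treat" and not r.controls:
            issues.append(f"'{r.scenario}' scores {r.score} (above appetite) but has no treatment control")
    return issues


def sample_risks() -> List[Risk]:
    # Constructed register entries for a small, fully remote SaaS company.
    return [
        Risk("Customer database", "Production data copied into a test environment", 4, 4, ["A.8.11", "A.8.10"]),
        Risk("Staff laptops", "Credentials entered on a phishing site", 3, 4, ["A.8.23", "A.8.16"]),
        Risk("Product source code", "Injection flaw shipped to production", 3, 5, ["A.8.28", "A.8.9"]),
        Risk("Cloud hosting", "Provider region outage takes production offline", 2, 5, ["A.5.23", "A.5.30"]),
        Risk("Marketing website", "Defacement of the static marketing site", 2, 2, []),  # accepted
        Risk("Backups", "Ransomware encrypts primary and backup storage", 3, 5, []),  # treat, but no control
    ]


def sample_exclusions() -> Dict[str, str]:
    # Constructed justifications; A.5.7 is deliberately left without one.
    return {
        "A.7.4": "No company-operated premises; workforce is fully remote",
        "A.8.12": "No bulk data export channels in scope; revisit when the export feature ships",
    }


def run_example() -> Tuple[Dict[str, dict], List[str]]:
    risks = sample_risks()
    soa = build_soa(risks, sample_exclusions())
    return soa, audit_soa(soa, risks)


if __name__ == "__main__":
    soa, issues = run_example()
    for cid, row in soa.items():
        print(f"{cid:7} {'applicable' if row['applicable'] else 'excluded  '} {row['title']}")
    print("\nFindings:" if issues else "\nNo findings")
    for issue in issues:
        print(" -", issue)
```

Running it lists eight applicable and three excluded controls and reports two findings: the unjustified exclusion of A.5.7 and the ransomware risk that sits above appetite with nothing treating it. Both are exactly the kind of gap Stage 1 surfaces before an auditor ever looks at a single technical control.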


Getting Certified

The Certification Process: From Zero to Certified

ISO 27001 certification is not something you achieve overnight. For most mid-sized organizations, the journey from “we should probably do this” to “here is our certificate” takes 6 to 18 months, depending on organizational maturity, scope, and resource allocation.

Here is the typical path:

The ISO 27001 Implementation Roadmap

Phase 1: Gap Analysis & Scoping (Weeks 1–4)
Assess your current security posture against ISO 27001 requirements, define the ISMS scope (which business units, locations, and systems are included), and identify the delta between where you are and where you need to be.

Phase 2: Risk Assessment & Treatment (Weeks 4–10)
Develop your risk assessment methodology, identify information assets, assess threats and vulnerabilities, evaluate risk levels, and define a risk treatment plan. Produce the Statement of Applicability.

Phase 3: Policy & Control Implementation (Weeks 8–24)
Write or update security policies, implement technical controls, establish operational procedures, deploy monitoring tools, and run security awareness training. This is the longest and most labor-intensive phase.

Phase 4: Internal Audit & Management Review (Weeks 20–28)
Conduct a full internal audit of the ISMS against ISO 27001 requirements, hold a formal management review meeting, and address any nonconformities found.

Phase 5: Certification Audit (Weeks 26–36)
Engage an accredited certification body to conduct the two-stage external audit. Resolve any findings. Receive your certificate.

A common question we get at Atlant Security: “Can we do this ourselves, or do we need a consultant?” The honest answer is that organizations with mature security programs and dedicated compliance staff can absolutely self-implement. But for companies tackling ISO 27001 for the first time, working with an experienced partner typically cuts the timeline by 30–40% and significantly reduces the risk of audit failures. Our virtual CISO services are specifically designed to guide organizations through this process without the overhead of a full-time hire.


The Audit

Stages of the ISO 27001 Certification Audit

The certification audit is conducted by an external, accredited certification body (think companies like BSI, Bureau Veritas, TUV, Schellman, or A-LIGN). It happens in two stages, each with a distinct purpose:

Stage 1: Documentation Review

Duration: 1–3 days on-site or remote

The auditor reviews your ISMS documentation to confirm it meets the standard’s requirements. Key documents reviewed:

  • ISMS scope statement
  • Information security policy
  • Risk assessment methodology and results
  • Risk treatment plan
  • Statement of Applicability
  • Internal audit report
  • Management review minutes

Outcome: The auditor identifies any gaps that must be resolved before Stage 2. Stage 1 is essentially a readiness check.

Stage 2: Implementation Audit

Duration: 3–10 days depending on scope

The auditor verifies that your ISMS is actually implemented, operational, and effective. They will:

  • Interview staff across departments
  • Review evidence of control implementation
  • Test a sample of Annex A controls
  • Verify risk treatment effectiveness
  • Examine incident and change records
  • Assess management engagement
  • Evaluate continual improvement evidence

Outcome: The auditor issues findings categorized as major nonconformities, minor nonconformities, or opportunities for improvement.

What Happens If You Fail?

A major nonconformity means certification cannot be granted until the issue is resolved. You typically get 90 days to remediate and provide evidence. A minor nonconformity must be addressed within a defined timeframe but will not block initial certification. Most organizations receive a handful of minor nonconformities — that is completely normal and expected. Zero findings are rare and, frankly, can make auditors suspicious.

After initial certification, the cycle continues with annual surveillance audits (smaller in scope, verifying continued compliance) in years two and three, followed by a full recertification audit every three years. The certificate itself is valid for three years, provided you pass the surveillance audits.

| Audit Type | Frequency | Typical Duration | Purpose |
| --- | --- | --- | --- |
| Stage 1 + Stage 2 | Once (initial) | 4–13 days total | Initial certification — documentation review + implementation verification |
| Surveillance Audit | Annually (Yr 2 & 3) | 2–5 days | Verify continued compliance and continual improvement |
| Recertification Audit | Every 3 years | 3–8 days | Full reassessment of the entire ISMS — essentially a new Stage 1 + Stage 2 |

Applicability

Who Needs ISO 27001?

The short answer: any organization that handles sensitive information and wants to prove it. But some industries and business models make ISO 27001 particularly valuable — or outright necessary.

SaaS & Technology Companies

Enterprise buyers increasingly require ISO 27001 as a baseline for vendor selection. If you sell B2B software, certification removes one of the biggest friction points in the sales cycle.

Financial Services

Banks, payment processors, fintechs, and insurers operate under heavy regulatory scrutiny. ISO 27001 maps well to requirements like PCI DSS, MAS TRM, CPS 234, and NIS2.

Healthcare & Life Sciences

Organizations handling patient data, clinical trials, or medical devices use ISO 27001 to complement HIPAA, GDPR, and FDA cybersecurity requirements.

Government Contractors

Many government procurement frameworks reference ISO 27001 or accept it as evidence of a mature security program. In the EU, it is closely tied to NIS2 compliance.

Other industries where ISO 27001 is commonly pursued include managed service providers, legal firms handling privileged communications, manufacturing companies protecting trade secrets and IP, and any organization expanding into European or Asia-Pacific markets where ISO 27001 is the dominant security standard.

“In North America, your prospects ask for SOC 2. In Europe and APAC, they ask for ISO 27001. If you serve global customers, you will eventually need both.”


Business Impact

Benefits of ISO 27001 Certification

I am going to be honest: the “benefits of ISO 27001” section in most articles reads like a marketing brochure. So let me skip the generic list and focus on the outcomes I have actually seen across dozens of implementations.

| Benefit | What Actually Happens | Real-World Impact |
| --- | --- | --- |
| Shortened sales cycles | Enterprise prospects accept your ISO 27001 certificate instead of conducting lengthy vendor security assessments | Clients report 2–6 week reductions in procurement timelines |
| Reduced breach risk | Systematic risk management catches vulnerabilities before attackers do — not through luck, but through process | Organizations with certified ISMS report fewer and less severe security incidents |
| Lower insurance premiums | Cyber insurance underwriters recognize ISO 27001 as evidence of mature risk management | Premium reductions of 10–25% are common with certified status |
| Regulatory alignment | ISO 27001 maps to GDPR, NIS2, HIPAA, PCI DSS, and most industry regulations | One ISMS can satisfy multiple compliance requirements simultaneously |
| Operational clarity | Roles, responsibilities, and processes are documented and accountable | Faster incident response, clearer escalation paths, fewer “who handles this?” moments |
| Competitive differentiation | In crowded markets, certification signals maturity and professionalism | Particularly impactful for mid-market companies competing against larger, established players |

The benefit I personally find most underrated is the internal culture shift. Going through the ISO 27001 process forces every department — HR, legal, finance, product, operations — to take ownership of information security. It stops being “the IT team’s problem” and becomes an organizational capability. That cultural transformation outlasts any individual control.


Comparison

ISO 27001 vs. SOC 2: How They Compare

This is one of the most common questions we field: “Do we need ISO 27001, SOC 2, or both?” They are fundamentally different in structure, geography, and purpose — but they share a lot of common ground in terms of actual security controls. Here is a head-to-head comparison:

| Dimension | ISO 27001 | SOC 2 |
| --- | --- | --- |
| Governing body | ISO/IEC (international) | AICPA (United States) |
| Output | Certificate (pass/fail) | Attestation report from CPA firm |
| Geographic preference | Global, especially Europe & APAC | Primarily North America |
| Scope | Entire organization (or defined ISMS scope) | Specific system or service |
| Framework approach | Risk-based, prescriptive management system | Criteria-based (5 Trust Services Criteria) |
| Validity | 3 years with annual surveillance audits | 12 months (Type II observation period) |
| Cost (mid-size org) | $30,000–$100,000+ for implementation + audit | $20,000–$80,000+ for readiness + audit |

The practical takeaway: if your customers are primarily in North America, start with SOC 2. If they are in Europe or Asia-Pacific, prioritize ISO 27001. If you serve global customers, plan for both — and design your control framework to satisfy both simultaneously, which is very achievable with proper planning. For a deeper exploration of SOC 2 requirements and the audit process, see our complete guide to SOC 2 readiness.


Pitfalls

Common Mistakes That Derail ISO 27001 Projects

After guiding organizations through ISO 27001 for years, I have developed a running list of failure patterns. These are the mistakes I see over and over again — and every single one is preventable.

Mistake 1: Treating It as an IT-Only Project

ISO 27001 is a management system standard, not a technical standard. It requires involvement from HR (screening, training, offboarding), legal (contracts, compliance), facilities (physical security), procurement (vendor management), and executive leadership (governance, risk appetite). When IT tries to own it alone, critical controls get missed and the management review process becomes a formality rather than a genuine governance mechanism.

Mistake 2: Over-Documenting Everything

First-timers frequently create 300-page policy documents that nobody reads. ISO 27001 requires documented information, not bureaucracy. A 5-page access control policy that people actually follow is infinitely more valuable than a 50-page one that sits in SharePoint collecting dust. Write policies at the level of detail your organization actually needs and can maintain.

Mistake 3: Conducting a Shallow Risk Assessment

The risk assessment is the foundation of your entire ISMS. If it is superficial — generic risks, arbitrary scores, no real analysis — everything built on top of it is flawed. Auditors will probe your risk assessment methodology extensively. They want to see that you identified risks specific to your business, evaluated them consistently, and made defensible treatment decisions.

Mistake 4: Ignoring Management Commitment

Clause 5 requires demonstrable management commitment. This is not a checkbox — auditors will verify that leadership participates in management reviews, approves the information security policy, allocates budget and resources, and understands the key risks. When the CEO cannot articulate why the organization pursued ISO 27001 beyond “the sales team asked for it,” auditors notice.

Mistake 5: Forgetting About Continual Improvement

Getting certified is not the finish line. Organizations that treat the certificate as a trophy and let the ISMS stagnate will struggle at their first surveillance audit. The standard explicitly requires continual improvement — updated risk assessments, corrective actions from internal audits, evolved controls as threats change. Build ISMS maintenance into your operational rhythm from day one.

Mistake 6: Choosing the Wrong Scope

Scope too broad, and you overwhelm your team with controls across the entire organization when a phased approach would be smarter. Scope too narrow, and customers question why their specific service is not covered. The right scope balances operational feasibility with commercial requirements. Start with the business units and systems that your customers actually care about.

What Successful Organizations Do

  • Assign an ISMS owner with cross-functional authority
  • Get an executive sponsor before starting
  • Keep policies concise and actionable
  • Integrate security into existing business processes
  • Run internal audits as genuine improvement exercises

What Struggling Organizations Do

  • Delegate everything to IT with no executive involvement
  • Copy-paste policy templates without customization
  • Use generic risk assessments from the internet
  • Treat certification as a one-time project
  • Conduct internal audits as a compliance theatre exercise

Questions Answered

Frequently Asked Questions About ISO 27001

How much does ISO 27001 certification cost?

Costs vary significantly by organization size, scope, and existing maturity. For a mid-sized company (100–500 employees), expect $30,000–$60,000 for implementation consulting, $10,000–$30,000 for the certification audit itself, and ongoing costs of $10,000–$20,000 per year for surveillance audits and ISMS maintenance. Organizations with existing SOC 2 programs or mature security practices will be at the lower end.

How long does it take to get ISO 27001 certified?

Typically 6–18 months from project kickoff to certificate in hand. Smaller organizations with strong security foundations can achieve it in 6–9 months. Larger organizations with complex environments or minimal existing controls should plan for 12–18 months. The biggest variable is usually the time needed to implement controls and collect evidence of operational effectiveness.

Is ISO 27001 mandatory?

ISO 27001 is not legally mandatory in most jurisdictions. However, it is increasingly a de facto requirement in certain contexts: EU government contracts, enterprise vendor procurement, regulated industries (via regulations that reference ISO 27001 controls), and insurance underwriting. The NIS2 Directive in the EU explicitly references ISO 27001 as a recognized approach to meeting its security requirements.

Can a small company (under 50 employees) get certified?

Absolutely. ISO 27001 is designed to be scalable. The scope, complexity of controls, and documentation can all be proportionate to the organization’s size and risk profile. Many startups and small companies achieve certification with a focused scope covering their core product or service. The audit is also shorter and less expensive for smaller organizations.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 specifies the requirements for an ISMS and is the standard you certify against. ISO 27002 is a guidance document that provides detailed implementation advice for each of the Annex A controls. Think of 27001 as the “what” and 27002 as the “how.” You cannot certify against ISO 27002 — it is a supporting reference.

Do we need to implement all 93 Annex A controls?

No. You only need to implement controls that are relevant to the risks you identified in your risk assessment. Controls that are not applicable can be excluded, but you must document the justification for each exclusion in your Statement of Applicability. In practice, most organizations implement 70–85 of the 93 controls, excluding those related to environments they do not have (e.g., physical controls for a fully remote company).

Can we pursue ISO 27001 and SOC 2 at the same time?

Yes, and many organizations do. There is roughly 70–80% overlap in the underlying controls. The key is to design a unified control framework from the start that satisfies both standards, rather than building two separate compliance programs. A virtual CISO can help architect a single program that maps to both ISO 27001 Annex A controls and SOC 2 Trust Services Criteria.

What is the transition deadline for ISO 27001:2022?

Organizations certified under ISO 27001:2013 had until October 31, 2025 to transition to the 2022 version. As of 2026, all new certifications and recertifications must be against ISO 27001:2022. If you are starting fresh, you will be implementing the 2022 version from day one, which is actually simpler thanks to the reorganized Annex A structure.

Ready to Start Your ISO 27001 Journey?

Whether you are pursuing ISO 27001 for the first time or transitioning from the 2013 version, Atlant Security can guide you from gap analysis through certification.

Our initial consultation includes a high-level readiness assessment, scope recommendations, and realistic timeline and budget estimates. No obligation, no pressure — just honest guidance from people who have done this dozens of times.

This article is for informational purposes only and does not constitute legal or professional advice. ISO 27001 certification requirements and costs vary based on organization size, industry, scope, and geographic location. Organizations should consult with an accredited certification body and qualified security professionals before making compliance decisions.

Alexander Sverdlov

Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.