verified_user
Standardful
Homechevron_rightStandardschevron_rightISO/IEC 27001:2022
ActiveInternational Standardupdate Standard Updated: Oct 2022fact_check Fact checked: Jun 28, 2026

ISO/IEC 27001:2022

Information security, cybersecurity and privacy protection — Information security management systems — Requirements

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it defines the requirements an ISMS must meet to protect sensitive information.

Adopting this standard demonstrates an organization's commitment to managing information security risks effectively. It helps protect assets, ensures compliance with legal obligations, and builds trust with stakeholders and customers globally.

security

Annex A Controls

Provides 93 reference controls across 4 themes — organizational, people, physical, and technological — to systematically reduce information security risks.

manage_search

Risk Assessment

Mandates a formal risk assessment process to identify threats, vulnerabilities, and impacts, then select proportionate controls.

verified_user

Continuous Monitoring

Requires ongoing measurement, analysis, and evaluation of ISMS performance through internal audits and management reviews.

list_alt Key Control Themes

  • Organizational controls (policies, roles, asset management)
  • People controls (screening, awareness, training)
  • Physical controls (perimeters, equipment, media)
  • Technological controls (access, cryptography, logging)
  • Risk assessment & treatment methodology
  • Statement of Applicability (SoA)
  • Incident management & business continuity

Who Needs to Comply?

groups

Organizations of any size that handle sensitive information — particularly technology companies, financial services, healthcare providers, and government contractors.

Key Requirements

1

Information Security Policy

Establish and maintain an information security policy approved by top management, communicated to all employees, and available to interested parties.

2

Risk Assessment & Treatment

Implement a repeatable risk assessment process. Produce a risk treatment plan and Statement of Applicability mapping selected Annex A controls to identified risks.

3

Access Control

Ensure only authorized users can access information and systems. Implement identity management, authentication, and access rights provisioning aligned with business needs.

4

Incident Response

Establish procedures to detect, report, assess, and respond to information security incidents. Learn from incidents to prevent recurrence.

5

Internal Audit Program

Conduct internal audits at planned intervals to verify the ISMS conforms to requirements and is effectively implemented and maintained.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare, define scope and secure leadership commitment

Obtain top-management sponsorship and appoint an ISMS owner, then define the ISMS scope by identifying the business units, locations, information assets and legal or contractual obligations in play. Establish the information security policy, objectives and the resourcing needed to run the programme.

2
Phase 2schedule Duration: 4-8 weeks

Perform risk assessment, treatment and build the SoA

Choose a documented risk methodology, identify and evaluate risks to confidentiality, integrity and availability, then select treatment options and the Annex A controls that mitigate them. Produce the Statement of Applicability (SoA) justifying which of the 93 controls are included or excluded and record the risk treatment plan.

3
Phase 3schedule Duration: 3-6 months

Implement controls and ISMS documentation

Deploy the selected organizational, people, physical and technological controls and write the supporting policies, procedures and records required by the standard. Roll out awareness training so staff understand their responsibilities and the ISMS begins operating in practice.

4
Phase 4schedule Duration: 3-5 weeks

Run internal audit and management review

Conduct an internal audit against ISO 27001 requirements and your own controls to surface nonconformities, then log corrective actions. Hold a formal management review so leadership evaluates ISMS performance, resources and improvement opportunities before external assessment.

5
Phase 5schedule Duration: 6-12 weeks plus ongoing

Complete Stage 1 and Stage 2 certification and maintain surveillance

An accredited certification body performs the Stage 1 documentation review followed by the Stage 2 on-site assessment of ISMS effectiveness, leading to certification once major nonconformities are cleared. Maintain the certificate through annual surveillance audits and full recertification every three years.

Compliance Checklist

0 / 22

checklist Organizational controls

checklist People controls

checklist Physical controls

checklist Technological controls

ISO 27001 vs SOC 2

Both demonstrate strong information security to customers, but they differ in format, governance and geographic reach.

AspectISO 27001SOC 2
TypeCertification against a formal standardAttestation report on controls
Governing bodyISO and accredited certification bodiesAICPA, issued by a licensed CPA firm
Geographic reachGlobally recognizedNorth America-centric, widely used with US customers
ScopeFull ISMS covering risk management and Annex A controlsTrust Services Criteria selected by the organization
ValidityThree-year cycle with annual surveillance auditsPoint-in-time (Type I) or period-of-time (Type II) report
Best forOrganizations wanting a globally accepted certificate and structured ISMSSaaS and service providers assuring mainly US enterprise customers
How they overlapControls map closely, so shared evidence can support bothMany SOC 2 criteria align with Annex A controls and ISMS practices

Common Misconceptions

cancel
Myth

ISO 27001 certification means our systems can never be breached.

check_circle
Reality

Certification shows you have a risk-based management system and controls in place, not a guarantee of immunity. The standard is about managing risk to acceptable levels and improving continually, so incidents can still occur and must be handled through your ISMS.

cancel
Myth

ISO 27001 is purely an IT project owned by the security team.

check_circle
Reality

ISO 27001 is a management system requiring leadership commitment, business context and organization-wide participation. Clauses on leadership, resources and awareness make clear that HR, legal, facilities and top management all have defined roles.

cancel
Myth

You must implement every control in Annex A to be certified.

check_circle
Reality

Annex A is a reference set, and controls are selected based on your risk assessment and documented in the SoA. Irrelevant controls can be excluded with justification, so certification reflects your risks rather than a fixed checklist.

cancel
Myth

Once certified, the work is done for three years.

check_circle
Reality

Certification is the start of an ongoing cycle, not the finish line. Annual surveillance audits, continual improvement and recertification at year three all require the ISMS to keep operating and evolving with new risks.

Penalties & Enforcement

warning

No direct legal penalties for non-certification. However, many procurement processes and regulations (e.g., GDPR, NIS2) effectively require ISO 27001 or equivalent controls. Loss of certification can disqualify organizations from contracts.

Frequently Asked Questions

What is Annex A and how are the 93 controls grouped in the 2022 version?

expand_more

Annex A is the reference set of information security controls that organizations draw on to treat their risks. The 2022 revision restructured Annex A into 93 controls organized under four themes: Organizational (37), People (8), Physical (14) and Technological (34). This replaced the 14 control domains used in the 2013 version and consolidated overlapping controls.

What is a Statement of Applicability (SoA) and what goes in it?

expand_more

The SoA is a mandatory document that lists all Annex A controls and states whether each is applicable, with justification for inclusion or exclusion. For applicable controls it records their implementation status and links them back to the risk treatment plan. Auditors treat the SoA as the central map of your ISMS and review it closely during certification.

What risk assessment methodology should I use: asset-based or scenario-based?

expand_more

ISO 27001 does not mandate a specific method, only that it is documented, consistent and repeatable. Asset-based approaches enumerate assets and threats against each, which suits organizations with well-defined inventories, while scenario-based approaches model plausible risk events, which can be faster and more business-focused. Many organizations blend the two, and either is acceptable provided results are comparable over time.

What changed in the 2022 revision compared to 2013?

expand_more

The 2022 revision restructured Annex A from 114 controls in 14 domains into 93 controls across 4 themes, and added 11 new controls. The new controls include Threat intelligence, Information security for cloud services, Data leakage prevention and Secure coding, reflecting modern cloud and threat realities. Controls also gained attributes to help tagging and filtering, though the core clauses 4 to 10 saw only minor changes.

How long does certification take and what does it cost roughly?

expand_more

For many small and mid-sized organizations the journey from kickoff to certification takes roughly six to twelve months, depending on scope, maturity and resourcing. Costs vary widely by organization size and region and typically include internal effort, optional consultancy, and certification body audit fees. Larger or more complex scopes lengthen timelines and increase audit days and cost.

What is the difference between ISO 27001 and ISO 27002?

expand_more

ISO 27001 is the certifiable standard that specifies the requirements for an ISMS, including risk management and mandatory clauses. ISO 27002 is a guidance document that gives detailed implementation advice for the Annex A controls but is not itself certifiable. In practice you certify against ISO 27001 and use ISO 27002 as the how-to reference for the controls.

Do I need to implement all 93 controls?

expand_more

No. Annex A is a reference set, and the controls you apply are driven by your risk assessment and treatment decisions. You may exclude controls that are not relevant to your scope and risks, provided you justify each exclusion in the SoA. What you cannot do is ignore a relevant risk, and auditors will challenge exclusions that leave real risks untreated.

What are Stage 1 and Stage 2 audits?

expand_more

Stage 1 is a readiness or documentation review where the certification body checks that your ISMS documentation, scope and SoA are in place and you are ready to proceed. Stage 2 is the main assessment where auditors evaluate whether controls are implemented and operating effectively through evidence and interviews. Passing both, after closing any major nonconformities, results in certification.

How often are surveillance and recertification audits?

expand_more

ISO 27001 certification runs on a three-year cycle. The certification body conducts annual surveillance audits, typically in years one and two, to confirm the ISMS remains effective. A full recertification audit takes place before the certificate expires at the end of the three years.

Can a small company get certified?

expand_more

Yes. ISO 27001 is scalable and is regularly achieved by startups and small teams, because requirements are applied proportionately to the size, complexity and risk of the organization. A small company can define a tight scope, implement a lean set of relevant controls and document its ISMS pragmatically. The effort is smaller, but the same clauses and audit stages still apply.

How does ISO 27001 relate to SOC 2, GDPR and NIS2?

expand_more

ISO 27001 is an internationally recognized ISMS certification, while SOC 2 is a North American attestation report against Trust Services Criteria; the two overlap substantially and controls can be mapped to reduce duplicate effort. GDPR is a data protection law and NIS2 a cybersecurity directive, and a well-run ISMS provides much of the governance and control evidence they expect. However, ISO 27001 certification does not by itself prove legal compliance with GDPR or NIS2.

What is the ISMS scope?

expand_more

The ISMS scope defines the boundaries of what your management system covers, including the business processes, locations, assets, people and technologies that fall under it. It is set by considering internal and external issues, interested parties and interfaces with other organizations. A clear, well-bounded scope keeps the programme manageable and directly shapes what auditors will assess.

Official Documentation

View All

Related Categories