ISO/IEC 27001:2022
Direct answer
ISO/IEC 27001:2022 is the international standard for an information security management system (ISMS). It gives organizations a risk-based framework, ten clauses and 93 Annex A controls across four themes, to govern the confidentiality, integrity, and availability of information. Accredited third-party bodies certify it. Certificates run three years with annual surveillance.
ISO/IEC 27001:2022 is the leading international standard for managing information security. It specifies the requirements for an Information Security Management System (ISMS): the combination of policies, procedures, processes, and controls an organization uses to protect its information assets. It is built on the same Annex SL Harmonized Structure as ISO 9001 and ISO 42001, which means clauses 4 through 10 follow an identical architecture across all three standards, making management-system integration straightforward.
It is certifiable by accredited third-party bodies, so an organization's security posture can be independently verified rather than self-attested. The standard does not prescribe a single security architecture. Instead, it requires that an organization identify its risks, select the controls appropriate to those risks, implement them, and improve continuously. The output is an ISMS sized to the organization's actual risk profile, not a generic checklist.
ISO 27001 is not legally mandatory in most jurisdictions. Organizations pursue certification because customers, regulators, or the market require it. Common drivers:
There is no minimum organization size. Sole traders can certify, and multinationals do. Scope can be limited to a specific product, service line, or geography, which is how smaller organizations keep the certification tractable.
ISO 27001 has ten clauses. Clauses 1 to 3 set scope, normative references, and terms. Clauses 4 to 10 are the auditable requirements; they follow the same Harmonized Structure as ISO 9001 and ISO 42001, which is what allows organizations to integrate multiple management systems without duplicating policies, risk processes, or internal audits. The information-security-specific demands concentrate in Clause 6 (risk assessment, risk treatment, and the Statement of Applicability) and Clause 8 (operating the ISMS and executing the risk treatment plan).
| Clause | Title | Requirement in one line |
|---|---|---|
| 4 | Context of the organization | Identify internal and external issues, interested parties, and define the ISMS scope. |
| 5 | Leadership | Top-management commitment, an information security policy, and assigned roles. |
| 6 | Planning | Risk assessment, risk treatment plan, Statement of Applicability, and information security objectives. |
| 7 | Support | Resources, competence, awareness, communication, and documented information. |
| 8 | Operation | Execute the risk treatment plan and Annex A controls; maintain operational procedures. |
| 9 | Performance evaluation | Monitoring, measurement, internal audit, and management review. |
| 10 | Improvement | Nonconformity, corrective action, and continual improvement. |
Annex A in the 2022 edition organizes 93 controls into 4 themes: Organizational (37 controls), People (8), Physical (14), and Technological (34). The controls are a reference set, not a mandatory checklist. The process is: identify your risks, determine which controls would treat those risks, include them in the Statement of Applicability with justification, and exclude the others with a documented reason. An exclusion is not a nonconformity; an unjustified exclusion is.
The 2022 restructuring introduced 11 new controls not present in the 2013 edition: threat intelligence (5.7), information security for use of cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23), and secure coding (8.28).
The full control-by-control breakdown is on the Annex A controls spoke.
| Theme | Controls | Coverage |
|---|---|---|
| Organizational (5.x) | 37 | Policies, roles, responsibilities, threat intelligence, asset management, supplier security, incident management, business continuity, compliance. |
| People (6.x) | 8 | Screening, employment terms, awareness, training, disciplinary process, post-employment, remote working, confidentiality agreements. |
| Physical (7.x) | 14 | Physical perimeters, entry controls, office and facility security, equipment protection, clear desk and screen, physical media handling. |
| Technological (8.x) | 34 | Endpoints, access control, cryptography, vulnerability management, configuration, logging, monitoring, web filtering, secure development, cloud security. |
| Total | 93 |
The Statement of Applicability (SoA) is the mandatory document at the heart of ISO 27001. Clause 6.1.3 requires it. It lists all 93 Annex A controls and for each states:
The SoA is the primary document a Stage 1 auditor reviews before the on-site audit. Common failures: excluding controls without documented risk justification, listing controls as applicable without evidence of implementation, and failing to update the SoA when scope or risks change.
A well-built SoA is not a one-time document. It should be version-controlled, reviewed as part of the annual management review, and updated whenever new risks are identified, scope changes, or control applicability changes. Auditors will look for version history and sign-off dates.
Certification is awarded by an accredited third-party certification body after a two-stage audit. Stage 1 reviews documentation and ISMS readiness; Stage 2 tests the system in operation. Auditors sample evidence, interview staff, and assess whether the controls in the SoA are actually operating.
Certificates are valid for three years. Annual surveillance audits confirm continued conformity. A recertification audit occurs in year three. For accreditation, look for bodies accredited by UKAS (UK), ANAB or A2LA (US), DAkkS (Germany), COFRAC (France), or SAS (Switzerland). ISO itself does not certify organizations.
Most organizations take three to twelve months from gap analysis to certificate, depending on ISMS maturity, scope, and available resources.
| Stage | Typical duration | What happens |
|---|---|---|
| Gap analysis | 2 to 4 weeks | Assess current state against clauses 4 to 10 and all 93 Annex A controls. |
| ISMS implementation | 2 to 6 months | Build or close gaps: scope, risk assessment, SoA, policies, controls, and evidence. |
| Internal audit | 2 to 4 weeks | Independent internal review covers all clauses; findings addressed before Stage 1. |
| Management review | 1 to 2 weeks | Top management reviews ISMS performance and approves for certification audit. |
| Stage 1 audit | 1 to 2 days | Certification body reviews documentation, SoA, and ISMS readiness. |
| Stage 1 remediation | 2 to 4 weeks | Address any findings raised before proceeding to Stage 2. |
| Stage 2 audit | 2 to 5+ days | Controls sampled, staff interviewed, evidence reviewed against the SoA. |
| Certificate issued | 1 to 4 weeks | Valid 3 years once major nonconformities are closed. |
| Surveillance (years 1 and 2) | 1 to 3 days per year | Confirm continued conformity; partial scope reviewed each surveillance cycle. |
| Recertification (year 3) | Full audit | Full certification audit cycle repeats. |
TRAIN TO CERTIFYAbilene Academy is the only PECB Titanium Partner in Switzerland, the highest accreditation tier in the industry, delivering certified ISO 27001 Lead Implementer and Lead Auditor training in classroom, online, and self-study formats. Also covers ISO 27005 risk management. Multilingual programmes in EN, FR, ES, DE, IT and more. 99% Exam pass rate · 2,500+ Professionals trained · 120+ Countries reached · Titanium Only PECB Titanium Partner in Switzerland.
ISO 27001 training courses →Certification costs depend on organization size, scope, and number of sites. The figures below are indicative estimates based on publicly available data. Swiss and EU pricing may differ from US figures. Request formal quotes from two or three accredited bodies before budgeting.
Costs fall into two categories: certification body fees (what you pay the auditor) and implementation effort (internal time, consultant fees, and tooling). Both are real, and most programs underestimate implementation effort. A GRC platform that maps ISO 27001 alongside existing frameworks reduces implementation cost significantly.
| Organization size | Cert body fees (year 1) | Implementation effort | Annual surveillance |
|---|---|---|---|
| Small (50 to 200 employees) | USD 15,000 to 30,000 | USD 30,000 to 100,000 | USD 8,000 to 15,000 |
| Mid (200 to 1,000 employees) | USD 25,000 to 60,000 | USD 80,000 to 250,000 | USD 12,000 to 25,000 |
| Large (1,000+ employees) | USD 50,000+ | USD 200,000+ | USD 20,000+ |
ISO 27001 and SOC 2 both address information security, but they are architecturally different. ISO 27001 is a management system standard that produces a certificate; SOC 2 is an attestation framework that produces an audit report. Many organizations operating in EU and US markets pursue both. See the full ISO 27001 vs SOC 2 comparison.
| Dimension | ISO/IEC 27001:2022 | SOC 2 |
|---|---|---|
| Purpose | ISMS certification | Service organization controls attestation |
| Output | Certificate (3-year validity) | Type I (point-in-time) or Type II (period) report |
| Standard body | ISO and IEC | AICPA |
| Geography | Global | Primarily US; required by US enterprise customers globally |
| Audit model | Accredited certification body (e.g. UKAS, ANAB) | Licensed CPA firm |
| Framework | 10 clauses and 93 Annex A controls | 5 Trust Services Criteria (Security mandatory; 4 optional) |
| Scope | ISMS (policies, risks, controls, improvement) | Selected TSC categories and in-scope systems |
| Audit cadence | Stage 1 and 2 then annual surveillance | Annual (Type II: 6 to 12 month observation period) |
| Who demands it | EU procurement, regulated industries, global B2B | US enterprise customers, US SaaS buyers |
| Control overlap | Significant overlap with SOC 2 CC controls | Significant overlap with ISO 27001 Annex A |
ISO/IEC 27001:2022 was published in October 2022. The clause structure (4 to 10) is unchanged; the major change was to Annex A. The 2013 edition had 114 controls across 14 domains. The 2022 edition restructured these into 93 controls across 4 themes, merging, renaming, and reorganizing existing controls and adding 11 new ones.
The transition deadline for organizations certified to the 2013 edition was 31 October 2025. Certificates issued under the 2013 edition that have not transitioned are no longer valid.
| Dimension | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Annex A controls | 114 | 93 |
| Annex A structure | 14 domains (A.5 to A.18) | 4 themes (Organizational, People, Physical, Technological) |
| New controls | n/a | 11 new controls including threat intelligence, cloud security, secure coding, data masking, web filtering |
| Clause structure | Clauses 4 to 10 | Clauses 4 to 10 (unchanged) |
| Harmonized Structure | Annex SL | Annex SL (2022 alignment) |
| Current status | Superseded; transition deadline 31 October 2025 | Current edition |
ISO 27001 is the backbone of most GRC programs because its controls map to virtually every adjacent framework. Organizations running ISO 27001 alongside SOC 2, NIS2, GDPR, or ISO 42001 do not need to rebuild controls for each framework. They map once and reuse. The table below shows selected control areas and their counterparts in each framework.
This is the practical argument for ISO 27001 as the first certification: it creates the control infrastructure every subsequent framework reuses. Acuna's cross-framework mapping engine manages these relationships automatically, so a team already running NIS2, GDPR, or SOC 2 extends into ISO 27001 without duplicating work.
| ISO 27001:2022 control area | SOC 2 TSC | NIS2 Art. 21 | ISO 42001 | GDPR |
|---|---|---|---|---|
| Risk assessment (Clause 6.1) | CC3.1 to CC3.4 | Art. 21(a) | Clause 6.1 | Art. 35 (DPIA) |
| Access control (5.15 to 5.18) | CC6.1, CC6.2, CC6.3 | Art. 21(i), (j) | A.6.2 | Art. 32(1)(b) |
| Incident management (5.24 to 5.27) | CC7.3, CC7.4, CC7.5 | Art. 21(b); Art. 23 | A.6.2 | Art. 33 to 34 |
| Supplier security (5.19 to 5.22) | CC9.2 | Art. 21(d) | A.10 | Art. 28 (processors) |
| Business continuity (5.29, 5.30, 8.14) | A1.1 to A1.3 | Art. 21(c) | n/a | Art. 32 |
| Cryptography (8.24) | CC6.7 | Art. 21(h) | A.7 | Art. 32(1)(a) |
| Vulnerability management (8.8) | CC7.1 | Art. 21(e) | n/a | Art. 32 |
| Logging and monitoring (8.15 to 8.17) | CC7.1, CC7.2 | Art. 21 | Clause 9 | Art. 32 |
| Awareness and training (6.3) | CC1.4, CC2.2 | Art. 21(g) | Clause 7.2 | n/a |
| Asset management (5.9 to 5.14) | CC6.1 | Art. 21(i) | A.7 | Art. 5 (principles) |
Acuna lets you run ISO 27001 alongside your other frameworks rather than as an isolated project. It builds and scopes the ISMS, conducts risk assessments, generates and version-controls the Statement of Applicability, maps all 93 Annex A controls to owners and evidence, and keeps the ISMS current for annual surveillance. The five Annex A A.5.19–A.5.23 supplier-security controls are operationalised through supplier relationship management: vendor assessments, continuous security grading, and the evidence trail Article 28 DPA workflows need. Annex A A.5.15–A.5.18 access control requirements map to access management: role-based permissions, access review workflows, and the provisioning and de-provisioning record an auditor expects to sample. Cross-framework mapping is automatic: teams already running NIS2, GDPR, or SOC 2 reuse existing controls rather than rebuilding them from scratch. See how Acuna maps ISO 27001.
EXPLORE
What the SoA is, how to build it, and the most common Stage 1 failures.
How they differ, when you need both, and how the controls overlap.
What to budget, who to engage, and how long Stage 1 and Stage 2 take.
All 93 controls across 4 themes, with auditor notes on what is sampled.
Stage 1, Stage 2, surveillance, and the most common nonconformities.
Applicability, scoping decisions, and how to decide whether to certify.
A phase-by-phase implementation guide from gap analysis to certificate.
A downloadable checklist from ISMS foundation to Stage 2 audit.
How ISO 27001 controls map to every adjacent framework Acuna supports.
How Acuna maps and runs ISO 27001 alongside your other frameworks.
Related answers
ISO 27001 is the international standard for information security management systems (ISMS). Published by ISO/IEC, it defines requirements for establishing, implementing, maintaining, and continually improving an ISMS. The 2022 revision includes 93 controls across four themes: organisational, people, physical, and technological. Certification requires an accredited external audit demonstrating that the ISMS meets all clause requirements and that selected Annex A controls are implemented and effective. Acuna supports the full ISO 27001 lifecycle from scoping through audit preparation.
GRC (Governance, Risk, and Compliance) is a broad management discipline covering how an organisation directs strategy, manages risk, and meets regulatory obligations across all domains. An ISMS (Information Security Management System) is a specific implementation of governance and risk management focused on information security, typically conforming to ISO 27001. An ISMS is one component within a wider GRC programme. Acuna is a GRC platform that supports ISMS management as one of its use cases alongside privacy, business continuity, supplier risk, and enterprise risk management.
The Statement of Applicability (SoA) is a mandatory document in ISO 27001 that lists all Annex A controls, states whether each is applicable or not applicable to the organisation's ISMS scope, provides justification for exclusions, and references the implementation status of each applicable control. The SoA is a key audit artefact — auditors use it to verify that control selection is risk-based and that excluded controls have documented rationale. In Acuna, the SoA is managed directly in the Comply pane with applicability markings and justification fields per control.
SOC 2 and ISO 27001 both address information security controls, but they are architecturally different. ISO 27001 produces a certificate: issued by an accredited certification body, three-year validity, globally recognized, and publicly verifiable. SOC 2 produces an attestation report: issued by a licensed CPA firm, privately distributed, renewed annually, and standard in US enterprise markets. ISO 27001 requires a formal Information Security Management System (ISMS) with documented scope, risk assessment, and a Statement of Applicability for 93 Annex A controls. SOC 2 is organized around the AICPA Trust Services Criteria — Security (CC) is mandatory, the other four categories are optional. The control overlap is significant: CC6 (logical access controls) maps closely to ISO 27001 A.5.15–A.5.18; CC9.2 (vendor monitoring) maps to A.5.19–A.5.23; CC7 (operations) maps to ISO 27001 A.8.x controls. Organizations running both frameworks map once and reuse evidence across both rather than maintaining parallel control sets. The choice depends on where your buyers are. ISO 27001 is the expectation in EU enterprise and global markets. SOC 2 is the US market standard and is frequently required by US enterprise procurement before a contract is signed. Many organizations operating across both markets pursue both.
In Comply, each requirement can be marked Applicable or Not Applicable with a mandatory justification field. For ISO 27001, this produces the Statement of Applicability (SoA). Applicability decisions propagate downstream: when a requirement is marked not applicable, its linked measures and controls are excluded from coverage calculations. Auditors can filter the requirement list by applicability status and export the SoA as a versioned artefact. Changing applicability after initial marking is tracked in the audit trail with the user, timestamp, and reason for change.
GET STARTED
Book a 30-minute demo scoped to your ISO 27001 program and the other frameworks you run alongside it.