ISO 27001: the standard for information security.

ISO/IEC 27001:2022

Direct answer

ISO/IEC 27001:2022 is the international standard for an information security management system (ISMS). It gives organizations a risk-based framework, ten clauses and 93 Annex A controls across four themes, to govern the confidentiality, integrity, and availability of information. Accredited third-party bodies certify it. Certificates run three years with annual surveillance.

What ISO 27001 is

ISO/IEC 27001:2022 is the leading international standard for managing information security. It specifies the requirements for an Information Security Management System (ISMS): the combination of policies, procedures, processes, and controls an organization uses to protect its information assets. It is built on the same Annex SL Harmonized Structure as ISO 9001 and ISO 42001, which means clauses 4 through 10 follow an identical architecture across all three standards, making management-system integration straightforward.

It is certifiable by accredited third-party bodies, so an organization's security posture can be independently verified rather than self-attested. The standard does not prescribe a single security architecture. Instead, it requires that an organization identify its risks, select the controls appropriate to those risks, implement them, and improve continuously. The output is an ISMS sized to the organization's actual risk profile, not a generic checklist.

Who needs ISO 27001

ISO 27001 is not legally mandatory in most jurisdictions. Organizations pursue certification because customers, regulators, or the market require it. Common drivers:

  • Enterprise procurement: large customers in the EU, UK, and globally increasingly require ISO 27001 as a vendor security condition for any system handling sensitive data.
  • Regulated sectors: financial services, healthcare, critical infrastructure, and government suppliers face regulatory expectations that ISO 27001 satisfies or supports.
  • NIS2 compliance: entities in scope for the EU NIS2 Directive can use an ISO 27001 ISMS as a structured foundation for the Article 21 security measures. The frameworks cross-map closely.
  • GDPR Article 32: an ISMS evidences the "appropriate technical and organizational measures" GDPR requires. ISO 27001 is a recognized way to demonstrate this.
  • Global market access: organizations targeting US enterprise buyers may need both ISO 27001 and SOC 2. See the comparison section below.
  • Internal governance: organizations without a security framework use certification as the forcing function to build one.

There is no minimum organization size. Sole traders can certify, and multinationals do. Scope can be limited to a specific product, service line, or geography, which is how smaller organizations keep the certification tractable.

The ten clauses

ISO 27001 has ten clauses. Clauses 1 to 3 set scope, normative references, and terms. Clauses 4 to 10 are the auditable requirements; they follow the same Harmonized Structure as ISO 9001 and ISO 42001, which is what allows organizations to integrate multiple management systems without duplicating policies, risk processes, or internal audits. The information-security-specific demands concentrate in Clause 6 (risk assessment, risk treatment, and the Statement of Applicability) and Clause 8 (operating the ISMS and executing the risk treatment plan).

ISO 27001 clause summary
ClauseTitleRequirement in one line
4Context of the organizationIdentify internal and external issues, interested parties, and define the ISMS scope.
5LeadershipTop-management commitment, an information security policy, and assigned roles.
6PlanningRisk assessment, risk treatment plan, Statement of Applicability, and information security objectives.
7SupportResources, competence, awareness, communication, and documented information.
8OperationExecute the risk treatment plan and Annex A controls; maintain operational procedures.
9Performance evaluationMonitoring, measurement, internal audit, and management review.
10ImprovementNonconformity, corrective action, and continual improvement.

Annex A: 93 controls across 4 themes

Annex A in the 2022 edition organizes 93 controls into 4 themes: Organizational (37 controls), People (8), Physical (14), and Technological (34). The controls are a reference set, not a mandatory checklist. The process is: identify your risks, determine which controls would treat those risks, include them in the Statement of Applicability with justification, and exclude the others with a documented reason. An exclusion is not a nonconformity; an unjustified exclusion is.

The 2022 restructuring introduced 11 new controls not present in the 2013 edition: threat intelligence (5.7), information security for use of cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23), and secure coding (8.28).

The full control-by-control breakdown is on the Annex A controls spoke.

ISO 27001:2022 Annex A themes
ThemeControlsCoverage
Organizational (5.x)37Policies, roles, responsibilities, threat intelligence, asset management, supplier security, incident management, business continuity, compliance.
People (6.x)8Screening, employment terms, awareness, training, disciplinary process, post-employment, remote working, confidentiality agreements.
Physical (7.x)14Physical perimeters, entry controls, office and facility security, equipment protection, clear desk and screen, physical media handling.
Technological (8.x)34Endpoints, access control, cryptography, vulnerability management, configuration, logging, monitoring, web filtering, secure development, cloud security.
Total93

The Statement of Applicability

The Statement of Applicability (SoA) is the mandatory document at the heart of ISO 27001. Clause 6.1.3 requires it. It lists all 93 Annex A controls and for each states:

  • Whether the control is applicable or excluded.
  • The justification for the decision (risk treatment result, legal requirement, contractual obligation, or explicit exclusion rationale).
  • A cross-reference to where the control is implemented (policy, procedure, system, or record).
  • For excluded controls: a documented rationale confirming the risk has been treated another way or does not apply to the scope.

The SoA is the primary document a Stage 1 auditor reviews before the on-site audit. Common failures: excluding controls without documented risk justification, listing controls as applicable without evidence of implementation, and failing to update the SoA when scope or risks change.

A well-built SoA is not a one-time document. It should be version-controlled, reviewed as part of the annual management review, and updated whenever new risks are identified, scope changes, or control applicability changes. Auditors will look for version history and sign-off dates.

How to get ISO 27001 certified

Certification is awarded by an accredited third-party certification body after a two-stage audit. Stage 1 reviews documentation and ISMS readiness; Stage 2 tests the system in operation. Auditors sample evidence, interview staff, and assess whether the controls in the SoA are actually operating.

Certificates are valid for three years. Annual surveillance audits confirm continued conformity. A recertification audit occurs in year three. For accreditation, look for bodies accredited by UKAS (UK), ANAB or A2LA (US), DAkkS (Germany), COFRAC (France), or SAS (Switzerland). ISO itself does not certify organizations.

Most organizations take three to twelve months from gap analysis to certificate, depending on ISMS maturity, scope, and available resources.

ISO 27001 certification timeline
StageTypical durationWhat happens
Gap analysis2 to 4 weeksAssess current state against clauses 4 to 10 and all 93 Annex A controls.
ISMS implementation2 to 6 monthsBuild or close gaps: scope, risk assessment, SoA, policies, controls, and evidence.
Internal audit2 to 4 weeksIndependent internal review covers all clauses; findings addressed before Stage 1.
Management review1 to 2 weeksTop management reviews ISMS performance and approves for certification audit.
Stage 1 audit1 to 2 daysCertification body reviews documentation, SoA, and ISMS readiness.
Stage 1 remediation2 to 4 weeksAddress any findings raised before proceeding to Stage 2.
Stage 2 audit2 to 5+ daysControls sampled, staff interviewed, evidence reviewed against the SoA.
Certificate issued1 to 4 weeksValid 3 years once major nonconformities are closed.
Surveillance (years 1 and 2)1 to 3 days per yearConfirm continued conformity; partial scope reviewed each surveillance cycle.
Recertification (year 3)Full auditFull certification audit cycle repeats.

TRAIN TO CERTIFYAbilene Academy is the only PECB Titanium Partner in Switzerland, the highest accreditation tier in the industry, delivering certified ISO 27001 Lead Implementer and Lead Auditor training in classroom, online, and self-study formats. Also covers ISO 27005 risk management. Multilingual programmes in EN, FR, ES, DE, IT and more. 99% Exam pass rate · 2,500+ Professionals trained · 120+ Countries reached · Titanium Only PECB Titanium Partner in Switzerland.

ISO 27001 training courses

ISO 27001 certification cost

Certification costs depend on organization size, scope, and number of sites. The figures below are indicative estimates based on publicly available data. Swiss and EU pricing may differ from US figures. Request formal quotes from two or three accredited bodies before budgeting.

Costs fall into two categories: certification body fees (what you pay the auditor) and implementation effort (internal time, consultant fees, and tooling). Both are real, and most programs underestimate implementation effort. A GRC platform that maps ISO 27001 alongside existing frameworks reduces implementation cost significantly.

ISO 27001 certification cost estimates (indicative only; public data varies)
Organization sizeCert body fees (year 1)Implementation effortAnnual surveillance
Small (50 to 200 employees)USD 15,000 to 30,000USD 30,000 to 100,000USD 8,000 to 15,000
Mid (200 to 1,000 employees)USD 25,000 to 60,000USD 80,000 to 250,000USD 12,000 to 25,000
Large (1,000+ employees)USD 50,000+USD 200,000+USD 20,000+

ISO 27001 vs SOC 2

ISO 27001 and SOC 2 both address information security, but they are architecturally different. ISO 27001 is a management system standard that produces a certificate; SOC 2 is an attestation framework that produces an audit report. Many organizations operating in EU and US markets pursue both. See the full ISO 27001 vs SOC 2 comparison.

ISO 27001 vs SOC 2
DimensionISO/IEC 27001:2022SOC 2
PurposeISMS certificationService organization controls attestation
OutputCertificate (3-year validity)Type I (point-in-time) or Type II (period) report
Standard bodyISO and IECAICPA
GeographyGlobalPrimarily US; required by US enterprise customers globally
Audit modelAccredited certification body (e.g. UKAS, ANAB)Licensed CPA firm
Framework10 clauses and 93 Annex A controls5 Trust Services Criteria (Security mandatory; 4 optional)
ScopeISMS (policies, risks, controls, improvement)Selected TSC categories and in-scope systems
Audit cadenceStage 1 and 2 then annual surveillanceAnnual (Type II: 6 to 12 month observation period)
Who demands itEU procurement, regulated industries, global B2BUS enterprise customers, US SaaS buyers
Control overlapSignificant overlap with SOC 2 CC controlsSignificant overlap with ISO 27001 Annex A

What changed from 2013 to 2022

ISO/IEC 27001:2022 was published in October 2022. The clause structure (4 to 10) is unchanged; the major change was to Annex A. The 2013 edition had 114 controls across 14 domains. The 2022 edition restructured these into 93 controls across 4 themes, merging, renaming, and reorganizing existing controls and adding 11 new ones.

The transition deadline for organizations certified to the 2013 edition was 31 October 2025. Certificates issued under the 2013 edition that have not transitioned are no longer valid.

ISO 27001: 2013 edition vs 2022 edition
DimensionISO 27001:2013ISO 27001:2022
Annex A controls11493
Annex A structure14 domains (A.5 to A.18)4 themes (Organizational, People, Physical, Technological)
New controlsn/a11 new controls including threat intelligence, cloud security, secure coding, data masking, web filtering
Clause structureClauses 4 to 10Clauses 4 to 10 (unchanged)
Harmonized StructureAnnex SLAnnex SL (2022 alignment)
Current statusSuperseded; transition deadline 31 October 2025Current edition

How ISO 27001 maps to SOC 2, NIS2, ISO 42001, and GDPR

ISO 27001 is the backbone of most GRC programs because its controls map to virtually every adjacent framework. Organizations running ISO 27001 alongside SOC 2, NIS2, GDPR, or ISO 42001 do not need to rebuild controls for each framework. They map once and reuse. The table below shows selected control areas and their counterparts in each framework.

This is the practical argument for ISO 27001 as the first certification: it creates the control infrastructure every subsequent framework reuses. Acuna's cross-framework mapping engine manages these relationships automatically, so a team already running NIS2, GDPR, or SOC 2 extends into ISO 27001 without duplicating work.

ISO 27001 cross-framework control mapping (selected areas)
ISO 27001:2022 control areaSOC 2 TSCNIS2 Art. 21ISO 42001GDPR
Risk assessment (Clause 6.1)CC3.1 to CC3.4Art. 21(a)Clause 6.1Art. 35 (DPIA)
Access control (5.15 to 5.18)CC6.1, CC6.2, CC6.3Art. 21(i), (j)A.6.2Art. 32(1)(b)
Incident management (5.24 to 5.27)CC7.3, CC7.4, CC7.5Art. 21(b); Art. 23A.6.2Art. 33 to 34
Supplier security (5.19 to 5.22)CC9.2Art. 21(d)A.10Art. 28 (processors)
Business continuity (5.29, 5.30, 8.14)A1.1 to A1.3Art. 21(c)n/aArt. 32
Cryptography (8.24)CC6.7Art. 21(h)A.7Art. 32(1)(a)
Vulnerability management (8.8)CC7.1Art. 21(e)n/aArt. 32
Logging and monitoring (8.15 to 8.17)CC7.1, CC7.2Art. 21Clause 9Art. 32
Awareness and training (6.3)CC1.4, CC2.2Art. 21(g)Clause 7.2n/a
Asset management (5.9 to 5.14)CC6.1Art. 21(i)A.7Art. 5 (principles)

Running ISO 27001 in Acuna

Acuna lets you run ISO 27001 alongside your other frameworks rather than as an isolated project. It builds and scopes the ISMS, conducts risk assessments, generates and version-controls the Statement of Applicability, maps all 93 Annex A controls to owners and evidence, and keeps the ISMS current for annual surveillance. The five Annex A A.5.19–A.5.23 supplier-security controls are operationalised through supplier relationship management: vendor assessments, continuous security grading, and the evidence trail Article 28 DPA workflows need. Annex A A.5.15–A.5.18 access control requirements map to access management: role-based permissions, access review workflows, and the provisioning and de-provisioning record an auditor expects to sample. Cross-framework mapping is automatic: teams already running NIS2, GDPR, or SOC 2 reuse existing controls rather than rebuilding them from scratch. See how Acuna maps ISO 27001.

EXPLORE

ISO 27001

Statement of ApplicabilityComing soon

What the SoA is, how to build it, and the most common Stage 1 failures.

ISO 27001 vs SOC 2Coming soon

How they differ, when you need both, and how the controls overlap.

Certification cost and timelineComing soon

What to budget, who to engage, and how long Stage 1 and Stage 2 take.

The 93 Annex A controls explainedComing soon

All 93 controls across 4 themes, with auditor notes on what is sampled.

ISO 27001 audit: what to expectComing soon

Stage 1, Stage 2, surveillance, and the most common nonconformities.

Who needs ISO 27001 certificationComing soon

Applicability, scoping decisions, and how to decide whether to certify.

How to implement ISO 27001Coming soon

A phase-by-phase implementation guide from gap analysis to certificate.

ISO 27001 readiness checklistComing soon

A downloadable checklist from ISMS foundation to Stage 2 audit.

Cross-framework mapping: ISO 27001 to SOC 2, NIS2, GDPR, ISO 42001Coming soon

How ISO 27001 controls map to every adjacent framework Acuna supports.

ISO 27001 solutionSOLUTION

How Acuna maps and runs ISO 27001 alongside your other frameworks.

ISO 27001: common questions.

Related answers

Questions practitioners ask.

What is ISO 27001?

ISO 27001 is the international standard for information security management systems (ISMS). Published by ISO/IEC, it defines requirements for establishing, implementing, maintaining, and continually improving an ISMS. The 2022 revision includes 93 controls across four themes: organisational, people, physical, and technological. Certification requires an accredited external audit demonstrating that the ISMS meets all clause requirements and that selected Annex A controls are implemented and effective. Acuna supports the full ISO 27001 lifecycle from scoping through audit preparation.

What is the difference between GRC and ISMS?

GRC (Governance, Risk, and Compliance) is a broad management discipline covering how an organisation directs strategy, manages risk, and meets regulatory obligations across all domains. An ISMS (Information Security Management System) is a specific implementation of governance and risk management focused on information security, typically conforming to ISO 27001. An ISMS is one component within a wider GRC programme. Acuna is a GRC platform that supports ISMS management as one of its use cases alongside privacy, business continuity, supplier risk, and enterprise risk management.

What is a Statement of Applicability in ISO 27001?

The Statement of Applicability (SoA) is a mandatory document in ISO 27001 that lists all Annex A controls, states whether each is applicable or not applicable to the organisation's ISMS scope, provides justification for exclusions, and references the implementation status of each applicable control. The SoA is a key audit artefact — auditors use it to verify that control selection is risk-based and that excluded controls have documented rationale. In Acuna, the SoA is managed directly in the Comply pane with applicability markings and justification fields per control.

SOC 2 vs ISO 27001: what is the difference?

SOC 2 and ISO 27001 both address information security controls, but they are architecturally different. ISO 27001 produces a certificate: issued by an accredited certification body, three-year validity, globally recognized, and publicly verifiable. SOC 2 produces an attestation report: issued by a licensed CPA firm, privately distributed, renewed annually, and standard in US enterprise markets. ISO 27001 requires a formal Information Security Management System (ISMS) with documented scope, risk assessment, and a Statement of Applicability for 93 Annex A controls. SOC 2 is organized around the AICPA Trust Services Criteria — Security (CC) is mandatory, the other four categories are optional. The control overlap is significant: CC6 (logical access controls) maps closely to ISO 27001 A.5.15–A.5.18; CC9.2 (vendor monitoring) maps to A.5.19–A.5.23; CC7 (operations) maps to ISO 27001 A.8.x controls. Organizations running both frameworks map once and reuse evidence across both rather than maintaining parallel control sets. The choice depends on where your buyers are. ISO 27001 is the expectation in EU enterprise and global markets. SOC 2 is the US market standard and is frequently required by US enterprise procurement before a contract is signed. Many organizations operating across both markets pursue both.

How does applicability marking work for framework requirements?

In Comply, each requirement can be marked Applicable or Not Applicable with a mandatory justification field. For ISO 27001, this produces the Statement of Applicability (SoA). Applicability decisions propagate downstream: when a requirement is marked not applicable, its linked measures and controls are excluded from coverage calculations. Auditors can filter the requirement list by applicability status and export the SoA as a versioned artefact. Changing applicability after initial marking is tracked in the audit trail with the user, timestamp, and reason for change.

GET STARTED

See how Acuna runs ISO 27001.

Book a 30-minute demo scoped to your ISO 27001 program and the other frameworks you run alongside it.

Request a demoISO 27001 solution
Built for:CISOsCompliance LeadersMSSPs