ISO / IEC · Global

ISO/IEC 27001

The international standard for an Information Security Management System (ISMS).

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS): a risk-based system of governance, processes and controls for protecting information. The current version is ISO/IEC 27001:2022. This guide explains the management-system clauses, the Annex A controls and the certification journey; it does not reproduce the copyrighted text of the standard itself.

How ISO 27001 is structured

ISO 27001 has two parts: the management-system requirements (Clauses 4–10), which are mandatory, and Annex A, a reference set of controls you select from based on your risk assessment.

Clause | Requirement | What it means
------ | ----------- | -------------
4 Context | Understand the organisation and define ISMS scope | Interested parties, internal/external issues, scope boundaries
5 Leadership | Leadership, policy and roles | Top-management commitment, information security policy, responsibilities
6 Planning | Risk assessment, risk treatment, objectives | Risk methodology, treatment plan, Statement of Applicability, security objectives
7 Support | Resources, competence, awareness, documentation | People, training, communication, documented information control
8 Operation | Operate the ISMS and treat risk | Execute the risk treatment plan; operational control
9 Performance evaluation | Monitor, internal audit, management review | Metrics, internal audit programme, management review
10 Improvement | Nonconformity and continual improvement | Corrective actions and ongoing improvement

Annex A controls (2022): 4 themes, 93 controls

The 2022 revision reorganised Annex A from 114 controls in 14 domains into 93 controls across 4 themes, and introduced 11 new controls. Each control is tagged with five attribute types (control type, information security properties, cybersecurity concepts, operational capabilities and security domains) so the set can be filtered and mapped to other frameworks.

Theme (Annex A) | Controls | Examples
--------------- | -------- | --------
A.5 Organisational | 37 | Policies, roles, threat intelligence, supplier & cloud security, incident management
A.6 People | 8 | Screening, awareness, disciplinary process, remote working, confidentiality
A.7 Physical | 14 | Secure areas, equipment, media, clear desk, physical monitoring
A.8 Technological | 34 | Access control, cryptography, secure development, logging, malware, data leakage prevention

New controls introduced in 2022

  • Threat intelligence; information security for use of cloud services; ICT readiness for business continuity.
  • Physical security monitoring; configuration management; information deletion; data masking; data leakage prevention.
  • Monitoring activities; web filtering; secure coding.

Risk assessment and the Statement of Applicability

  1. Define a repeatable risk-assessment methodology (criteria for likelihood and impact).
  2. Identify risks to the confidentiality, integrity and availability of information in scope.
  3. Analyse and evaluate risks against your acceptance criteria.
  4. Decide treatment for each risk: mitigate, transfer, accept or avoid (ISO/IEC 27005 calls these modify, share, retain and avoid). Accepting a risk above your acceptance criteria needs explicit sign-off by the risk owner.
  5. Select Annex A controls (and any additional controls) to treat the risks.
  6. Document the Statement of Applicability (SoA): which controls apply, justification, and implementation status — the central artefact auditors scrutinise.
  7. Produce the Risk Treatment Plan with owners and timelines.
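The seven steps above are only useful if the register, the treatment decisions and the SoA stay consistent with each other, which is exactly what an auditor checks and what the "common nonconformities" listed later on this page describe. The following is an added example, not ISO text or any certification body's tooling: a small risk register and a separately drafted SoA, plus the linkage checks that flag a risk accepted above tolerance, a treatment that cites a control id that does not exist, a control declared applicable with no risk behind it, a control excluded although a risk relies on it, and a control marked implemented with no evidence reference. The Annex A numbers and titles are the public 2022 identifiers; the risks, scores, acceptance threshold and evidence file names are constructed sample data.

```python
"""Risk register to Statement of Applicability linkage check.

Added example for this page; not ISO text or any certification body's tooling.
Control ids and titles are public Annex A (2022) identifiers; risks, scores,
the acceptance threshold and evidence references are constructed sample data.
"""
from dataclasses import dataclass, field

# 5x5 likelihood x impact scoring. The threshold is an assumed value that a
# real methodology would fix in its risk acceptance criteria.
ACCEPTANCE_THRESHOLD = 6

# Subset of Annex A (2022) used for the SoA rows.
ANNEX_A = {
    "A.5.7": "Threat intelligence",
    "A.5.23": "Information security for use of cloud services",
    "A.8.5": "Secure authentication",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.12": "Data leakage prevention",
    "A.8.13": "Information backup",
    "A.8.28": "Secure coding",
}


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int            # 1..5
    impact: int                # 1..5
    treatment: str             # mitigate | transfer | accept | avoid
    controls: list = field(default_factory=list)  # Annex A ids selected to treat it
    owner: str = ""

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class SoaRow:
    control: str
    applicable: bool
    status: str                # implemented | planned | not applicable
    evidence: str = ""         # pointer to a record: ticket, report, log export


# Constructed sample register. R-05 cites a control id that does not exist;
# R-06 is accepted although its score is above the threshold.
RISKS = [
    Risk("R-01", "Customer DB", "Credential stuffing on admin portal", 4, 5, "mitigate", ["A.8.5"], "Head of Eng"),
    Risk("R-02", "Prod servers", "Exploitation of unpatched service", 3, 4, "mitigate", ["A.8.8"], "SRE lead"),
    Risk("R-03", "SaaS CRM", "Tenant misconfiguration exposes records", 3, 4, "transfer", ["A.5.23"], "IT manager"),
    Risk("R-04", "Office printers", "Uncollected printouts", 2, 2, "accept", [], "Office manager"),
    Risk("R-05", "Source repos", "Secrets committed to git", 4, 3, "mitigate", ["A.8.12", "A.8.28", "A.8.99"], "Head of Eng"),
    Risk("R-06", "Staff laptops", "Theft of unencrypted laptop", 3, 3, "accept", [], ""),
]

# Constructed SoA as someone drafted it, independently of the register.
SOA = [
    SoaRow("A.5.7", True, "planned"),
    SoaRow("A.5.23", True, "implemented", "vendor-review-CRM-2024Q4.pdf"),
    SoaRow("A.8.5", True, "implemented"),
    SoaRow("A.8.8", True, "implemented", "patch-report-2025-03.csv"),
    SoaRow("A.8.12", False, "not applicable"),
    SoaRow("A.8.13", False, "not applicable"),
    SoaRow("A.8.28", True, "implemented", "ci-sast-pipeline.yml"),
]


def controls_linked_to_risks(risks):
    """Map control id -> ids of risks whose treatment selects it (accepted risks select nothing)."""
    linked = {}
    for r in risks:
        if r.treatment == "accept":
            continue
        for c in r.controls:
            linked.setdefault(c, []).append(r.rid)
    return linked


def check_register(risks, catalogue=ANNEX_A, threshold=ACCEPTANCE_THRESHOLD):
    """Findings on the register itself: acceptance above tolerance, empty treatments, bad references."""
    findings = []
    for r in risks:
        if r.treatment == "accept" and r.score > threshold:
            findings.append(f"{r.rid}: score {r.score} is above acceptance threshold {threshold} but treatment is 'accept'")
        if r.treatment in ("mitigate", "transfer") and not r.controls:
            findings.append(f"{r.rid}: treatment '{r.treatment}' selects no controls")
        if r.treatment != "accept" and not r.owner:
            findings.append(f"{r.rid}: treated risk has no owner")
        for c in r.controls:
            if c not in catalogue:
                findings.append(f"{r.rid}: references unknown control {c}")
    return findings


def check_soa(soa, risks):
    """Findings on the SoA: applicability and status must trace back to risks and to evidence."""
    linked = controls_linked_to_risks(risks)
    findings = []
    for row in soa:
        rids = linked.get(row.control, [])
        if row.applicable and not rids:
            findings.append(f"{row.control}: applicable but no risk selects it; record a non-risk justification (legal, contractual, baseline)")
        if not row.applicable and rids:
            findings.append(f"{row.control}: excluded from SoA although {', '.join(rids)} rely on it")
        if row.applicable and row.status == "implemented" and not row.evidence:
            findings.append(f"{row.control}: marked implemented with no evidence reference")
    return findings


def run_checks(risks=RISKS, soa=SOA):
    return check_register(risks) + check_soa(soa, risks)


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

Run on the sample data it reports five findings: R-06 accepted above threshold, R-05 citing the non-existent A.8.99, A.5.7 applicable with no risk behind it, A.8.12 excluded while R-05 relies on it, and A.8.5 implemented with no evidence. The A.5.7 finding is deliberately a prompt rather than an error: a control can be included for legal, contractual or baseline reasons, but the SoA must then say so, because "applicable" with no stated reason is what reads to an auditor as a risk assessment not linked to control selection.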

The certification journey

Stage | What happens
----- | ------------
Gap assessment (optional) | Baseline current state against the standard; plan remediation
Implementation | Build the ISMS: policies, risk assessment, controls, records
Internal audit | Independent internal check of the ISMS against the standard (mandatory)
Management review | Leadership reviews ISMS performance and decides improvements (mandatory)
Stage 1 audit | Certification body reviews documentation and readiness
Stage 2 audit | Certification body tests that controls operate effectively
Certification | Certificate issued (valid 3 years) after any nonconformities are closed
Surveillance & recertification | Annual surveillance audits; full recertification at 3 years

Implementation roadmap (typical 3–6 months)

  1. Month 1: secure leadership commitment; define scope and the ISMS policy.
  2. Month 1–2: risk assessment methodology and first risk assessment.
  3. Month 2–3: risk treatment plan, control selection and SoA.
  4. Month 2–4: implement policies, processes and technical controls; run awareness training.
  5. Month 4–5: operate the ISMS and collect records (access reviews, incidents, changes).
  6. Month 5: internal audit and management review; close gaps.
  7. Month 5–6: Stage 1 and Stage 2 certification audits; certificate issued.

Readiness checklist

  • ISMS scope and boundaries are documented and justified.
  • Information security policy is approved by top management.
  • A risk-assessment methodology exists and a risk assessment is complete.
  • A Risk Treatment Plan and Statement of Applicability are approved.
  • Annex A controls are implemented and evidenced (not just documented).
  • Core policies exist: access control, cryptography, supplier security, incident response, secure development, acceptable use.
  • Access reviews, logging, backups and vulnerability management are operating.
  • Security objectives and metrics are defined and measured.
  • An internal audit and a management review have been completed.
  • Corrective actions are tracked to closure.

Evidence auditors expect

  • ISMS scope, policy, risk methodology, risk assessment and SoA.
  • Risk Treatment Plan with owners and status.
  • Records of operating controls: access reviews, change approvals, backups, patching, vulnerability scans, incidents.
  • Awareness-training completion and supplier assessments.
  • Internal audit reports, management-review minutes and corrective-action records.
  • Metrics/KPIs against security objectives.

Common nonconformities

  • A polished SoA with no evidence the controls actually operate.
  • Risk assessment not linked to control selection.
  • Internal audit or management review missing or superficial.
  • Corrective actions raised but not closed.
  • Cloud-services control (A.5.23, new in 2022) and supplier security controls not addressed, or addressed only on paper without vendor assessments.
  • Scope drawn too broadly, making the ISMS hard to sustain.

ISO 27001 mapped to other frameworks

Framework | Relationship
--------- | ------------
SOC 2 | Heavy control overlap; ISO certifies a management system, SOC 2 is an attestation report
NIST CSF | Complementary; controls map closely, work is reusable
PCI DSS | ISO provides the governance layer; PCI is prescriptive for card data
COBIT | COBIT governs security alignment and accountability above the ISMS
ISO 27701 | Privacy extension (PIMS) built on top of ISO 27001

How CyberSigma helps
We guide organisations end to end — scoping, risk assessment, control implementation, internal audit and certification-audit support — so you reach ISO 27001:2022 certification without false starts, and sustain it through surveillance audits.

Frequently asked questions

What changed in ISO 27001:2022?
Annex A was restructured into four themes with 93 controls (including new ones such as threat intelligence and secure coding). Organisations certified to the 2013 version had to transition to the 2022 version by 31 October 2025, when 2013 certificates ceased to be valid.
How long does ISO 27001 take?
Typically 3–6 months to first certification for a mid-sized organisation, driven by scope and how mature your controls already are.
Is ISO 27001 mandatory?
It is voluntary, but often contractually required by enterprise customers and a strong differentiator in sales.

Need help with ISO 27001?

Our CERT-In empanelled, PCI QSA senior auditors can take you from first reading to certification with a scoped, guided programme.