ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS) — a risk-based system of governance, processes and controls for protecting information. The current version is ISO/IEC 27001:2022. This guide explains the management-system clauses, the Annex A controls and the certification journey; it does not reproduce the ISO copyrighted standard text.
How ISO 27001 is structured
ISO 27001 has two parts: the management-system requirements (Clauses 4–10), which are mandatory, and Annex A, a reference set of controls you select from based on your risk assessment.
| Clause | Requirement | What it means |
|---|---|---|
| 4 Context | Understand the organisation and define ISMS scope | Interested parties, internal/external issues, scope boundaries |
| 5 Leadership | Leadership, policy and roles | Top-management commitment, information security policy, responsibilities |
| 6 Planning | Risk assessment, risk treatment, objectives | Risk methodology, treatment plan, Statement of Applicability, security objectives |
| 7 Support | Resources, competence, awareness, documentation | People, training, communication, documented information control |
| 8 Operation | Operate the ISMS and treat risk | Execute the risk treatment plan; operational control |
| 9 Performance evaluation | Monitor, internal audit, management review | Metrics, internal audit programme, management review |
| 10 Improvement | Nonconformity and continual improvement | Corrective actions and ongoing improvement |
Annex A controls (2022): 4 themes, 93 controls
The 2022 revision reorganised Annex A from 114 controls in 14 domains into 93 controls across 4 themes, and introduced 11 new controls. Each control is tagged with attributes (e.g., control type, security property).
| Theme (Annex A) | Controls | Examples |
|---|---|---|
| A.5 Organisational | 37 | Policies, roles, threat intelligence, supplier & cloud security, incident management |
| A.6 People | 8 | Screening, awareness, disciplinary process, remote working, confidentiality |
| A.7 Physical | 14 | Secure areas, equipment, media, clear desk, physical monitoring |
| A.8 Technological | 34 | Access control, cryptography, secure development, logging, malware, data leakage prevention |
New controls introduced in 2022
- Threat intelligence; information security for use of cloud services; ICT readiness for business continuity.
- Physical security monitoring; configuration management; information deletion; data masking; data leakage prevention.
- Monitoring activities; web filtering; secure coding.
Risk assessment and the Statement of Applicability
- Define a repeatable risk-assessment methodology (criteria for likelihood and impact).
- Identify risks to the confidentiality, integrity and availability of information in scope.
- Analyse and evaluate risks against your acceptance criteria.
- Decide treatment for each risk: mitigate, transfer, accept or avoid.
- Select Annex A controls (and any additional controls) to treat the risks.
- Document the Statement of Applicability (SoA): which controls apply, justification, and implementation status — the central artefact auditors scrutinise.
- Produce the Risk Treatment Plan with owners and timelines.
The certification journey
| Stage | What happens |
|---|---|
| Gap assessment (optional) | Baseline current state against the standard; plan remediation |
| Implementation | Build the ISMS: policies, risk assessment, controls, records |
| Internal audit | Independent internal check of the ISMS against the standard (mandatory) |
| Management review | Leadership reviews ISMS performance and decides improvements (mandatory) |
| Stage 1 audit | Certification body reviews documentation and readiness |
| Stage 2 audit | Certification body tests that controls operate effectively |
| Certification | Certificate issued (valid 3 years) after any nonconformities are closed |
| Surveillance & recertification | Annual surveillance audits; full recertification at 3 years |
Implementation roadmap (typical 3–6 months)
- Month 1: secure leadership commitment; define scope and the ISMS policy.
- Month 1–2: risk assessment methodology and first risk assessment.
- Month 2–3: risk treatment plan, control selection and SoA.
- Month 2–4: implement policies, processes and technical controls; run awareness training.
- Month 4–5: operate the ISMS and collect records (access reviews, incidents, changes).
- Month 5: internal audit and management review; close gaps.
- Month 5–6: Stage 1 and Stage 2 certification audits; certificate issued.
Readiness checklist
- ISMS scope and boundaries are documented and justified.
- Information security policy is approved by top management.
- A risk-assessment methodology exists and a risk assessment is complete.
- A Risk Treatment Plan and Statement of Applicability are approved.
- Annex A controls are implemented and evidenced (not just documented).
- Core policies exist: access control, cryptography, supplier security, incident response, secure development, acceptable use.
- Access reviews, logging, backups and vulnerability management are operating.
- Security objectives and metrics are defined and measured.
- An internal audit and a management review have been completed.
- Corrective actions are tracked to closure.
Evidence auditors expect
- ISMS scope, policy, risk methodology, risk assessment and SoA.
- Risk Treatment Plan with owners and status.
- Records of operating controls: access reviews, change approvals, backups, patching, vulnerability scans, incidents.
- Awareness-training completion and supplier assessments.
- Internal audit reports, management-review minutes and corrective-action records.
- Metrics/KPIs against security objectives.
Common nonconformities
- A polished SoA with no evidence the controls actually operate.
- Risk assessment not linked to control selection.
- Internal audit or management review missing or superficial.
- Corrective actions raised but not closed.
- Supplier/cloud security controls (new in 2022) not addressed.
- Scope drawn too broadly, making the ISMS hard to sustain.
ISO 27001 mapped to other frameworks
| Framework | Relationship |
|---|---|
| SOC 2 | Heavy control overlap; ISO 27001 certifies a management system, whereas SOC 2 is an attestation report on controls |
| NIST CSF | Complementary; controls map closely, work is reusable |
| PCI DSS | ISO provides the governance layer; PCI is prescriptive for card data |
| COBIT | COBIT governs security alignment and accountability above the ISMS |
| ISO 27701 | Privacy extension (PIMS) built on top of ISO 27001 |