ISO 27001 certification on your timeline

Build and maintain your ISMS without drowning in spreadsheets

episki maps Annex A controls, tracks your Statement of Applicability, and keeps risk treatment plans linked to real evidence so certification audits run smoothly.

What is ISO 27001?

ISO 27001 is the world's most widely adopted international standard for information security management. Formally titled ISO/IEC 27001, it defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System, or ISMS. Organizations that align with ISO 27001 commit to a risk-based, process-driven approach to protecting the confidentiality, integrity, and availability of the information they hold on behalf of customers, employees, and business partners.

The standard is published jointly by two bodies. The International Organization for Standardization (ISO), headquartered in Geneva, develops consensus-based standards across nearly every industry. The International Electrotechnical Commission (IEC) is its counterpart for electrical, electronic, and related technologies. Information technology standards are handled by their joint technical committee ISO/IEC JTC 1, whose subcommittee SC 27 maintains the ISO/IEC 27000 family, including ISO/IEC 27002 (control implementation guidance) and ISO/IEC 27005 (information security risk management guidance).

ISO 27001 was first released in 2005, revised in 2013, and most recently updated in October 2022. The 2022 revision is now the only version against which new ISO 27001 certifications are issued. Any discussion of ISO 27001 today should default to this edition, which reorganized the control set and introduced eleven new controls addressing modern risks like threat intelligence, data masking, and secure coding.

At the heart of ISO 27001 is the concept of an ISMS. An ISMS is not a product you can buy or a checklist you can run through once. It is the living combination of policies, processes, people, and technology that your organization uses to identify information security risks, decide how to treat them, implement controls, measure effectiveness, and continually improve. ISO 27001 provides the blueprint. Your ISMS is the thing you build from that blueprint.

Why ISO 27001 matters

ISO 27001 is recognized in more than 160 countries and frequently shows up as a procurement requirement for enterprise technology contracts, financial services partnerships, public sector work, and any organization selling into European or APAC markets. Unlike self-attested programs, ISO 27001 certification is issued by an independent accredited certification body, which gives customers and regulators external assurance that your security practices are real and not marketing.

Beyond procurement, ISO 27001 brings discipline. Many organizations treat security as a reactive function that only activates after an incident or failed audit. The ISO 27001 approach forces proactive risk identification, documented decisions, and measurable effectiveness. Even teams that never pursue certification often adopt the ISO 27001 framework as an internal operating model because it is mature, well-documented, and maps cleanly to other standards.

ISO 27001 also signals organizational maturity to investors. Due diligence for Series B and later funding rounds commonly includes a security review. Holding an ISO 27001 certificate answers much of that review up front and shortens the time to close.

The ISO 27001 certification process

ISO 27001 certification follows a standardized two-stage audit model used worldwide. A Stage 1 audit reviews your ISMS documentation and readiness. A Stage 2 audit evaluates whether your ISMS is actually implemented and effective in practice. Major nonconformities must be closed and verified before a certificate can be issued; minor nonconformities need an accepted corrective action plan. Once that is done the certification body recommends certification and a three-year certificate is issued. Annual surveillance audits follow, with full recertification every three years.

For a deep walkthrough of every phase of the journey, including timelines, auditor expectations, and common pitfalls, see the ISO 27001 certification process guide. If you are still evaluating whether to pursue ISO 27001 at all, the ISO 27001 certification guide covers the business case and sequencing decisions.

ISO 27001:2022 — What changed

The 2022 revision is the current version of the standard. Two changes matter most for teams implementing ISO 27001 today.

First, the control set was restructured. The 2013 edition had 114 controls across 14 domains. ISO 27001:2022 consolidates these into 93 controls across four themes: organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). The reduction comes from merging, not dropping: 57 of the 2013 controls were merged into 24, 23 were renamed, one was split, and 35 carried over unchanged. Eleven entirely new controls were introduced: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.

Second, the clause-level requirements in clauses 4 through 10 received targeted updates. Clause 4.2 now asks which interested-party requirements will be addressed through the ISMS, Clause 6.2 requires security objectives to be monitored and kept as documented information, a new Clause 6.3 covers planning of changes to the ISMS, and Clause 9.3 adds changes in the needs and expectations of interested parties as a management review input. The Plan-Do-Check-Act cycle remains, and the wording follows the harmonized structure shared with other ISO management system standards such as ISO 9001 and ISO 14001. Organizations holding ISO 27001:2013 certificates had a three-year transition window that closed on 31 October 2025; new certifications are assessed exclusively against ISO 27001:2022.

Annex A controls

Annex A of ISO 27001 is the reference control set. Its 93 controls are organized under the four themes described above. Clause 6.1.3 requires you to determine the controls needed to treat your assessed risks and then compare them against Annex A to confirm nothing necessary has been overlooked. Annex A is a reference list, not an exhaustive one, so controls from other sources (NIST SP 800-53, CIS Controls, contractual requirements) may be added. Every Annex A control must still be evaluated and either included or excluded with a documented justification.

Organizational controls cover governance, policy, third-party management, incident response, and business continuity. People controls address screening, training, responsibilities, and remote working. Physical controls protect buildings, equipment, and storage media. Technological controls handle access control, cryptography, logging, vulnerability management, secure development, and cloud security.

For a full breakdown of every theme, example controls in each, and how to prioritize implementation, see the ISO 27001 Annex A controls reference. ISO 27002:2022 provides detailed implementation guidance for each control and is invaluable as a companion reference, though it is not mandatory to follow prescriptively.

Statement of Applicability (SoA)

The Statement of Applicability is arguably the single most important document in your ISO 27001 program. The SoA lists every Annex A control, records whether it is applicable to your ISMS, justifies each inclusion or exclusion, and states whether each included control is implemented (Clause 6.1.3 d). It is the document auditors will open first, and it is the document customers may ask to see.

A well-built SoA ties directly to your risk assessment output. Controls are marked applicable because they treat identified risks, satisfy legal or contractual requirements, or reflect business decisions. Controls marked not applicable require a short but credible justification. Auditors routinely sample SoA entries during Stage 2 and ask for corresponding evidence.

See the dedicated guide on the ISO 27001 Statement of Applicability for format examples, justification patterns, and common SoA mistakes.

Building your ISMS

Implementing ISO 27001 is primarily an exercise in building a functioning ISMS. The standard walks through this in clauses 4 through 10:

  • Clause 4 — Context of the organization. Understand internal and external issues, interested parties, and define the ISMS scope.
  • Clause 5 — Leadership. Top management must demonstrate commitment, approve the information security policy, and assign roles.
  • Clause 6 — Planning. Identify risks and opportunities, set information security objectives, and plan how to achieve them.
  • Clause 7 — Support. Provide resources, competence, awareness, communication, and documented information.
  • Clause 8 — Operation. Execute the risk assessment and risk treatment process and operate the ISMS on an ongoing basis.
  • Clause 9 — Performance evaluation. Monitor, measure, analyze, evaluate, conduct internal audits, and hold management reviews.
  • Clause 10 — Improvement. Handle nonconformities and drive continual improvement.

Each clause has mandatory documented information and mandatory activities. The ISO 27001 ISMS implementation guide breaks down exactly what to produce at each stage.

Scope definition deserves special attention. A scope that is too narrow can fail to satisfy customers. A scope that is too broad inflates audit cost and implementation effort. The ISMS scope guide walks through how to draw the right boundaries for your business.

ISO 27001 risk assessment

Risk assessment is the engine that drives control selection in ISO 27001. Clause 6.1.2 requires a documented process with defined acceptance and assessment criteria that produces consistent, valid, and comparable results each time it is run. Most organizations use a qualitative or semi-quantitative approach that scores likelihood and impact across confidentiality, integrity, and availability. ISO 27005 provides detailed guidance but is not mandatory.

Outputs of the risk assessment feed directly into the risk treatment plan, which in turn feeds the Statement of Applicability. This chain is why ISO 27001 auditors spend significant time tracing from a risk to a treatment decision to a control to evidence of operation. Break this chain and you create nonconformities.
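As an added example that is not part of this page, episki, or the standard, the following Python script checks the chain just described (risk to treatment decision to Annex A control to evidence) together with the SoA rules from the Statement of Applicability section: every linked control must exist in the SoA and be applicable, a risk retained above appetite needs a named owner's acceptance, every implemented control needs recorded evidence, and every inclusion or exclusion needs a justification. The record layout, the 5x5 likelihood/impact scale, the appetite threshold, the finding rules, and the sample register are all assumptions; replace them with your own exports.

```python
"""Trace the ISO 27001 chain risk -> treatment -> Annex A control -> evidence.

Added example for this page, not code from episki or any ISO document. The
record layout, the 1..5 scale, RISK_APPETITE, and the sample records below are
assumptions; substitute your own risk register and SoA exports.
"""
from dataclasses import dataclass, field

RISK_APPETITE = 10                                   # assumed: likelihood x impact at or above this needs treatment
TREATMENTS = {"modify", "retain", "avoid", "share"}  # ISO 27005 treatment options


@dataclass
class Risk:
    id: str
    description: str
    likelihood: int                                    # 1..5
    impact: int                                        # 1..5, worst case across C, I and A
    treatment: str                                     # one of TREATMENTS
    controls: list[str] = field(default_factory=list)  # Annex A ids that treat this risk
    accepted_by: str = ""                              # risk owner sign-off when retained


@dataclass
class SoAEntry:
    control: str
    applicable: bool
    justification: str                                 # why included, or why excluded
    implemented: bool


def risk_score(r: Risk) -> int:
    """Semi-quantitative score on a 5x5 matrix (assumed scale)."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.id}: likelihood and impact must be on the 1..5 scale")
    return r.likelihood * r.impact


def check_traceability(risks, soa, evidence):
    """Return findings as strings; an empty list means every link in the chain holds.

    evidence maps a control id to the list of artifacts collected for it.
    """
    findings = []
    soa_by_id = {e.control: e for e in soa}

    for r in risks:                                    # risk -> treatment -> control
        score = risk_score(r)
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.id}: unknown treatment '{r.treatment}'")
            continue
        if r.treatment == "retain" and score >= RISK_APPETITE and not r.accepted_by:
            findings.append(f"{r.id}: score {score} is above appetite but retained with no risk owner acceptance")
        if r.treatment == "modify" and not r.controls:
            findings.append(f"{r.id}: treatment is 'modify' but no control is linked")
        for c in r.controls:
            entry = soa_by_id.get(c)
            if entry is None:
                findings.append(f"{r.id}: cites {c}, which is missing from the SoA")
            elif not entry.applicable:
                findings.append(f"{r.id}: treated by {c}, but the SoA marks it not applicable")

    for e in soa:                                      # control -> evidence, and SoA hygiene
        if e.applicable and e.implemented and not evidence.get(e.control):
            findings.append(f"{e.control}: marked implemented but no evidence is recorded")
        if not e.justification.strip():
            kind = "inclusion" if e.applicable else "exclusion"
            findings.append(f"{e.control}: {kind} has no justification")
    return findings


# Constructed sample register, SoA and evidence index (not real data).
SAMPLE_RISKS = [
    Risk("R-01", "Credential stuffing against the customer portal", 4, 4, "modify", ["A.5.17", "A.8.5"]),
    Risk("R-02", "Stolen laptop exposes customer data", 3, 4, "modify", ["A.8.1", "A.8.24"]),
    Risk("R-03", "Whiteboard notes seen by visitors", 2, 1, "retain", [], accepted_by="CISO"),
    Risk("R-04", "Critical supplier outage", 3, 4, "retain", []),           # no acceptance recorded
    Risk("R-05", "Unreviewed code reaches production", 3, 3, "modify", ["A.8.28"]),
]
SAMPLE_SOA = [
    SoAEntry("A.5.17", True, "Treats R-01", True),
    SoAEntry("A.8.5", True, "Treats R-01; required by customer contract", True),
    SoAEntry("A.8.1", True, "Treats R-02", True),
    SoAEntry("A.8.24", True, "Treats R-02", True),                          # implemented, no evidence
    SoAEntry("A.8.28", False, "", False),                                   # excluded, yet cited by R-05
    SoAEntry("A.7.1", False, "No physical premises; fully remote company", False),
]
SAMPLE_EVIDENCE = {
    "A.5.17": ["mfa-policy.pdf"],
    "A.8.5": ["idp-mfa-enforcement-screenshot.png"],
    "A.8.1": ["mdm-enrollment-report.csv"],
}


if __name__ == "__main__":
    for line in check_traceability(SAMPLE_RISKS, SAMPLE_SOA, SAMPLE_EVIDENCE):
        print("FINDING:", line)
```

Run it against the sample and it reports four breaks in the chain: a risk retained above appetite with nobody accepting it, a risk treated by a control the SoA excludes, a control marked implemented with no evidence behind it, and an exclusion with no justification. Each of those is exactly the kind of gap a Stage 2 auditor finds by sampling, so running a check like this before the audit, on every export of the register and SoA, is cheap insurance.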

For methodology, risk register structure, treatment options, and residual risk handling, see the ISO 27001 risk assessment guide.

Internal audits and management review

Two activities inside Clause 9 are frequent failure points for first-time ISO 27001 certifiers. Clause 9.2 requires internal audits of the ISMS at planned intervals. Clause 9.3 requires a formal management review with defined inputs and outputs. Both must be complete before your Stage 2 audit.

Internal audits must cover every clause of ISO 27001 and every applicable Annex A control across your audit cycle. Auditors must be objective and impartial, which typically means the person who built a control cannot audit it. Findings must be documented, communicated, and tracked to closure.

Management reviews force leadership engagement. Inputs include audit results, risk changes, nonconformities, and stakeholder feedback. Outputs include decisions on resources, improvement opportunities, and changes to the ISMS. Detailed coverage lives in the internal audit guide and the management review guide.

Nonconformities and corrective action

When something in your ISMS does not meet a requirement, whether from ISO 27001, your own policies, or customer obligations, that is a nonconformity. Clause 10.2 of ISO 27001:2022 (Clause 10.1 in the 2013 edition) requires you to react, deal with the consequences, evaluate whether action is needed to eliminate the root cause, implement corrective action, review its effectiveness, and update the ISMS where necessary.

Mature organizations treat nonconformities as valuable signals rather than failures. The nonconformity and corrective action guide walks through the full CAPA workflow auditors expect to see.

Continual improvement

Clause 10.1 of ISO 27001:2022 (Clause 10.2 in the 2013 edition) requires continual improvement of the suitability, adequacy, and effectiveness of the ISMS. This is not about constantly changing controls. It is about demonstrating measurable progress over time through metrics, KPIs, trend analysis, and lessons learned.

Learn how to set ISMS metrics that auditors respect and leadership actually uses in the continual improvement guide.

Cost and timeline

ISO 27001 certification costs vary by scope, organization size, and maturity. A realistic budget range for a first-time certification at a small to mid-sized technology company looks like this:

  • Internal effort. Six to twelve months of fractional time from an ISMS owner plus contributions from engineering, HR, legal, and IT. Equivalent fully loaded cost of $50,000 to $200,000.
  • External consulting (optional). Gap analysis and implementation support from a consultancy typically runs $20,000 to $100,000 depending on scope.
  • Certification body fees. Stage 1 and Stage 2 audits combined usually cost $15,000 to $40,000. Annual surveillance audits run $8,000 to $20,000. The recertification audit in year three costs about the same as the initial audit.
  • Platform and tooling. GRC platforms like episki typically replace $30,000 or more in spreadsheet-driven consulting labor annually.

Adding the external line items together, first-year spend on consulting, certification body fees, and tooling for a 50 to 200 person company commonly lands between $60,000 and $150,000, with the internal effort above on top of that. Timeline from kickoff to certificate in hand is typically nine to fifteen months. See the cost and timeline discussion in the certification process guide for more detail.

Choosing a certification body

Only an accredited certification body can issue a recognized ISO 27001 certificate. Accreditation is granted by national bodies such as UKAS in the United Kingdom, ANAB in the United States, and JAS-ANZ in Australia and New Zealand, all operating under the International Accreditation Forum (IAF). A certificate from a non-accredited body has little value with enterprise customers. Before signing, confirm that ISO/IEC 27001 is within the body's accredited scope, and when you receive a supplier's certificate, check it in the IAF CertSearch database rather than taking the PDF at face value.

Selection criteria include accreditation scope, industry experience, auditor availability, geographic coverage, and cost transparency. The certification body selection guide walks through the full evaluation.

Surveillance audits and recertification

Once certified, your ISO 27001 certificate is valid for three years. Certification bodies conduct a lighter annual surveillance audit in years one and two to confirm the ISMS is still operating effectively. A full recertification audit occurs in year three. Nonconformities identified during surveillance can put your certificate at risk if not resolved within the specified timeframe.

See the surveillance audits guide for preparation checklists and what auditors typically sample during year-one and year-two visits.

ISO 27001 vs SOC 2 vs NIST CSF

Customers and leadership teams frequently ask how ISO 27001 compares to other frameworks. The short version:

  • ISO 27001 vs SOC 2. ISO 27001 is an international certification of an ISMS. SOC 2 is a US-centric attestation of controls aligned with the AICPA Trust Services Criteria. SOC 2 produces a detailed report; ISO 27001 produces a certificate. A SOC 2 Type 1 report can be obtained faster; a Type 2 report requires an observation period, typically three to twelve months. SOC 2 is often preferred by US buyers. ISO 27001 is stronger for European customers and regulated industries. Many organizations run both, mapping controls once in a tool like episki.
  • ISO 27001 vs NIST CSF. NIST CSF is a voluntary US framework. Version 2.0, published in 2024, is structured around six functions: Govern, Identify, Protect, Detect, Respond, and Recover (Govern was added in 2.0; earlier versions had five functions). It is not a certification. Organizations often use NIST CSF as a maturity assessment tool and ISO 27001 as the formal certification. The two map cleanly at the control level. See NIST CSF mapping to other frameworks for a side-by-side comparison.

If you are weighing which framework to pursue first, the ISO 27001 certification guide covers framework sequencing for growing companies.

Getting certified with episki

Most teams discover that ISO 27001 certification is less about security expertise and more about sustained, organized execution across months of risk assessments, control implementation, evidence collection, and documentation. Spreadsheet-based ISO 27001 programs tend to collapse under their own weight, especially when the certification cycle extends across surveillance audits and the 2022 transition creates additional documentation churn.

episki was built to collapse that effort. The platform ships with the full 93-control Annex A library pre-mapped, automatic Statement of Applicability generation, a risk register tied to ISO 27005 treatment options, internal audit workflows, management review templates, and continuous evidence collection. Customers regularly compare episki against more established vendors; see episki vs Vanta and episki vs Drata for honest side-by-side views.

Teams using episki typically cut ISO 27001 preparation time by 60 percent compared to manual approaches and arrive at Stage 2 with a clean, auditor-ready evidence pack. Whether you are starting from zero or migrating an existing ISO 27001:2013 program to the 2022 standard, the platform scales with your scope.

Start a free trial, import your controls, and run your first ISO 27001 gap analysis in under an hour.

ISO 27001 topics

Deep dives into specific ISO 27001 compliance topics.
ISO 27001 Annex A Controls
An overview of all 93 Annex A controls in the ISO 27001:2022 standard, organized by their four themes, with guidance on implementation and prioritization.
Choosing an ISO 27001 Certification Body
How to evaluate and select an ISO 27001 certification body, including accreditation (UKAS, ANAB, JAS-ANZ), cost, scope, and what to ask during selection.
ISO 27001 Certification Process
A complete walkthrough of the ISO 27001 certification journey, from selecting a certification body through Stage 1 and Stage 2 audits to achieving certified status.
ISO 27001 Continual Improvement (Clause 10.1)
Drive ISO 27001 continual improvement under Clause 10.1 of the 2022 edition with ISMS metrics, KPIs, effectiveness measurement, and trend analysis auditors and leadership respect.
ISO 27001 Internal Audit (Clause 9.2)
How to plan, conduct, and document ISO 27001 Clause 9.2 internal audits including scheduling, auditor independence, evidence collection, and reporting.
ISMS Implementation Guide
A step-by-step guide to implementing an Information Security Management System aligned with ISO 27001 clauses 4 through 10, including documentation requirements and practical advice.
ISO 27001 ISMS Scope — Boundaries, Interfaces, and Context
Define an ISO 27001 ISMS scope that satisfies auditors and customers, covering boundaries, interfaces, interested parties, and organizational context.
ISO 27001 Management Review (Clause 9.3)
How ISO 27001 Clause 9.3 management reviews work, including required inputs and outputs, cadence, documentation, and demonstrating leadership engagement.
ISO 27001 Nonconformity and Corrective Action (Clause 10.2)
Handle ISO 27001 nonconformities and corrective actions under Clause 10.2 of the 2022 edition with root cause analysis, CAPA workflows, and effectiveness verification.
ISO 27001 Risk Assessment
A practical guide to performing ISO 27001 risk assessments, building risk treatment plans, maintaining a risk register, and embedding continuous risk monitoring into your ISMS.
Statement of Applicability (SoA)
Everything you need to know about the ISO 27001 Statement of Applicability, including what it contains, how to create one, its relationship to Annex A, and mistakes to avoid.
ISO 27001 Surveillance Audits
What happens after ISO 27001 certification, including annual surveillance audits, the three-year certification cycle, recertification requirements, and how to stay audit-ready.

ISO 27001 outcomes with episki

Quantify the impact security and compliance brings to your business.
93 Annex A controls
Pre-mapped to your control graph with owners, evidence, and review cadences.
60% less prep
Average reduction in Stage 2 audit preparation time with episki's automation.
Continuous compliance
Surveillance audits stay painless with always-current evidence and risk registers.

Why teams choose episki for ISO 27001

Framework-specific automation, collaboration, and reporting in one workspace.
Statement of Applicability in minutes
Generate and maintain your SoA directly from your control graph with justification notes for every inclusion and exclusion.
  • Auto-populate applicability status from existing controls
  • Link each control to risk treatment decisions
  • Export auditor-ready SoA documents on demand
Risk-driven control management
Connect your risk register to Annex A controls so treatment plans and evidence stay aligned as threats evolve.
  • Risk assessment templates following ISO 27005 guidance
  • Heat maps show residual risk by domain
  • Treatment plans tie directly to control tasks and owners
Surveillance audit confidence
Keep your ISMS current between certification cycles with continuous monitoring and internal audit workflows.
  • Automated evidence refresh and expiration alerts
  • Internal audit scheduling with finding tracking
  • Management review templates with trend data

ISO 27001 certification checklist inside episki

Everything you need to scope, implement, and certify your ISMS is preloaded in your free trial.

Plug episki into your stack and work directly from this checklist during the free trial.

  • ISMS scope definition and context of the organization templates
  • Full Annex A control library with implementation guidance
  • Risk assessment and treatment plan workflows
  • Statement of Applicability generator
  • Internal audit programme with finding management
  • Management review agenda and output templates
  • Corrective action tracking with root cause analysis

ISO 27001 certification resources

Give leadership, auditors, and customers visibility into your ISMS maturity.
ISMS maturity dashboard
Visual progress across all Annex A domains with gap analysis and trending.
Auditor collaboration portal
Scoped access for certification bodies with evidence requests and Q&A threads.
Customer trust pack
Shareable ISO 27001 certification summary with scope details and control highlights.

Start your ISO 27001 journey today

Import your controls, define your ISMS scope, and generate your first Statement of Applicability in under an hour.