Glossary

What is ISO 27001?

Key takeaway

ISO 27001 is the international standard for information security management systems (ISMS). Learn about certification requirements, Annex A controls, and how to prepare.

What is ISO 27001?

ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

First published in 2005 and most recently revised in 2022, ISO 27001 is the world's most widely adopted information security framework. It takes a risk-based approach: rather than prescribing a fixed checklist, it requires organizations to identify their own security risks and select controls appropriate to their context. Certification is granted by accredited third-party certification bodies after a formal audit process.

What are the key components of ISO 27001?

  • ISMS — a systematic approach to managing sensitive information through people, processes, and technology
  • Annex A controls — a reference set of 93 controls (in the 2022 revision) organized into four themes: organizational, people, physical, and technological
  • Statement of Applicability (SoA) — a document listing which Annex A controls apply and justifying any exclusions
  • Risk assessment — a formal process for identifying and treating information security risks

What is the ISO 27001 certification process?

ISO 27001 certification involves:

  1. Gap analysis — compare current practices against the standard
  2. ISMS implementation — build policies, controls, and processes
  3. Internal audit — verify the ISMS works as intended
  4. Stage 1 audit — external auditor reviews documentation
  5. Stage 2 audit — external auditor tests operational effectiveness
  6. Surveillance audits — annual reviews to maintain certification
  7. Recertification — full audit every three years

Who needs ISO 27001?

ISO 27001 certification is voluntary — no law mandates it — but it is increasingly expected by enterprise buyers and procurement teams. Organizations that benefit most include:

  • Companies targeting international customers — ISO 27001 is the de facto security standard in Europe, APAC, and the Middle East. Without it, you may not make it past vendor questionnaires.
  • Regulated industries — Financial services, healthcare, and government contractors often require suppliers to hold ISO 27001 certification as a baseline.
  • SaaS and cloud providers — Enterprise buyers routinely ask for ISO 27001 during procurement. It signals that your security program is structured and externally validated.
  • Organizations scaling into new markets — If you already serve the US with a SOC 2, adding ISO 27001 opens doors globally without rebuilding your program from scratch.

Even when not contractually required, holding the certification reduces the time spent answering security questionnaires and builds trust with prospects before the first sales call.

ISO 27001 is especially valued in:

  • Europe — GDPR-conscious buyers view it as evidence of mature data protection practices.
  • APAC — Markets like Japan, Australia, and Singapore treat it as a baseline requirement for technology vendors.
  • Global enterprises — Companies like Google, Microsoft, and Salesforce require ISO 27001 from critical suppliers in their vendor risk management programs.

What changed in ISO 27001:2022?

The 2022 revision of ISO 27001 (formally ISO/IEC 27001:2022) brought the most significant structural changes since the standard's 2013 edition. The core ISMS requirements in clauses 4–10 received minor wording updates, but Annex A was overhauled:

  • Restructured from 14 categories to 4 themes — The previous 14-domain layout was replaced with four broad themes: organizational, people, physical, and technological.
  • Consolidated from 114 controls to 93 — Controls were merged and reorganized, not removed. The reduction reflects overlapping controls being combined into more coherent groupings.
  • 11 new controls added — The 2022 revision introduced controls that reflect the modern threat landscape, including:
    • Threat intelligence
    • Information security for cloud services
    • ICT readiness for business continuity
    • Physical security monitoring
    • Configuration management
    • Information deletion
    • Data masking
    • Data leakage prevention
    • Monitoring activities
    • Web filtering
    • Secure coding

Organizations certified under the 2013 edition were required to transition to the 2022 revision by October 31, 2025. New certifications are issued exclusively against the 2022 standard.

What are the Annex A control themes?

The four themes in Annex A group controls by domain rather than by the asset or process they protect. This makes it easier to assign ownership and track implementation progress.

Organizational controls (37 controls)

These cover governance, policies, and management-level activities. Examples include information security policies, defined roles and responsibilities, threat intelligence, asset management, access control policies, supplier security, and incident management.

People controls (8 controls)

Focused on the human side of security. Examples include pre-employment screening, information security awareness and training, disciplinary processes, responsibilities after termination, remote working arrangements, and confidentiality agreements.

Physical controls (14 controls)

Address the protection of physical spaces and equipment. Examples include physical security perimeters, physical entry controls, securing offices and facilities, equipment maintenance, storage media handling, and supporting utility security.

Technological controls (34 controls)

Cover technical safeguards applied to IT systems. Examples include user endpoint devices, privileged access rights, access restriction to information, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, logging, network security, encryption, secure development lifecycle, and data masking.

Together, the 93 controls form the reference set from which you build your Statement of Applicability. Not every control will apply — the SoA documents which you selected and why you excluded the rest.
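The SoA consistency checks implied above, as an added example in Python (not part of this page or of any episki product): it builds the 93-control Annex A reference set from the 37/8/14/34 split, assuming the 2022 edition's clause numbering (5.x organizational, 6.x people, 7.x physical, 8.x technological), and flags what an auditor would raise in a Statement of Applicability: missing controls, duplicate rows, ids outside Annex A, and exclusions with no justification. The SoA rows are constructed sample data.

```python
"""Consistency checks for an ISO 27001:2022 Statement of Applicability (SoA)."""
from dataclasses import dataclass

# Annex A reference set: theme -> (clause prefix, control count).
# The 37/8/14/34 split is the 2022 edition's; prefixes 5-8 are its clause numbers.
ANNEX_A_THEMES = {
    "organizational": ("5", 37),
    "people": ("6", 8),
    "physical": ("7", 14),
    "technological": ("8", 34),
}

def reference_controls() -> dict[str, str]:
    """Map every Annex A control id (e.g. '5.1', '8.34') to its theme: 93 entries."""
    return {f"{prefix}.{n}": theme
            for theme, (prefix, count) in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)}

@dataclass
class SoaEntry:
    control: str        # Annex A control id, e.g. "8.28"
    applicable: bool    # selected for the ISMS, or excluded
    justification: str  # reason; an exclusion with no reason is an audit finding

def validate_soa(entries: list[SoaEntry]) -> list[str]:
    """Return auditor-style findings; an empty list means the SoA is consistent."""
    ref, seen, findings = reference_controls(), set(), []
    for e in entries:
        if e.control not in ref:
            findings.append(f"{e.control}: not an Annex A control")
        elif e.control in seen:
            findings.append(f"{e.control}: listed more than once")
        elif not e.applicable and not e.justification.strip():
            findings.append(f"{e.control}: excluded without justification")
        seen.add(e.control)
    # Every one of the 93 controls must appear, even if only to be excluded.
    findings += [f"{cid}: missing ({theme} theme)"
                 for cid, theme in ref.items() if cid not in seen]
    return findings

def sample_soa() -> list[SoaEntry]:
    """Constructed SoA: full coverage, then four defects injected for the demo."""
    soa = [SoaEntry(cid, True, "in scope") for cid in reference_controls()]
    soa[0] = SoaEntry("5.1", False, "")            # excluded with no justification
    soa.pop()                                      # drop 8.34: a control goes missing
    soa.append(SoaEntry("8.1", True, "in scope"))  # duplicate row
    soa.append(SoaEntry("9.1", True, "in scope"))  # id outside Annex A
    return soa
```

Running `validate_soa(sample_soa())` lists the four injected defects; a complete SoA in which every excluded control carries a justification returns an empty list.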

A common approach is to assign theme ownership: IT leads technological controls, HR owns people controls, facilities manages physical controls, and a GRC or security team coordinates organizational controls. This clear division of responsibility is one reason the 2022 restructuring was widely welcomed by practitioners.

What is the cost and timeline of ISO 27001 certification?

ISO 27001 certification is a significant investment in both money and internal effort. Typical ranges depend on organization size, complexity, and existing maturity:

Factor                        Small org (< 50 employees)   Mid-size org (50–500)   Enterprise (500+)
Implementation cost           $30K–$50K                    $50K–$100K              $100K+
Timeline to certification     6–9 months                   9–12 months             12–18 months
Certification audit fees      $10K–$20K                    $20K–$40K               $40K–$80K
Annual surveillance audits    $5K–$15K                     $15K–$25K               $25K–$50K

These figures include consulting, tooling, auditor fees, and remediation. They do not include the internal time your team spends building policies, gathering evidence, and running internal audits — which is often the largest hidden cost.

The implementation timeline typically breaks down as:

  1. Months 1–2 — Scoping, gap analysis, and risk assessment
  2. Months 3–6 — Policy development, control implementation, and staff training
  3. Months 7–8 — Internal audit and management review
  4. Months 9–10 — Stage 1 audit (documentation review)
  5. Months 10–12 — Remediation and Stage 2 audit (operational effectiveness)

After certification, expect ongoing costs for surveillance audits (annually) and a full recertification audit every three years.

Tips for reducing cost and timeline:

  • Start with a gap analysis to avoid over-investing in areas you already cover.
  • Reuse existing policies and evidence from SOC 2 or NIST CSF if you have them.
  • Use a GRC platform to centralize evidence collection and automate control tracking.
  • Engage your certification body early for a pre-assessment to surface surprises before the formal audit.

How does ISO 27001 map to other frameworks?

If your organization already operates under another framework, ISO 27001 will share significant control overlap. Mapping controls across frameworks reduces duplicate work and accelerates certification timelines.

              ISO 27001                   SOC 2                              NIST CSF                           PCI DSS
Type          Certifiable standard        Attestation report                 Voluntary framework                Mandatory standard
Scope         Global                      Primarily North America            US-originated, global adoption     Any org handling cardholder data
Structure     ISMS + Annex A controls     Trust Services Criteria            6 functions, 22 categories         12 requirements, 300+ sub-requirements
Validity      3 years with surveillance   Report covers observation period   Self-assessed (no certification)   Annual assessment
Control count 93 (Annex A)                ~60 points of focus                ~100 subcategories                 300+

The overlap between ISO 27001 and SOC 2 is roughly 70–80% at the control level. NIST CSF aligns even more closely with ISO 27001 since both follow a risk-based approach. PCI DSS is more prescriptive but shares foundational controls around access management, logging, encryption, and incident response.

Organizations that already have one framework in place can typically achieve ISO 27001 certification 30–40% faster by reusing existing policies, evidence, and control implementations.

Key areas of overlap include:

  • Access control — covered by all four frameworks, though PCI DSS is the most prescriptive about password complexity and multi-factor authentication.
  • Incident response — ISO 27001, NIST CSF, and PCI DSS all require documented incident response plans and regular testing.
  • Risk management — ISO 27001 and NIST CSF both center on risk-based decision-making; SOC 2 addresses it through the Common Criteria.
  • Logging and monitoring — a universal requirement, with PCI DSS specifying exact log retention periods and ISO 27001 leaving implementation details to the organization.

For a detailed breakdown of how controls map across frameworks, see our framework mapping guide.

How does episki help with ISO 27001?

episki maps controls to Annex A, tracks your Statement of Applicability, and connects evidence across ISO 27001 and other frameworks. Learn more on our ISO 27001 compliance page.
