Glossary

What is ISO 27001?

ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

Key components

  • ISMS — a systematic approach to managing sensitive information through people, processes, and technology
  • Annex A controls — a reference set of 93 controls (in the 2022 revision) organized into four themes: organizational, people, physical, and technological
  • Statement of Applicability (SoA) — a document listing which Annex A controls apply and justifying any exclusions
  • Risk assessment — a formal process for identifying and treating information security risks

Certification process

ISO 27001 certification involves:

  1. Gap analysis — compare current practices against the standard
  2. ISMS implementation — build policies, controls, and processes
  3. Internal audit — verify the ISMS works as intended
  4. Stage 1 audit — external auditor reviews documentation
  5. Stage 2 audit — external auditor tests operational effectiveness
  6. Surveillance audits — annual reviews to maintain certification
  7. Recertification — full audit every three years

ISO 27001 vs SOC 2

Both address information security, but they differ in scope and structure:

|           | ISO 27001                    | SOC 2                            |
|-----------|------------------------------|----------------------------------|
| Type      | Certifiable standard         | Attestation report               |
| Scope     | Global                       | Primarily North America          |
| Structure | ISMS + Annex A controls      | Trust Services Criteria          |
| Validity  | 3 years with surveillance    | Report covers observation period |

Many organizations pursue both to satisfy international and US-based customers. Controls often overlap significantly, reducing duplicate work.

How episki helps with ISO 27001

episki maps controls to Annex A, tracks your Statement of Applicability, and connects evidence across ISO 27001 and other frameworks. Learn more on our ISO 27001 compliance page.

See how episki handles this

Start a free trial and explore controls, evidence, and automation firsthand.