Skip to main content
> ISO 27001

ISO/IEC 27001 Information Security Management System

The international standard for establishing, implementing, and certifying information security management

Established: 2005 (current version 2022) Last Updated: 2024 (Amendment 1:2024); 2013 transition closed Oct 2025 Scope: Global
93
Annex A Controls

What is ISO 27001 and who needs it?

ISO 27001 is the international standard for information security management systems (ISMS). It requires organizations to identify information risks, select controls from Annex A (93 controls across 4 themes in the 2022 edition), and demonstrate continual improvement through a cycle of internal audits and management reviews. Certification is voluntary but often required by enterprise customers in Europe and Asia. Amendment 1:2024 (February 2024) added climate-change considerations to Clauses 4.1 and 4.2. Critically, the transition deadline from ISO 27001:2013 passed October 31, 2025; certificates still referencing the 2013 version are no longer valid. All active certifications must conform to ISO 27001:2022. Sources: iso.org/standard/27001; iso.org/standard/88435.

// What is ISO 27001?

ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, encompassing people, processes, and technology. Organizations can achieve formal certification through accredited third-party auditors.

The 2022 revision restructured Annex A controls from 114 controls in 14 domains to 93 controls in 4 themes, aligning with the updated ISO 27002 guidance. The standard emphasizes risk-based thinking and integration with other management systems.

Amendment 1:2024 (published February 2024) added climate-change considerations to Clauses 4.1 and 4.2, requiring organizations to consider whether climate change is a relevant external issue and whether interested parties have climate-related requirements. The ISO 27001:2013 transition deadline passed on October 31, 2025; certificates issued against the 2013 version are no longer valid, and all active certifications must now conform to ISO 27001:2022.

ISO 27001 certification is often a prerequisite for international business, particularly in Europe and Asia, and is increasingly requested by enterprise customers as evidence of security program maturity.

// Inside the Regulation

ISO 27001 consists of mandatory ISMS requirements (Clauses 4-10) and Annex A controls selected based on risk assessment. Organizations must implement the ISMS requirements and select applicable Annex A controls, documenting any exclusions with justification.

1

ISMS Requirements (Clauses 4-10)

The mandatory requirements for establishing, implementing, maintaining, and continually improving an information security management system.

Context of the Organization (Clause 4)

Understanding internal/external issues, interested party requirements, and defining ISMS scope.

Leadership (Clause 5)

Top management commitment, security policy establishment, and organizational roles/responsibilities.

Planning (Clause 6)

Risk assessment and treatment, security objectives, and planning changes to the ISMS.

Support (Clause 7)

Resources, competence, awareness, communication, and documented information requirements.

Operation (Clause 8)

Operational planning, risk assessment execution, and risk treatment implementation.

Performance Evaluation (Clause 9)

Monitoring, measurement, analysis, internal audit, and management review.

Improvement (Clause 10)

Nonconformity handling, corrective action, and continual improvement.

2

Organizational Controls

Annex A.5

37 controls addressing policies, roles, asset management, access control, and supplier relationships.

Information Security Policies

Management direction for information security through policies reviewed at planned intervals.

Asset Management

Inventory, ownership, acceptable use, and return of assets.

Access Control

Business requirements, user access management, and access rights review.

Supplier Relationships

Information security in supplier agreements and supply chain management.

3

People Controls

Annex A.6

8 controls addressing human resource security throughout employment lifecycle.

Screening

Background verification checks on candidates before employment.

Awareness and Training

Security awareness education and relevant training for all personnel.

Disciplinary Process

Formal process for personnel committing information security breaches.

4

Physical Controls

Annex A.7

14 controls addressing physical security perimeters, entry controls, and equipment security.

Physical Security Perimeters

Defined perimeters protecting areas containing sensitive information and systems.

Physical Entry

Secure areas protected by appropriate entry controls.

Equipment Security

Siting, protection, maintenance, and secure disposal of equipment.

5

Technological Controls

Annex A.8

34 controls addressing endpoint devices, access rights, cryptography, operations security, and network security.

Endpoint Security

User endpoint devices including BYOD, privileged access workstations, and secure configuration.

Cryptography

Policy on cryptographic controls and key management.

Network Security

Network controls, segregation, and filtering mechanisms.

Secure Development

Security requirements for development, secure coding, and security testing.

Note: Certification involves a two-stage audit: Stage 1 reviews documentation and readiness; Stage 2 assesses implementation and effectiveness. Certification is valid for three years with annual surveillance audits. Organizations must maintain the ISMS and demonstrate continual improvement.

// Who Must Comply

  • 1 Organizations seeking international business requiring certified security programs
  • 2 Technology vendors serving European or Asian enterprise customers
  • 3 Companies pursuing formal third-party security certification
  • 4 Government contractors in jurisdictions requiring ISO 27001
  • 5 Organizations wanting integration with other ISO management systems (9001, 22301)

// Key Requirements

ISMS Documentation

Establish and maintain documented information security management system policies and procedures

Risk Assessment

Conduct formal risk assessments and implement risk treatment plans with management approval

Control Implementation

Implement selected Annex A controls and document justification for any exclusions

Internal Audit

Conduct internal audits at planned intervals to verify ISMS conformity and effectiveness

Management Review

Top management reviews ISMS performance and improvement opportunities at planned intervals

Continual Improvement

Implement corrective actions and continuously improve ISMS suitability, adequacy, and effectiveness

// Enforcement & Penalties

ISO 27001 is a voluntary certification with no direct regulatory penalties. However, certification loss can have significant business consequences, and organizations may face contractual penalties if certification is a customer requirement.

Maximum Penalty

No regulatory fines (voluntary certification)

Examples:

  • Loss of certification after failed surveillance or recertification audit
  • Contract termination if certification is a vendor requirement
  • Loss of business opportunities requiring ISO 27001 certification
  • Reputational damage from publicized certification suspension

// Cyber Insurance Impact

ISO 27001 certification provides strong evidence of security program maturity to cyber insurers. Certified organizations often receive more favorable underwriting terms, as the certification process requires independent verification of security controls. Some insurers offer premium discounts for ISO 27001 certified organizations.

// Common Questions

Is ISO 27001:2013 certification still valid?

No. The transition deadline from ISO 27001:2013 to ISO 27001:2022 was October 31, 2025. Certificates issued against the 2013 version expired on that date and are no longer recognized by accreditation bodies. If your organization holds a 2013 certificate that was not upgraded before the deadline, you need to initiate a re-certification audit against ISO 27001:2022. Customers and procurement processes that require ISO 27001 will expect a valid 2022-edition certificate.

What changed in ISO 27001:2022 compared to the 2013 version?

The 2022 revision restructured Annex A controls from 114 controls in 14 domains to 93 controls in 4 themes (Organizational, People, Physical, Technological). It added 11 new controls covering areas such as threat intelligence, cloud security, data masking, and secure coding. The core ISMS clauses (4-10) were lightly updated to align with the harmonized ISO management system structure. Amendment 1:2024 (February 2024) further added climate-change considerations to Clauses 4.1 and 4.2, requiring organizations to assess whether climate change is a relevant external issue for their ISMS scope.

How long does ISO 27001 certification take?

Timeline depends on your starting point. Organizations with a mature security program can complete readiness work in three to six months before the certification audit. From scratch, twelve to eighteen months is typical. The audit itself is two stages: Stage 1 reviews documentation and readiness (usually one to two days); Stage 2 assesses implementation (one to several days, scaled to scope). Certification is valid for three years with annual surveillance audits. A gap assessment upfront gives you a realistic timeline and identifies the highest-priority work.

Can a virtual CISO lead an ISO 27001 program?

Yes. ISO 27001 requires top management commitment and defined security roles, but it does not mandate an in-house CISO. A virtual CISO can own the ISMS program, coordinate the risk assessment and treatment process, manage Annex A control implementation, and serve as the primary point of contact for the certification body. Many small and mid-sized organizations use a vCISO to reach certification cost-effectively while keeping day-to-day responsibility under internal staff.

How do I prepare for an ISO 27001 certification audit?

Most organizations start with an ISO 27001 gap assessment: a structured review of your current ISMS against the standard's requirements and Annex A controls. It produces a prioritized roadmap and a defensible Statement of Applicability so the certification audit holds no surprises. This is a readiness engagement, distinct from the certification audit itself, which must be performed by an accredited certification body.

// Related Frameworks

// Industries That Need ISO 27001

These industries commonly require ISO 27001 compliance as part of their regulatory obligations.

Guide last reviewed: June 16, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873