ISO 27001 Certification: The Complete Implementation Guide for 2026
August 26, 2025
Updated: February 22, 2026
ISO 27001 is the world's most recognised standard for information security management. With over 70,000 certificates issued globally and growing demand driven by regulations like NIS2 and DORA, ISO 27001 certification has evolved from a competitive advantage to a business necessity. Whether clients require it, regulators expect it, or your organisation needs a structured framework for managing cyber risk, this guide walks you through every aspect — from understanding the standard to passing your certification audit.
Key Takeaways
ISO 27001 is the international standard for an Information Security Management System (ISMS).
The current version is ISO/IEC 27001:2022, with 93 controls across 4 categories in Annex A.
Certification typically takes 6-12 months and costs EUR 15,000-100,000+ depending on organisation size.
The certificate is valid for 3 years, with annual surveillance audits.
ISO 27001 covers 70-80% of NIS2 requirements and supports GDPR Article 32 security obligations.
The standard follows a risk-based approach — you implement controls proportionate to your specific risks.
ISO/IEC 27001 is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
An ISMS is a systematic framework of policies, processes, and controls designed to manage risks to the confidentiality, integrity, and availability of information.
Term | Definition
ISMS | Information Security Management System — the complete set of policies, procedures, and controls
Annex A | The catalogue of 93 security controls that organisations select based on risk assessment
Statement of Applicability (SoA) | Document listing which Annex A controls are applicable, implemented, or excluded (with justification)
Risk assessment | Systematic process of identifying, analysing, and evaluating information security risks
Risk treatment | Selecting and implementing measures to modify (reduce, accept, transfer, or avoid) identified risks
Certification body | Accredited organisation that conducts audits and issues the ISO 27001 certificate
Surveillance audit | Annual audit to confirm the ISMS continues to function effectively
Who publishes it? ISO 27001 is maintained by ISO/IEC JTC 1/SC 27. The current version is ISO/IEC 27001:2022, published in October 2022 with a transition deadline of 31 October 2025 from the 2013 version.
Why Get ISO 27001 Certified?
Business Drivers
Driver | Detail
Client requirements | Enterprise clients increasingly require ISO 27001 as a condition for doing business, especially in technology, finance, and healthcare
Regulatory expectations | NIS2 references "international standards" for security measures; GDPR Article 32 requires "appropriate" security; ISO 27001 demonstrates both
Competitive advantage | Differentiates your organisation in proposals, tenders, and partnerships
Reduced insurance premiums | Many cyber insurance providers offer lower premiums for ISO 27001 certified organisations
Incident reduction | Organisations with mature ISMS experience fewer and less severe security incidents
M&A readiness | Due diligence processes increasingly scrutinise information security posture
By the Numbers
Over 70,000 ISO 27001 certificates issued globally (ISO Survey 2023)
Year-over-year growth of approximately 20% in new certifications
73% of organisations report improved security posture after certification (Advisera survey)
40% reduction in security incidents reported by certified organisations within 2 years
ISO 27001:2022 — What Changed?
The 2022 revision brought significant updates to Annex A while keeping the core ISMS requirements largely intact:
Aspect | ISO 27001:2013 | ISO 27001:2022
Annex A controls | 114 controls in 14 categories | 93 controls in 4 categories
Control categories | A.5-A.18 (14 domains) | Organisational, People, Physical, Technological
New controls | N/A | 11 new controls added (threat intelligence, cloud security, data masking, etc.)
Control merging | N/A | Many overlapping controls merged for clarity
Attributes | Not used | 5 attributes for each control (type, property, concept, capability, domain)
Core clauses (4-10) | Minor differences | Minor editorial changes only
11 New Controls in ISO 27001:2022
Control | Category | Purpose
A.5.7 | Organisational | Threat intelligence — gathering and analysing threat information
A.5.23 | Organisational | Information security for use of cloud services
A.5.30 | Organisational | ICT readiness for business continuity
A.7.4 | Physical | Physical security monitoring — surveillance and detection
 | | Web filtering — managing access to external websites
A.8.28 | Technological | Secure coding — applying security in software development
Transition deadline: Organisations certified under ISO 27001:2013 must transition to the 2022 version by 31 October 2025. All new certifications should be against the 2022 version.
Structure of the Standard
ISO 27001 consists of core clauses (4-10) that define the ISMS requirements, plus Annex A which provides the catalogue of controls.
Core Clauses
Clause | Title | Requirements
4 | Context of the organisation | Understand the organisation, interested parties, scope of the ISMS
5 | Leadership | Management commitment, information security policy, roles and responsibilities
6 | Planning | Risk assessment, risk treatment, information security objectives
7 | Support | Resources, competence, awareness, communication, documented information
Organisational Controls (37 controls: A.5.1-A.5.37)
Policies, roles, responsibilities, threat intelligence, asset management, access control, supplier management, incident management, business continuity, compliance, and privacy.
People Controls (8 controls: A.6.1-A.6.8)
Screening, terms of employment, awareness and training, disciplinary process, responsibilities after termination, confidentiality agreements, remote working, and information security event reporting.
Physical Controls (14 controls: A.7.1-A.7.14)
Physical security perimeters, physical entry, offices and facilities, physical security monitoring, protecting against threats, working in secure areas, clear desk and screen, equipment siting, security of off-site assets, storage media, supporting utilities, cabling security, equipment maintenance, and secure disposal.
Technological Controls (34 controls: A.8.1-A.8.34)
User endpoint devices, privileged access, information access restriction, authentication, capacity management, malware protection, vulnerability management, configuration management, information deletion, data masking, DLP, backup, redundancy, logging, monitoring, network security, web filtering, encryption, secure development, security testing, and change management.
Key principle: You do not have to implement all 93 controls. Your risk assessment determines which controls are necessary. The SoA documents your decisions and justifications for excluding any controls.
ISO 27001 Implementation: 7 Phases
Phase 1: Initiation (Weeks 1-2)
Secure management commitment and budget
Define the scope of the ISMS (which business units, locations, systems, and information)
Assign the ISMS project team and designate an ISMS manager
Set a realistic timeline (6-12 months typical)
Engage an implementation consultant if needed
Phase 2: Context and Gap Analysis (Weeks 2-6)
Identify internal and external issues affecting the ISMS (Clause 4.1)
Identify interested parties and their requirements (Clause 4.2)
Formally define and document the ISMS scope (Clause 4.3)
Conduct a gap analysis against ISO 27001:2022 requirements
Develop the project plan based on gap analysis results
Phase 3: Risk Assessment and Treatment (Weeks 4-10)
Define the risk assessment methodology (ISO 27005 recommended)
Create an information asset inventory with owners
Identify threats and vulnerabilities for each asset
Assess likelihood and impact of identified risks
Calculate risk levels and compare against risk acceptance criteria
Risk = Likelihood x Impact (using your defined matrix)
Step | Activity | Detail
8 | Compare against criteria | Determine which risks require treatment
9 | Select treatment | Mitigate, accept, transfer, or avoid
10 | Document decisions | Risk register, risk treatment plan, SoA
Risk Matrix Example
Likelihood \ Impact | Low (1) | Medium (2) | High (3) | Critical (4)
Very Likely (4) | Medium (4) | High (8) | High (12) | Critical (16)
Likely (3) | Low (3) | Medium (6) | High (9) | Critical (12)
Possible (2) | Low (2) | Medium (4) | Medium (6) | High (8)
Unlikely (1) | Low (1) | Low (2) | Low (3) | Medium (4)
Best practice: Review your risk assessment at least annually, after significant security incidents, and when there are major changes to systems, processes, or business activities. The risk assessment is a living document, not a one-time exercise.
Statement of Applicability (SoA)
The SoA is one of the most important ISMS documents. It lists all 93 Annex A controls and states for each one:
Whether the control is applicable to your organisation
Whether it is implemented
The justification for inclusion or exclusion
The implementation status and any notes
Control | Applicable? | Implemented? | Justification | Status
A.5.1 Policies for information security | Yes | Yes | Required for ISMS governance | Fully implemented
A.7.4 Physical security monitoring | Yes | Partial | CCTV at main office; remote site pending | In progress
A.8.28 Secure coding | No | N/A | Organisation does not develop software | Excluded
... | ... | ... | ... | ...
Auditor focus: The SoA is one of the first documents auditors review. Ensure exclusions are well-justified — "not currently a risk" is usually insufficient. The justification must demonstrate that the risk has been assessed and is genuinely not applicable.
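As an added worked example (not the article's or Vision Compliance's material), the Python below encodes the risk matrix above cell by cell, applies an assumed acceptance criterion (treat High and Critical, accept Low and Medium) and derives Statement of Applicability entries from the treatment decisions, so that every inclusion or exclusion traces back to an assessed risk. The register rows, asset names and catalogue titles are constructed sample data; the control numbers are ones this page names.

```python
"""Added example: risk register -> treatment decision -> SoA entries.
The 4x4 matrix is the article's; the acceptance criterion (treat High and
Critical, accept Low and Medium) and all register rows are constructed."""
from dataclasses import dataclass

LIKELIHOOD = {"Unlikely": 1, "Possible": 2, "Likely": 3, "Very Likely": 4}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Bands copied cell by cell from the article's matrix (row = likelihood
# value, index = impact value - 1). Looked up per cell rather than derived
# from the product, because the matrix puts score 12 in "High" for
# Very Likely x High but in "Critical" for Likely x Critical.
MATRIX = {
    4: ["Medium", "High", "High", "Critical"],
    3: ["Low", "Medium", "High", "Critical"],
    2: ["Low", "Medium", "Medium", "High"],
    1: ["Low", "Low", "Low", "Medium"],
}
TREAT_BANDS = {"High", "Critical"}  # assumed risk acceptance criterion

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: tuple  # Annex A controls proposed to modify this risk

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def band(self) -> str:
        return MATRIX[LIKELIHOOD[self.likelihood]][IMPACT[self.impact] - 1]

    def treatment(self) -> str:
        return "Treat" if self.band() in TREAT_BANDS else "Accept"

def build_soa(risks, catalogue):
    """Return {control: (applicable, justification)}. A control is applicable
    when a risk requiring treatment selects it; otherwise it is excluded with
    a justification that points back to the assessment, as auditors expect."""
    needed = {}
    for r in risks:
        if r.treatment() == "Treat":
            for c in r.controls:
                needed.setdefault(c, []).append(f"{r.asset}: {r.threat}")
    return {
        cid: ("Yes", f"{title}; treats {'; '.join(needed[cid])}") if cid in needed
        else ("No", f"{title}; no assessed risk above acceptance criteria needs it")
        for cid, title in catalogue.items()
    }

# Constructed sample register; control numbers are ones named in the article.
REGISTER = [
    Risk("Customer database", "Credential theft", "Likely", "Critical", ("A.8.5", "A.8.24")),
    Risk("Build pipeline", "Malicious code change", "Very Likely", "High", ("A.8.28",)),
    Risk("SaaS CRM", "Misconfigured sharing", "Possible", "Medium", ("A.5.23",)),
    Risk("Remote office", "Unnoticed intrusion", "Unlikely", "High", ("A.7.4",)),
]
CATALOGUE = {"A.5.23": "Cloud services", "A.7.4": "Physical security monitoring",
             "A.8.5": "Authentication", "A.8.24": "Cryptography", "A.8.28": "Secure coding"}

if __name__ == "__main__":
    for r in REGISTER:
        print(r.asset, r.score(), r.band(), r.treatment())
    print(build_soa(REGISTER, CATALOGUE))
```

Note that the two risks scoring 12 land in different bands, which is why the band must come from the matrix cell and not from a threshold on the product.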
The Certification Audit Process
Stage 1 Audit (Documentation Review)
The certification body reviews your ISMS documentation to confirm:
The ISMS scope is clearly defined and appropriate
All required documented information exists (policies, SoA, risk assessment, procedures)
The organisation is ready for the Stage 2 audit
Duration: Typically 1-2 days depending on scope
Outcome: Report identifying any areas that need attention before Stage 2
Stage 2 Audit (Implementation Assessment)
The auditor verifies that your ISMS is actually implemented and effective:
Interviews with staff at all levels
Review of records and evidence (logs, training records, incident reports)
Observation of processes in action
Testing of controls (e.g., requesting evidence of access reviews, backup restoration)
Assessment against all applicable Annex A controls
Duration: 3-10+ days depending on organisation size and scope
Outcome: Audit report with findings categorised as:
Finding Type | Definition | Impact
Major nonconformity | Failure to implement a requirement; systemic issue | Must be resolved before certification is granted
Minor nonconformity | Isolated lapse; partial implementation | Must be resolved within agreed timeframe (typically 90 days)
Observation | Area for improvement; not a failure | Recommended for continuous improvement
Opportunity for improvement | Suggestion to enhance the ISMS | Optional; demonstrates maturity if addressed
After Certification
Activity | Frequency | Purpose
Surveillance audit | Annually (Year 1 and Year 2) | Confirm ISMS continues to operate effectively
Recertification audit | Every 3 years | Full reassessment for certificate renewal
Internal audit | At least annually | Self-assessment of all ISMS elements
Management review | At least annually | Senior leadership review of ISMS performance
ISO 27001 Certification Cost
Costs vary significantly based on organisation size, complexity, and existing security maturity.
Cost Component | Small Organisation (50 employees) | Medium Organisation (250 employees) | Large Organisation (1,000+ employees)
Gap analysis and consulting | EUR 5,000-15,000 | EUR 15,000-40,000 | EUR 40,000-150,000
Implementation (internal effort) | 200-400 person-hours | 500-1,500 person-hours | 2,000-5,000+ person-hours
Technical controls | EUR 2,000-10,000 | EUR 10,000-50,000 | EUR 50,000-300,000+
Training | EUR 1,000-3,000 | EUR 3,000-10,000 | EUR 10,000-30,000
Certification audit | EUR 5,000-10,000 | EUR 10,000-25,000 | EUR 25,000-60,000
Annual surveillance | EUR 3,000-6,000 | EUR 6,000-15,000 | EUR 15,000-30,000
Total first year | EUR 15,000-45,000 | EUR 45,000-140,000 | EUR 140,000-570,000+
ROI consideration: A single significant data breach costs an average of EUR 4.3 million (IBM Cost of a Data Breach Report 2024). ISO 27001 certification costs are a fraction of a single incident. Many organisations also report reduced cyber insurance premiums of 10-30% after certification.
ISO 27001 and NIS2
ISO 27001 provides an excellent foundation for NIS2 compliance, covering approximately 70-80% of NIS2 requirements.
NIS2 Minimum Measure | ISO 27001 Coverage | Gap
Risk analysis and security policies | Clauses 6.1, 8.2, A.5.1 | None
Incident handling | A.5.24-A.5.28 | Partial — NIS2 24h/72h/1m timelines
Business continuity | A.5.29-A.5.30, A.8.13-A.8.14 | None
Supply chain security | A.5.19-A.5.23 | Partial — NIS2 goes further
Secure development | A.8.25-A.8.33 | None
Effectiveness assessment | Clauses 9.1-9.3 | None
Cyber hygiene and training | A.6.3, Clauses 7.2-7.3 | Partial — NIS2 mandates management training
Cryptography | A.8.24 | None
Access control | A.5.15-A.5.18, A.8.2-A.8.5 | None
MFA and secure comms | A.8.5 | Partial — NIS2 more specific on MFA
Bottom line: If you are pursuing NIS2 compliance, ISO 27001 certification is the most efficient foundation. You will need to supplement it with NIS2-specific incident reporting processes, management training, and national registration.
Read more: See our detailed NIS2 Compliance Checklist with complete ISO 27001 mapping for every requirement.
ISO 27001 and GDPR
ISO 27001 supports GDPR compliance, particularly the security requirements of Article 32.
GDPR Requirement | ISO 27001 Coverage
Article 32 — Security of processing | Comprehensively covered by the ISMS and Annex A controls
Article 25 — Data protection by design and default | Supported by A.8.25-A.8.33 (secure development) and the risk assessment process
Article 35 — DPIA | Risk assessment methodology can be extended to cover DPIAs
Articles 33-34 — Breach notification | A.5.24-A.5.28 cover incident management; GDPR-specific timelines need additional procedures
Article 28 — Processor requirements | A.5.19-A.5.23 cover supplier security management
Article 30 — Records of processing | Not covered — requires additional GDPR-specific documentation
ISO 27701: For organisations wanting to extend ISO 27001 to cover privacy management specifically, ISO 27701 provides a privacy information management extension that maps directly to GDPR requirements.
ISO 27001 vs SOC 2
Both ISO 27001 and SOC 2 are widely recognised security frameworks, but they serve different purposes and markets.
Aspect | ISO 27001 | SOC 2
 | | Type I: point-in-time; Type II: period (typically 12 months)
Global recognition | Strong globally, dominant in EU | Strong in North America, growing globally
Regulatory alignment | Maps well to NIS2, GDPR, DORA | Less direct regulatory mapping
Cost | Generally higher upfront | Generally lower for Type I; comparable for Type II
Best for | EU-focused organisations; regulatory compliance | US-focused SaaS companies; customer assurance
Both? Many organisations pursuing international markets obtain both ISO 27001 and SOC 2 Type II. The overlap is significant — approximately 60-70% of controls are shared.
Common Implementation Mistakes
1. Over-Documenting
Problem: Creating hundreds of pages of policies and procedures that nobody reads or follows.
Solution: Write concise, practical documents. A 3-page security policy that staff actually read is better than a 50-page document that collects dust. Focus on what people need to do, not theoretical completeness.
2. Treating the Risk Assessment as a Checkbox
Problem: Conducting a superficial risk assessment to satisfy the auditor without genuinely identifying and addressing risks.
Solution: Take the risk assessment seriously — it is the foundation of your entire ISMS. Involve business stakeholders, not just IT. Use the results to drive real security improvements.
3. Ignoring the "People" Controls
Problem: Focusing exclusively on technology while neglecting training, awareness, and organisational culture.
Solution: People are involved in the majority of security incidents. Invest in meaningful training, phishing simulations, and building a security-conscious culture.
4. Scope Creep (or Scope Too Narrow)
Problem: Either defining the scope too broadly (making implementation unmanageable) or too narrowly (creating a "paper certification" that does not cover critical systems).
Solution: Define the scope based on business risk. Include all systems and processes that handle sensitive information. Start smaller if needed and expand over time.
5. No Management Commitment
Problem: ISMS is treated as an IT project without genuine leadership support.
Solution: ISO 27001 Clause 5 requires leadership commitment — and auditors will verify it. Ensure the board or senior management is visibly involved, allocates resources, and participates in management reviews.
6. Forgetting Continuous Improvement
Problem: Achieving certification and then letting the ISMS stagnate.
Solution: The PDCA cycle is core to ISO 27001. Schedule regular internal audits, management reviews, and risk assessment updates. Treat certification as the beginning, not the end.
ISO 27001 Checklist
A quick-reference implementation checklist:
Preparation
Secure management commitment and budget approval
Define the ISMS scope (locations, systems, information types)
Appoint an ISMS manager and project team
Conduct a gap analysis against ISO 27001:2022
Core Documentation
Information security policy (Clause 5.2)
Risk assessment methodology (Clause 6.1.2)
Risk assessment results and risk register (Clause 8.2)
Risk treatment plan (Clause 6.1.3)
Statement of Applicability (Clause 6.1.3 d)
Information security objectives (Clause 6.2)
Supporting policies for applicable Annex A controls
Procedures for key processes (incident management, access control, backup, etc.)
Continuous improvement based on incidents, changes, and audit findings
FAQ
How long does ISO 27001 certification take?
Typically 6-12 months from project initiation to certificate issuance. Organisations with existing security frameworks (SOC 2, NIST CSF) can often accelerate to 4-6 months. Very large or complex organisations may need 12-18 months.
Do I need to implement all 93 Annex A controls?
No. You implement only the controls that your risk assessment identifies as necessary. However, you must justify the exclusion of any control in your Statement of Applicability. In practice, most organisations implement 70-80+ controls.
Is ISO 27001 mandatory?
ISO 27001 is a voluntary standard. However, it is increasingly referenced in regulations (NIS2, DORA) and required by clients, particularly in technology, finance, healthcare, and government contracting.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 defines the requirements for the ISMS (what you must do). ISO 27002 provides implementation guidance for the Annex A controls (how to do it). Only ISO 27001 can be certified against.
Can I certify only part of my organisation?
Yes. You define the scope of the ISMS. It is common to certify specific business units, systems, or locations. However, the scope must be clearly defined and make business sense — auditors will assess whether scope exclusions are justified.
How much does the audit itself cost?
Certification audit costs depend on the number of audit days, which is determined by the number of employees in scope, the number of sites, and the complexity of the ISMS. Expect EUR 5,000-10,000 for small organisations, EUR 10,000-25,000 for medium, and EUR 25,000-60,000 for large.
What happens if we fail the audit?
Major nonconformities must be resolved before the certificate is issued, but this does not mean you "failed" — you have a defined period (typically 90 days) to implement corrective actions and provide evidence. Minor nonconformities are addressed during the certification cycle. Very few organisations are refused certification entirely.
How does ISO 27001 help with cyber insurance?
Many insurers offer premium reductions of 10-30% for ISO 27001 certified organisations. The certification demonstrates a mature security posture, reducing the insurer's perceived risk. Some insurers now require certification as a condition for coverage.
Conclusion
ISO 27001 certification is one of the most impactful investments an organisation can make in its security posture. It provides a structured, risk-based framework that goes beyond implementing individual controls to building a genuine culture of information security.
For organisations facing NIS2 compliance obligations, ISO 27001 is the most efficient foundation — covering approximately 70-80% of NIS2 requirements while also supporting GDPR, DORA, and client contractual requirements.
Key success factors:
Start with genuine risk assessment — let your specific risks drive your controls, not a generic template
Invest in people — technology alone will not protect you; trained, aware staff are your strongest defence
Keep documentation practical — policies that people actually follow beat comprehensive documents that no one reads
Commit to the journey — certification is the beginning, not the end; the PDCA cycle drives continuous improvement
Engage leadership — without visible management commitment, the ISMS will not succeed
Need support with ISO 27001 implementation? Vision Compliance provides end-to-end guidance — from gap analysis and risk assessment to audit preparation and ongoing ISMS support.
Robert Lozo, mag. iur., is a Partner at Vision Compliance specializing in EU regulatory compliance. He advises organizations on GDPR, NIS2, AI Act, and financial regulation, delivering audit-ready documentation and compliance roadmaps across regulated industries.