ISO 27001 is the international standard for information security management, providing a systematic framework for protecting sensitive information. Certification demonstrates to customers, partners, and regulators that your organisation takes information security seriously and has implemented robust controls.
This guide walks you through everything you need to know about ISO 27001, from understanding the requirements to achieving and maintaining certification.
What is ISO 27001?
ISO/IEC 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It was originally published in 2005 and most recently updated in 2022.
The standard provides a systematic approach to managing sensitive company information, encompassing people, processes, and technology. It applies to organisations of any size and sector.
Key Concepts
Information Security Management System (ISMS): A set of policies, procedures, and controls designed to systematically manage information security risks.
Risk-based approach: ISO 27001 requires organisations to identify, assess, and treat information security risks based on their specific context.
Continuous improvement: The standard follows the Plan-Do-Check-Act (PDCA) cycle, requiring ongoing monitoring and improvement.
Annex A controls: A reference set of 93 security controls organised into four themes that organisations can select based on their risk assessment.
ISO 27001 vs ISO 27002
These standards work together but serve different purposes:
| ISO 27001 | ISO 27002 |
|---|---|
| Contains requirements for an ISMS | Provides guidance on implementing controls |
| Can be certified against | Cannot be certified against |
| Defines what must be done | Explains how to do it |
| Includes Annex A control objectives | Provides detailed control guidance |
Benefits of ISO 27001 Certification
Business Benefits
Customer confidence: Certification provides independent assurance that your organisation protects information appropriately.
Competitive advantage: Many customers, particularly enterprises and government bodies, require or prefer ISO 27001-certified suppliers.
Regulatory alignment: ISO 27001 maps to multiple regulatory requirements (GDPR, NIS2, DORA), simplifying compliance.
Reduced incidents: Systematic risk management reduces the likelihood and impact of security incidents.
Insurance benefits: Some insurers offer reduced premiums for certified organisations.
Operational Benefits
Structured approach: Provides a framework for organising security activities systematically.
Clear responsibilities: Defines roles, responsibilities, and authorities for information security.
Improved processes: Documentation requirements drive process standardisation and efficiency.
Better risk management: Formal risk assessment processes improve decision-making.
Continuous improvement: Built-in review mechanisms drive ongoing enhancement.
ISO 27001:2022 Structure
The current version of ISO 27001 (published in 2022) follows the Harmonised Structure common to all ISO management system standards.
Main Clauses (4-10)
Clause 4: Context of the Organisation
- Understanding the organisation and its context
- Understanding stakeholder needs and expectations
- Determining the scope of the ISMS
- Information security management system
Clause 5: Leadership
- Leadership and commitment
- Information security policy
- Organisational roles, responsibilities, and authorities
Clause 6: Planning
- Actions to address risks and opportunities
- Information security objectives and planning
Clause 7: Support
- Resources
- Competence
- Awareness
- Communication
- Documented information
Clause 8: Operation
- Operational planning and control
- Information security risk assessment
- Information security risk treatment
Clause 9: Performance Evaluation
- Monitoring, measurement, analysis, and evaluation
- Internal audit
- Management review
Clause 10: Improvement
- Continual improvement
- Nonconformity and corrective action
Annex A Controls
ISO 27001:2022 includes 93 controls organised into four themes:
Organisational Controls (37 controls)
| Control Area | Examples |
|---|---|
| Policies | Information security policies, policy reviews |
| Organisation | Roles and responsibilities, segregation of duties |
| Human resources | Screening, terms and conditions, awareness |
| Asset management | Inventory, acceptable use, return of assets |
| Access control | Access policy, user registration, privilege management |
| Supplier relationships | Supplier security policy, supply chain security |
| Incident management | Responsibilities, reporting, response, learning |
| Business continuity | Planning, implementation, verification |
| Compliance | Legal requirements, intellectual property, privacy |
People Controls (8 controls)
| Control Area | Examples |
|---|---|
| Screening | Background verification before employment |
| Terms and conditions | Employment agreements including security responsibilities |
| Awareness and training | Security awareness programme |
| Disciplinary process | Actions for information security violations |
| Responsibilities after termination | Ongoing obligations after employment ends |
| Confidentiality agreements | Non-disclosure agreements |
| Remote working | Security for remote work arrangements |
| Information security event reporting | Reporting suspicious activities |
Physical Controls (14 controls)
| Control Area | Examples |
|---|---|
| Security perimeters | Physical boundary protection |
| Physical entry | Access control to secure areas |
| Offices and facilities | Physical security of work areas |
| Physical security monitoring | Surveillance and monitoring |
| Protection against threats | Environmental protection |
| Working in secure areas | Procedures for secure areas |
| Clear desk and screen | Protecting information when unattended |
| Equipment siting | Placement to reduce risks |
| Equipment security | Protecting equipment off-premises |
| Storage media | Managing removable media |
| Supporting utilities | Protecting power, connectivity |
| Cabling security | Protecting network and power cables |
| Equipment maintenance | Maintaining equipment properly |
| Secure disposal | Disposing of equipment securely |
Technological Controls (34 controls)
| Control Area | Examples |
|---|---|
| Endpoint devices | User endpoint security |
| Privileged access | Managing privileged access rights |
| Information access | Restricting access to information |
| Source code access | Protecting source code |
| Secure authentication | Authentication mechanisms |
| Capacity management | Monitoring and planning capacity |
| Malware protection | Protection against malicious software |
| Vulnerability management | Technical vulnerability management |
| Configuration management | Secure configurations |
| Information deletion | Secure deletion of information |
| Data masking | Protecting sensitive data |
| Data leakage prevention | Preventing data loss |
| Information backup | Backup procedures |
| Redundancy | Availability through redundancy |
| Logging | Activity logging |
| Monitoring | Security monitoring activities |
| Clock synchronisation | Time synchronisation |
| Use of utilities | Managing privileged utility programs |
| Software installation | Controlling software installation |
| Network security | Network security management |
| Network services | Security of network services |
| Web services | Security of web-based services |
| Application security | Secure development practices |
| Secure coding | Secure coding principles |
| Security testing | Testing security requirements |
| Outsourced development | Security in outsourced development |
| Separation of environments | Separating development, test, production |
| Change management | Managing changes to systems |
| Test information | Protecting test data |
| Audit system protection | Protecting audit logs |
Statement of Applicability
The Statement of Applicability (SoA) is a required document that:
- Lists all 93 Annex A controls
- States whether each control is applicable or not
- Justifies any exclusions
- Indicates implementation status
- References implementation documentation
The SoA is a key audit document and must be kept current as your ISMS evolves.
ISO 27001 Implementation Steps
Phase 1: Preparation (Weeks 1-4)
Secure management commitment
- Present business case to leadership
- Obtain budget and resource allocation
- Appoint ISMS project manager
- Establish project governance
Define scope
- Identify business processes to include
- Determine organisational boundaries
- Define technological boundaries
- Document scope statement
Establish project plan
- Create detailed implementation timeline
- Identify resource requirements
- Define milestones and deliverables
- Establish communication plan
Phase 2: Context and Planning (Weeks 5-8)
Understand context
- Analyse internal and external issues affecting information security
- Identify interested parties and their requirements
- Document context analysis
Conduct gap analysis
- Assess current state against ISO 27001 requirements
- Identify existing controls and documentation
- Determine gaps requiring remediation
- Prioritise remediation activities
Establish ISMS framework
- Define ISMS governance structure
- Assign roles and responsibilities
- Develop information security policy
- Create ISMS documentation structure
Phase 3: Risk Assessment (Weeks 9-12)
Define risk methodology
- Select risk assessment approach
- Define risk criteria (likelihood, impact scales)
- Establish risk acceptance criteria
- Document risk assessment methodology
Identify assets and risks
- Create information asset inventory
- Identify threats and vulnerabilities
- Determine potential impacts
- Document risk scenarios
Analyse and evaluate risks
- Assess likelihood of each risk
- Assess potential impact
- Calculate risk levels
- Compare against acceptance criteria
Develop risk treatment plan
- Select treatment options (mitigate, accept, transfer, avoid)
- Map controls to risks
- Create risk treatment plan
- Obtain management approval
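The Phase 3 steps above (define scales and acceptance criteria, score each risk, compare against the criteria, choose a treatment and map controls) as an added worked example; it is not the page's or Vision Compliance's code. It assumes 1-5 likelihood and impact scales, risk level = likelihood x impact, and an acceptance threshold of 10; the control references are illustrative picks from the Annex A ranges the page cites, and the risk register is constructed.

```python
"""Risk assessment and treatment plan for an ISMS (added worked example).

Assumed methodology (not prescribed by ISO 27001 itself): 1-5 scales for
likelihood and impact, risk level = likelihood x impact, and any risk at or
above ACCEPTANCE_THRESHOLD may not simply be accepted.
"""
from dataclasses import dataclass, field

ACCEPTANCE_THRESHOLD = 10          # assumed acceptance criterion
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    treatment: str                 # one of TREATMENTS
    controls: list = field(default_factory=list)   # Annex A references

    def level(self) -> int:
        """Risk level on the assumed likelihood x impact scale."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact


def validate(risk: Risk) -> list:
    """Methodology violations for one risk; an empty list means consistent."""
    problems = []
    if risk.treatment not in TREATMENTS:
        problems.append(f"{risk.scenario}: unknown treatment {risk.treatment!r}")
    elif risk.treatment == "accept" and risk.level() >= ACCEPTANCE_THRESHOLD:
        problems.append(f"{risk.scenario}: level {risk.level()} exceeds acceptance criteria")
    if risk.treatment == "mitigate" and not risk.controls:
        problems.append(f"{risk.scenario}: mitigation has no controls mapped")
    return problems


def register_problems(risks) -> list:
    """All violations across the register, for management review before approval."""
    return [p for r in risks for p in validate(r)]


def treatment_plan(risks) -> list:
    """(scenario, level, treatment, controls) ordered by level, highest first."""
    ranked = sorted(risks, key=lambda r: r.level(), reverse=True)
    return [(r.scenario, r.level(), r.treatment, list(r.controls)) for r in ranked]


def applicable_controls(risks) -> list:
    """Controls mapped to any risk: the candidates to mark applicable in the SoA."""
    return sorted({c for r in risks for c in r.controls})


# Constructed sample register; control IDs are illustrative Annex A references.
REGISTER = [
    Risk("Customer DB", "Unpatched server exploited", 4, 5, "mitigate", ["A.8.8"]),
    Risk("Payroll SaaS", "Supplier breach exposes data", 2, 4, "transfer", ["A.5.19"]),
    Risk("Data centre", "Prolonged power outage", 2, 5, "accept"),   # violates criteria
    Risk("Legacy tool", "Unsupported reporting script", 1, 2, "accept"),
]

if __name__ == "__main__":
    for line in treatment_plan(REGISTER):
        print(line)
    print("Problems:", register_problems(REGISTER))
    print("SoA applicable:", applicable_controls(REGISTER))
```

The flagged entry shows the check auditors look for: a risk scored above the acceptance criteria cannot be "accepted" without either re-scoring with evidence or choosing another treatment.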
Phase 4: Control Implementation (Weeks 13-24)
Develop documentation
- Create required policies and procedures
- Develop operational documentation
- Establish record-keeping processes
- Implement document control
Implement controls
- Deploy technical controls
- Implement organisational controls
- Establish physical security measures
- Configure people-related controls
Create Statement of Applicability
- Document control selection decisions
- Justify any control exclusions
- Reference implementation evidence
- Obtain management approval
Phase 5: Operation and Monitoring (Weeks 25-32)
Implement monitoring
- Deploy security monitoring tools
- Establish metrics and KPIs
- Create monitoring dashboards
- Implement alerting mechanisms
Conduct awareness training
- Develop training materials
- Deliver awareness sessions
- Document training completion
- Assess training effectiveness
Establish incident management
- Define incident response procedures
- Train incident response team
- Conduct incident response exercises
- Document incident handling
Perform internal audits
- Plan internal audit programme
- Train or engage internal auditors
- Conduct internal audits
- Document findings and corrective actions
Phase 6: Management Review (Weeks 33-36)
Prepare management review
- Compile ISMS performance data
- Document audit results
- Summarise incidents and changes
- Prepare improvement recommendations
Conduct management review
- Present ISMS status to leadership
- Review risk assessment results
- Discuss resource requirements
- Make decisions on improvements
Document outcomes
- Record management review minutes
- Document decisions and actions
- Assign responsibilities
- Update ISMS as needed
Phase 7: Certification Audit (Weeks 37-44)
Select certification body
- Research accredited certification bodies
- Request proposals
- Evaluate auditor competence
- Engage selected certification body
Stage 1 audit (documentation review)
- Provide documentation to auditor
- Participate in Stage 1 audit
- Receive Stage 1 findings
- Address any issues identified
Stage 2 audit (implementation assessment)
- Host on-site audit activities
- Demonstrate control implementation
- Provide evidence of effectiveness
- Receive audit findings
Address nonconformities
- Analyse any nonconformities
- Implement corrective actions
- Provide evidence of correction
- Obtain certification recommendation
The Certification Audit Process
Stage 1 Audit
The Stage 1 audit is primarily a documentation review to determine readiness for the Stage 2 audit.
Focus areas:
- ISMS scope and boundaries
- Information security policy
- Risk assessment methodology and results
- Statement of Applicability
- Internal audit and management review records
Outcomes:
- Confirmation of readiness for Stage 2
- Identification of areas of concern
- Opportunities for improvement
- Stage 2 audit planning
Duration: Typically 1-2 days depending on scope.
Stage 2 Audit
The Stage 2 audit assesses the implementation and effectiveness of your ISMS.
Focus areas:
- Implementation of controls from SoA
- Risk treatment plan execution
- Effectiveness of security measures
- Competence and awareness of personnel
- Monitoring and measurement processes
- Internal audit and management review effectiveness
- Continual improvement activities
Audit methods:
- Interviews with staff at all levels
- Observation of processes and controls
- Review of records and evidence
- Sampling of activities and transactions
Outcomes:
- Major nonconformities (must be corrected before certification)
- Minor nonconformities (can be corrected after certification)
- Opportunities for improvement
- Certification recommendation
Duration: Typically 3-10 days depending on scope and organisation size.
Surveillance Audits
After initial certification, surveillance audits occur annually to verify ongoing compliance.
Focus:
- Review of corrective actions from previous audits
- Sampling of ISMS processes and controls
- Changes since last audit
- Internal audit and management review
- Complaints and incidents
- Continual improvement activities
Duration: Typically 1-3 days annually.
Recertification Audit
Certificates are valid for three years. Before expiry, a recertification audit is required.
Focus:
- Complete review of ISMS effectiveness
- Changes over the certification cycle
- Performance against objectives
- Continued conformity to all requirements
Duration: Similar to initial Stage 1 and Stage 2 audits combined.
Common Implementation Challenges
Challenge: Scope Creep
Problem: ISMS scope expands during implementation, increasing complexity and cost.
Solution: Define scope precisely at the outset. Document boundaries clearly. Resist pressure to expand without formal change control.
Challenge: Documentation Overload
Problem: Creating excessive documentation that becomes unmanageable.
Solution: Document what is necessary for control and evidence. Focus on usability. Leverage existing documentation where possible.
Challenge: Risk Assessment Complexity
Problem: Risk assessment becomes too complex or time-consuming.
Solution: Start with a pragmatic methodology. Focus on significant risks. Use qualitative approaches initially. Refine over time.
Challenge: Control Implementation
Problem: Difficulty implementing all necessary controls within timeline.
Solution: Prioritise based on risk. Address high-risk areas first. Accept that some controls may be partially implemented at certification.
Challenge: Staff Engagement
Problem: Staff see ISMS as bureaucratic overhead rather than valuable protection.
Solution: Communicate benefits clearly. Involve staff in development. Make controls practical and user-friendly. Celebrate successes.
Challenge: Maintaining Momentum
Problem: Initial enthusiasm wanes after certification.
Solution: Integrate the ISMS into business as usual. Automate where possible. Link security to business objectives. Communicate its value regularly.
ISO 27001 and Other Standards/Regulations
ISO 27001 and GDPR
ISO 27001 supports GDPR compliance but does not guarantee it:
| ISO 27001 Supports | GDPR Additionally Requires |
|---|---|
| Security of processing (Article 32) | Lawful basis for processing |
| Confidentiality, integrity, availability | Data subject rights |
| Risk assessment | Data Protection Impact Assessment |
| Incident management | 72-hour breach notification |
| Staff training | Privacy by design |
| Documentation | Records of processing |
ISO 27001 and NIS2
For organisations in scope of NIS2, ISO 27001 provides a strong foundation:
| NIS2 Requirement | ISO 27001 Support |
|---|---|
| Risk management | Clauses 6 and 8 - Risk assessment and treatment |
| Incident handling | A.5.24-A.5.28 - Incident management |
| Business continuity | A.5.29-A.5.30 - Business continuity |
| Supply chain security | A.5.19-A.5.23 - Supplier relationships |
| Vulnerability management | A.8.8 - Technical vulnerabilities |
ISO 27001 and SOC 2
ISO 27001 and SOC 2 overlap significantly but have differences:
| ISO 27001 | SOC 2 |
|---|---|
| International standard | US-focused framework |
| Prescriptive controls | Principles-based criteria |
| 3-year certification | Annual attestation |
| Any organisation | Primarily service organisations |
| Broad information security | Trust Service Criteria focus |
Many organisations pursue both ISO 27001 certification and a SOC 2 attestation, leveraging the controls they share.
Costs and Timeline
Typical Costs
| Cost Category | Small Organisation | Medium Organisation | Large Organisation |
|---|---|---|---|
| Gap analysis | EUR 3,000-8,000 | EUR 8,000-15,000 | EUR 15,000-30,000 |
| Implementation support | EUR 15,000-30,000 | EUR 30,000-80,000 | EUR 80,000-200,000 |
| Technology investments | EUR 5,000-20,000 | EUR 20,000-100,000 | EUR 100,000+ |
| Certification audit | EUR 5,000-10,000 | EUR 10,000-25,000 | EUR 25,000-50,000 |
| Annual surveillance | EUR 3,000-6,000 | EUR 6,000-15,000 | EUR 15,000-30,000 |
Typical Timeline
| Organisation Size | Implementation | Total to Certification |
|---|---|---|
| Small (< 50 employees) | 3-6 months | 6-9 months |
| Medium (50-250 employees) | 6-9 months | 9-12 months |
| Large (250+ employees) | 9-18 months | 12-24 months |
Timelines depend on:
- Current security maturity
- Scope complexity
- Resource availability
- Management commitment
- Existing documentation
Maintaining Certification
Ongoing Activities
Daily/Weekly:
- Security monitoring and log review
- Incident handling
- Access management
- Vulnerability scanning
Monthly:
- Security metrics reporting
- Policy exception reviews
- Change management reviews
- Training delivery
Quarterly:
- Risk register review
- Control effectiveness testing
- Third-party security reviews
- Management reporting
Annually:
- Complete risk assessment review
- Internal audit programme
- Management review
- Surveillance audit
- Awareness training refresh
Continual Improvement
ISO 27001 requires continual improvement through:
- Corrective actions for nonconformities
- Preventive actions for potential issues
- Enhancement opportunities from audits
- Learning from incidents
- Incorporating new threats and technologies
- Feedback from interested parties
Conclusion
ISO 27001 certification represents a significant commitment but delivers substantial value. The structured approach to information security management reduces risk, builds stakeholder confidence, and creates competitive advantage.
Success factors for ISO 27001 implementation include:
- Strong leadership commitment from the outset
- Realistic scope that balances comprehensiveness with achievability
- Pragmatic risk assessment focused on significant risks
- Staff engagement through communication and training
- Sustainable processes that integrate with business operations
- Continuous improvement culture beyond certification
Start with a clear understanding of your objectives, secure appropriate resources, and maintain focus throughout the implementation journey. The result will be a robust information security management system that protects your organisation and demonstrates your commitment to security.
Need support with ISO 27001 implementation? Vision Compliance helps organisations achieve and maintain ISO 27001 certification efficiently. Contact us to discuss your certification journey.