International Organization for Standardization - ISO/IEC 27001:2022
The Ultimate Guide to ISO 27001

What is ISO 27001?

ISO 27001 is a globally recognized standard for information security management systems (ISMS). It sets the criteria for what an ISMS must meet, providing comprehensive guidance applicable to companies of all sizes and from all industries.

By adhering to this standard, organizations ensure they have implemented a robust system to manage the security risks associated with their data. This compliance confirms that they follow the best practices and principles outlined in the standard.

The importance of this standard continues to escalate. This standard advocates for a comprehensive approach to information security that scrutinizes people, policies, and technology. An ISMS structured around ISO 27001 facilitates effective risk management, enhances cyber resilience, and promotes operational excellence. Over the years, it has evolved to stay aligned with the changing nature of cyber risks, continually adapting its frameworks to protect sensitive information and systems better.

Understanding the latest ISO 27001 amendment

ISO 27001 Amendment 1 introduces a significant update to the standard by incorporating climate change considerations into the information security management system. This amendment, also known as the ISO/IEC 27001:2022 Amendment 1 Climate Action Changes, requires organizations to determine whether climate change is a relevant issue to their business and information security operations. ISO/IEC 27001:2022 Amendment 1 was released in February 2024.

If climate change is identified as a pertinent risk, organizations are required to document this in the Clause 4.1 (Understanding the organization and its context) and Clause 4.2 (Understanding the needs and expectations of interested parties) sections of their ISMS. They must also update their Information Security Management System documentation to show how they plan to address climate change considerations and any necessary actions regarding information security, including updates to risk management procedures and risk registers as applicable. For those who conclude that climate change does not significantly impact their ISMS, a simple acknowledgment in their documentation suffices.

Furthermore, organizations need to engage with their stakeholders to determine if and how climate change is relevant to them. This dialogue should be documented as part of the same ISMS documentation updates, alongside the planned actions on climate change considerations and information security. The amendment reflects a broader trend of integrating environmental considerations into core business strategies and operations.

ISO 27001 certification is also key to securing contracts with large companies and government organizations.

Going through the ISO 27001 certification process can be time-consuming and expensive, especially if your organization doesn’t have compliance expertise or modern tools to handle the work. Here’s the good news: there is a way to gain control over your ISO 27001:2022 compliance program and dramatically reduce your workload. Hyperproof also supports ISO 27001:2013.

Developed by the International Organization for Standardization, ISO 27001:2022 is an information security standard providing requirements for an information security management system (ISMS). ISO 27001:2022 defines what an ISMS is, what is required to be included within an ISMS, and how management should implement, monitor, and maintain an ISMS. It is notable for being an all-encompassing framework for protecting all types of digital information, including employee data, financial data, customer data, corporate IP, and third-party entrusted information.

Most organizations were audited on ISO 27001:2013 throughout 2023. Current certifications for ISO 27001:2013 need to be completed by the end of April 2024. Certifications for ISO 27001:2022 should be conducted by July 31, 2025. Starting Nov 1, 2025, all remaining 2013 certificates will be withdrawn and considered to be expired.

The standard also comes with a control set for organizations to implement to address their information security risk, known as Annex A of ISO 27001.

To obtain a certification, an organization must hire an accredited certification body to perform an independent assessment verifying that the organization’s ISMS conforms to the ISO 27001:2022 standard requirements. An issued certificate is valid for a three-year term, during which time surveillance audits must be completed. The ISO certificate means that the ISMS is actively implemented and operating effectively.

A comprehensive guide to ISO 27001 certification

ISO/IEC 27001 is the gold standard for information security, and understanding its requirements is crucial for businesses operating in security-conscious industries. Our exclusive ebook, Getting to Know the ISO 27001 Standard, provides practical guidance on achieving ISO 27001 certification requirements.

Gain valuable insights into key steps for becoming certified, determining scope, familiarizing yourself with control families and annex controls, and project management tips for certification readiness. Don’t miss out on this opportunity to enhance your information security practices. Download our guide now for actionable strategies and expert tips!

What are the benefits of compliance?

Having an ISO 27001 certification can provide a competitive advantage for an organization, signaling that the organization has invested significant time and resources in information security. Remember that an organization must clear a high bar to receive a certification; a certificate can only be issued by an accredited certification body and only after the organization demonstrates that they have all the required processes in place and can provide appropriate objective evidence to support compliance with all requirements in Clauses 4–10 of the standard.

You might even find that your B2B customers require it, and you could lose out on business if you don’t pursue the certification. If you’re selling software or services, your customers will want to see your certification to have confidence that their data will be protected and that you won’t introduce vulnerabilities into their systems.

The certification can also help you protect your reputation in the event of a data breach. When customer data is accessed or stolen, reputations suffer. However, showing that your business complies with one of the most stringent security standards can help you demonstrate your good faith efforts to protect their data and privacy. In fact, several states in the U.S. passed laws in 2021 establishing a safe harbor for organizations that create and maintain written cybersecurity programs that meet the standard.

In addition, if your business is ISO 27001 compliant, it’s highly likely that you’re well on your way to becoming compliant with other security standards, laws and regulations.

Lastly, a certification can help reduce audit fatigue by eliminating or reducing the need for spot audits from customers and business partners. Many companies annually audit their customers and business partners as part of their risk management process. As a vendor, you may be bombarded with a high volume of time-consuming audits coming from multiple sources. A certification is a great solution for this, as companies will often accept your certification in place of conducting a separate audit.

Preparing for the certification process

As a first step, you need to determine which areas of your business will be within the scope of your Information Security Management System (ISMS). Each business is unique and houses different types and amounts of data, so before building out your ISO 27001 compliance program, you need to know exactly what information you need to protect.

Conservatively, businesses should plan on spending around a year to become ISO 27001 compliant and certified. You’ll need to undertake several activities before your organization is ready to go through a formal audit. Getting ready for an ISO 27001 certification audit involves the following key steps:

Develop a project plan

It’s important to treat your ISO 27001 initiative as a project that needs to be managed diligently. Planning involves several key pieces, including getting leadership commitment, understanding the needs and expectations of all parties that have a stake in information security, and determining the boundaries of your ISMS. Stakeholder needs and ISMS boundary requirements are outlined in Clause 4 of ISO 27001, with stakeholder identification specifically addressed in Clause 4.2.

Getting leadership commitment early in the process is key because your leadership team will need to be aware of ISO 27001 requirements and commit to performing certain key activities, such as setting security objectives and ensuring that information security management system requirements are integrated into your organization’s processes.

Define an information risk assessment process and use that process to identify, analyze and evaluate information security risks

ISO 27001 requires each organization to define an information risk assessment process that contains risk acceptance criteria and criteria for performing information security risk assessments. Each organization also needs to ensure that their risk assessment process is set up to produce consistent and comparable results.

Once the risk assessment process is created, your organization will need to use it to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the ISMS and track those risks somewhere (ideally in a centralized risk register).

Design and implement ISO 27001 controls to treat security risks identified during your risk assessment process

During this stage, you’ll need to determine which controls are needed to sufficiently address the risks you’ve identified. You’ll need to refer to ISO 27001 Annex A as your control baseline and ensure no necessary controls are overlooked. You should assign individuals or teams to manage the risks, ensuring they’re on board with the proposed controls and accept the residual information security risks. Keep in mind that your entire control set, as well as your control selection process, needs to be documented: organizations must produce a Statement of Applicability that records control selection with appropriate justifications for inclusion and exclusion of controls, and your auditors will ask to see this documentation as part of their assessment.

Conduct an internal audit

How can you be sure that your ISMS is effectively implemented and maintained? The key is to conduct your own internal audit of your ISMS and control activities at regular intervals. ISO 27001 Clause 9 contains a number of requirements on how an internal audit ought to be conducted (ISO calls this “performance evaluation”). In ISO language, if you find that the ISMS isn’t conforming to ISO standards, or if it’s not effectively implemented or maintained, that finding is a “nonconformity.” Again, you must retain evidence of the audit process and audit results.

Address the nonconformities found during the internal audit and take corrective action

ISO 27001 Clause 10 requires your organization’s management team to review the results of internal audits and react to “nonconformities” that were discovered. Treatment might involve taking action to control and correct the nonconformity or making a more significant change to the ISMS. Again, your organization needs to retain documentation of the nature of issues, any subsequent actions taken, and the results of any corrective actions.

ISO 27001 compliance checklist: key points for implementation

  1. Get executive support: For certification, the organization must openly embrace change as it may involve implementing new policies, tools and training on security topics. Having senior executives’ support is crucial for the project’s success.
  2. Conduct a gap analysis: An ISO 27001 gap analysis helps identify disparities between your organization’s existing security measures and the standard’s requirements. If internal expertise is lacking, hire an external consultant.
  3. Assign a project leader: To ensure smooth progress and efficient communication, a dedicated project leader should be assigned to manage and drive the project forward.
  4. Careful scoping: To determine which information assets need protection, scoping is essential. Maintain a balance, as too broad or too narrow a scope can either inflate costs or leave you at risk.
  5. Establish an ISO 27001-approved risk management framework: Risk assessment is crucial for ISO 27001 compliance. Using an approved risk assessment methodology that complies with ISO 27001 Requirement 6.1.3 ensures that all potential risks are covered.
  6. Organize control implementation: Prioritize controls and manage risks by splitting up work into manageable sprints. A compliance project management tool can help track progress.
  7. Map existing controls to ISO 27001 requirements: Map your existing controls (from previous compliance programs) to ISO 27001 to avoid duplicative work. Use compliance software for easier management.
  8. Prepare the RTP and SoA: Documenting risks and controls consistently can make preparing the Risk Treatment Plan (RTP) and Statement of Applicability (SoA) easier and less time-consuming.
  9. Combine audits: If ISO 27001 isn’t the only security audit your organization undergoes, try to combine all audits within the same timeframe to reduce the compliance team’s burden.
  10. Use a compliance operations platform: To efficiently manage all compliance work, use a central compliance operations platform. It helps compliance professionals drive accountability across an organization. Such platforms help

The ISO 27001 audit process

Once you have completed the steps outlined above, you’re ready to invite an independent auditor to conduct the ISMS audit.

An ISO 27001 audit occurs in two stages:

Stage 1

Conduct a comprehensive documentation review of the organization’s entire ISMS, including all documented policies, procedures, risk assessment reports, and supporting documentation, to assess alignment with ISO 27001 standards and identify any gaps or inconsistencies. At the end of the Stage 1 assessment, your auditing firm will write up any areas of concern, gaps in documentation, or readiness issues they identified and issue a Stage 1 report that determines whether the organization is ready to proceed to Stage 2.

Once you have a Stage 1 report in hand, your organization should review the results and implement a corrective action plan (CAP) to address any documented gaps, areas of concern, or readiness issues your auditor has identified, implement the corrective actions, and gather evidence of correction and remediation. The external auditor has no responsibility in this step.

Stage 2

The external auditing firm will perform the Stage 2 audit. This includes a review of any findings from Stage 1, along with testing the practical implementation and effectiveness of the ISMS, including security controls, risk management processes, and documented policies and procedures implemented by the organization. At the end of Stage 2, the auditor will document their findings, including any nonconformities, observations, and recommendations, and issue a Stage 2 report with a certification recommendation.

An ISO 27001 certificate will only be issued if all major nonconformities have been corrected and remediation activities have been performed, so you will need to provide acceptable corrective action plans (CAPs) for major nonconformities before certificate issuance. Minor nonconformities may be addressed through acceptable CAPs with agreed implementation timelines for resolution.

The certificate is valid for three years. In years 2 and 3, your organization will need to go through surveillance audits, which are shorter in scope than initial certification audits but still comprehensive assessments of ongoing compliance. After three years, you’ll need to complete a recertification audit, which typically involves a comprehensive system audit similar to Stage 2, in order to receive a new certificate.

What industries need ISO 27001?

While many mistake it for solely an IT standard, ISO 27001 certification is actually a need that spans industries. Healthcare, retail, financial services, SaaS, cloud storage and cloud computing companies are some of the businesses that will benefit from achieving the certification. If your business handles any kind of sensitive customer data, getting a certification will help show your customers and users that you are committed to protecting their data.

Can I use compliance operations software to meet ISO 27001 certification requirements faster?

Once you’ve developed all of the policies and created all of the documentation required, you will likely have thousands of pages of information that will continually need to be updated, searched, referenced, and utilized. To prepare for your audit, you’ll have to gather all of your evidence files and ensure each piece of evidence is associated with the proper control(s) and correct requirement(s) so your auditor can verify this information.

ISO 27001 frequently asked questions

ISO 27001 applies to any organization, regardless of size, industry, or geographical location, that seeks to establish, implement, maintain, and continually improve an information security management system (ISMS). This standard is particularly relevant to businesses that handle sensitive or confidential information, including those in sectors such as finance, healthcare, IT services, government, and more. Any organization looking to enhance its information security posture and demonstrate its commitment to protecting data can benefit from ISO 27001.

ISO 27001 is important for several reasons:

  1. Risk management: ISO 27001 provides a structured approach to managing information security risks, helping organizations identify, assess, and mitigate risks to their information assets.
  2. Reputation: Achieving ISO 27001 certification demonstrates to customers, partners, and stakeholders that an organization is committed to protecting sensitive information, which can enhance its reputation and trustworthiness.
  3. Compliance: ISO 27001 helps organizations comply with legal, regulatory, and contractual requirements related to information security.
  4. Continuous improvement: The standard promotes a culture of continual improvement in information security practices, ensuring that organizations adapt to evolving threats.
  5. Competitive advantage: Certification can provide a competitive edge by differentiating an organization from its competitors regarding information security practices.
  6. Ability to expand into additional markets: ISO 27001 is the most commonly used framework worldwide, and certification can help unlock new markets for growing companies.

The principles of ISO 27001 include:

  1. Confidentiality: Guaranteeing that data is only accessible to those who are permitted to view it.
  2. Integrity: Protecting the accuracy and wholeness of data and its processing techniques. 
  3. Availability: Making sure all authorized individuals can access the necessary information and related resources when needed.

The previous version of the standard, ISO 27001:2013, had an Annex A that listed 14 ‘control objectives,’ each of which comprises a set of security controls (114 in total). These control objectives were:

  • A.5 Information security policies
  • A.6 Organization of information security
  • A.7 Human resource security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

The ISO 27001:2022 standard was updated in October 2022 to reflect changes in technology and information security. The 14 domains from the previous version were replaced by four themes: people, organizational, physical, and technological:

  • Physical: 13 controls
  • People: 8 controls
  • Organizational: 37 controls
  • Technological: 34 controls

ISO 27001 is not legally required. However, obtaining ISO 27001 certification can help organizations comply with various legal, regulatory, and contractual requirements related to information security. In some industries and jurisdictions, demonstrating adherence to certain information security standards might be mandated by law, making ISO 27001 a valuable framework for achieving compliance. In some US states with “cyber safe harbor laws,” following a reputable framework like ISO 27001 may result in a reduction of civil legal risks related to data breaches.

ISO 27001:2022 organizes its controls into four main categories, with people, processes, and technology being key components:

  1. People: Ensuring that employees and contractors understand their roles and responsibilities in maintaining information security.
  2. Processes: Establishing and implementing policies, procedures, and controls to manage information security risks effectively.
  3. Technology: Utilizing appropriate technological solutions to protect information assets from various threats.

To achieve ISO 27001 certification, an organization typically follows these steps:

  1. Gap analysis: Assess the current state of information security practices against ISO 27001 requirements.
  2. ISMS Implementation: Develop and implement an ISMS, including policies, procedures, and controls to address identified gaps.
  3. Internal audit: Conduct internal audits to evaluate the effectiveness of the ISMS and identify areas for improvement.
  4. Management review: Review the ISMS at the management level, including internal audit results, to ensure it meets the organization’s strategic objectives.
  5. Certification audit:
     • Stage 1 audit: Engage an accredited certification body to perform a documentation review and readiness assessment to determine if the organization is prepared for Stage 2.
     • Stage 2 audit: Complete the main compliance audit, which includes on-site assessment, interviews, inspection of documented evidence, and observation of processes to verify ISMS implementation.
  6. Certification: Address any major nonconformities identified during the Stage 2 audit through corrective actions. If the certification body confirms that all major nonconformities have been resolved and the ISMS is effectively implemented, the organization is awarded ISO 27001 certification.

The cost of ISO 27001 certification varies widely based on several factors, including the size and complexity of the organization, the scope of the information security management system (ISMS), and the chosen certification body. Costs typically include:

  • Consulting fees: For gap analysis, ISMS implementation support, and internal audits.
  • Training costs: For staff training and awareness programs.
  • Certification body fees: For the certification audit and any follow-up assessments.
  • Internal resources: The time and effort invested by the organization’s staff in preparing for and maintaining certification.
  • GRC platform: Tools to streamline the certification process and maintain compliance.

The starting point of your organization’s security controls can significantly impact the overall cost. For example, those already meeting SOC 2 requirements will typically incur fewer expenses.

The time required to achieve ISO 27001 certification can vary, but an organization will typically take at least several months to a year to become certified. The timeline depends on factors like the organization’s current information security maturity level, the complexity of its operations, resources dedicated to the project, and ISMS readiness.

The process involves initial preparation, ISMS implementation, internal audits, and the certification audit by an external body. Organizations should also factor in time for addressing any non-conformities identified during audits.

ISO 27001 addresses a partial set of GDPR requirements related to personal data security. For full GDPR compliance, GDPR should be implemented alongside ISO 27001 to establish a comprehensive Privacy Information Management System.

ISO 27001 and ISO 27002 are both international standards for information security management, but they have different purposes and cover different topics. ISO 27001 outlines the requirements for an Information Security Management System (ISMS), including risk assessment, risk treatment, and ongoing management. ISO 27001 also includes Annex A, which lists security controls that can be implemented to meet the requirements. The goal of ISO 27001 is certification, and organizations can use it to create and implement an ISMS in a systematic and cost-effective way.

ISO 27002 is a supporting standard that provides guidelines for enforcing information security controls within an ISMS. ISO 27002 offers best practices and control objectives for key cybersecurity aspects, such as access control, cryptography, human resource security, and incident response. It describes these controls in depth, explaining how each one works, its purpose and objectives, and how it can be implemented. ISO 27002 emphasizes the importance of reviewing and updating security controls to address changing threats and vulnerabilities.

It’s important to note that both frameworks complement each other. ISO 27002 provides in-depth guidance on implementing ISO 27001 Annex A controls. Ideally, both frameworks should be implemented together to avoid control gaps. Leveraging technology to implement both frameworks is critical to avoiding the heavy manual processes that come with becoming ISO 27001 and ISO 27002 certified.

Unfortunately, a public register of certified companies does not exist, but certified companies are issued certificates by their certification body. To verify ISO 27001 certification, ask for the company’s certificate and check:

  1. It is the latest version (ISO 27001:2022), as any older versions are no longer valid
  2. The expiration date
  3. The company name and specific groups covered
  4. The scope of certification relevant to the services provided
  5. Accreditation by a recognized body, such as UKAS in the UK, ANAB in the US, or other IAF members
  6. That the certification scope covers the specific business processes, services, and locations of interest relevant to your requirements.

Yes, ISO 27001 covers cybersecurity by providing a management system framework for addressing information security risks, which include cybersecurity risks. Major companies like Microsoft and Google use ISO 27001 certifications to demonstrate robust security practices.

A Statement of Applicability (SoA) is a crucial document that outlines which controls from Annex A of the standard an organization has implemented, the implementation status of each control, the reasons for their inclusion, and any exclusions with justifications. This document serves as a bridge between the risk assessment process and the implementation of the Information Security Management System (ISMS).

The SoA is derived from the risk assessment and risk treatment plan. During the risk assessment, an organization identifies and evaluates potential security risks to its information assets. Following this, the risk treatment plan outlines how these risks will be managed, including the selection of appropriate controls. The SoA then documents all necessary controls (including but not limited to those from Annex A of ISO 27001) required to satisfy the risk treatment options.

The SoA is a dynamic document and should be regularly reviewed and updated to reflect changes in the organization’s risk environment, business processes, and technological landscape. It is also a key document during the certification audit, as auditors use it to verify that the selected controls are appropriate and effectively implemented.

A privacy information management system (PIMS) is a framework for managing personal data and ensuring compliance with privacy laws. It is typically integrated with an Information Security Management System (ISMS) and follows ISO 27701 guidelines.

Hyperproof for ISO 27001 compliance

Hyperproof is a compliance operations software solution that helps organizations implement, monitor and maintain an ISMS that conforms to the ISO 27001 standard in the most effective way possible. Here are just a few of the ways Hyperproof can be used to make preparing for audits more manageable and less stressful:


Document and track risks

It’s important to treat your ISO 27001 initiative as a project that needs to be managed diligently. Planning involves several key pieces, including getting leadership commitment, understanding the needs and expectations of all parties with a stake in Information security and determining the boundaries of your ISMS. These requirements are outlined in Clauses 4 and 5 of ISO 27001.

Implement controls that conform to ISO 27001:2022 standards

Hyperproof comes with an ISO 27001 “starter compliance template” containing all requirements and Annex A controls. Once you’ve implemented the template, you’ll see that requirements are enumerated individually and you’ll be able to add controls to each. For organizations with existing controls, it’s quite simple to edit the provided controls, add new controls, and remove superfluous ones.

Conduct internal audits efficiently

You can use Hyperproof to set up an internal audit program to audit your organization’s ISMS and control activities. Within Hyperproof, all evidence of the audit process and the results can be maintained.

Take corrective actions (and assign actions to organizational stakeholders)

Being able to continually manage nonconformities identified in internal and external audits is key. All remediation activities can be managed within the Hyperproof platform.

In fact, Hyperproof can automate certain activities such as assigning tasks to individuals or teams and reminding people to get their work done. Further, business stakeholders do not need to go into Hyperproof to do their work; they can complete tasks in third-party ticketing/project management systems they’re already familiar with.

Implement and maintain control mapping

Hyperproof makes it easier to utilize a common control framework that meets the needs of the ISO 27001 Annex A control set as well as SOC 2 Trust Services Criteria and other frameworks (ISO 27017, ISO 27018, ISO 27701, NIST SP 800-53, PCI DSS, etc.).

ISO 27001 expertise

Hyperproof has partnerships with professional service firms with proven track records and deep expertise in the ISO 27001 standard. If you need a referral, we’d love to talk.
