International Organization for Standardization - ISO/IEC 27001:2022

The Ultimate Guide to ISO 27001

What is ISO 27001?

ISO 27001 is a globally recognized standard for information security management systems (ISMS). It sets the criteria for what an ISMS must meet, providing comprehensive guidance applicable to companies of all sizes and from all industries.

By adhering to ISO 27001, organizations ensure they have implemented a robust system to manage the security risks associated with their data. This compliance confirms that they follow the best practices and principles outlined in the standard.

The importance of ISO 27001 continues to escalate. This standard advocates for a comprehensive approach to information security that scrutinizes people, policies, and technology. An ISMS structured around ISO 27001 facilitates effective risk management, enhances cyber resilience, and promotes operational excellence. Over the years, ISO 27001 has evolved to stay aligned with the changing nature of cyber risks, continually adapting its frameworks to protect sensitive information and systems better.

Understanding the latest ISO 27001 amendment

ISO 27001 Amendment 1 introduces a significant update to the ISO 27001 standard by incorporating climate change considerations into the information security management system. This amendment, also known as the ISO/IEC 27001:2022 Amendment 1 Climate Action Changes, mandates that organizations assess whether climate change poses a relevant risk to their operations and information security. ISO/IEC 27001:2022 Amendment 1 was released in February 2024.

If climate change is identified as a pertinent risk, organizations are required to document this in the “context of the organization” section of their ISMS. They must also include it in their risk management procedures and risk register. For those who conclude that climate change does not significantly impact their ISMS, a simple acknowledgment in their documentation suffices.

Furthermore, organizations need to engage with their stakeholders to determine if and how climate change is relevant to them. This dialogue should be documented and prepared for discussion during external ISO 27001 certification audits, highlighting the organization’s proactive approach to integrating climate action into their security practices. This amendment reflects a broader trend of integrating environmental considerations into core business strategies and operations.

ISO 27001 certification is also key to securing contracts with large companies and government organizations.

Going through the ISO 27001 certification process can be time-consuming and expensive, especially if your organization doesn’t have compliance expertise or modern tools to handle the work. Here’s the good news: there is a way to gain control over your ISO 27001:2022 compliance program and dramatically reduce your workload. Hyperproof also supports ISO 27001:2013.

Developed by the International Organization for Standardization, ISO 27001:2022 is an information security standard providing requirements for an information security management system (ISMS). ISO 27001:2022 defines what an ISMS is, what is required to be included within an ISMS, and how management should implement, monitor, and maintain an ISMS. It is notable for being an all-encompassing framework for protecting all types of digital information, including employee data, financial data, customer data, corporate IP, and third-party entrusted information.

Most organizations were audited on ISO 27001:2013 throughout 2023. Current certifications for ISO 27001:2013 need to be completed by the end of April 2024. Certifications for ISO 27001:2022 must be completed by the end of October 2025. Starting Nov 1, 2025, all remaining 2013 certificates will be withdrawn and considered to be expired.

ISO 27001 also comes with a control set for organizations to implement to address their information security risk, known as Annex A of ISO 27001.

To obtain an ISO 27001 certification, an organization must hire an accredited certification body to perform an independent assessment verifying that the organization’s ISMS conforms to the ISO 27001:2022 standard requirements. An issued certificate is valid for a three-year term, during which time surveillance audits must be completed. The ISO certificate means that the ISMS is actively implemented and operating effectively.

Unlock the secrets of ISO 27001 certification: comprehensive guide 

ISO/IEC 27001 is the gold standard for information security, and understanding its requirements is crucial for businesses operating in security-conscious industries. Our exclusive ebook, ‘Getting to Know the ISO 27001 Standard’, provides practical guidance on achieving ISO 27001 certification requirements.

Gain valuable insights into key steps for becoming ISO 27001 certified, determining scope, familiarizing yourself with control families and annex controls, and project management tips for certification readiness. Don’t miss out on this opportunity to enhance your information security practices. Download our guide now for actionable strategies and expert tips!

What are the benefits of ISO 27001 compliance?

Having an ISO 27001 certification can provide a competitive advantage for an organization, signaling that the organization has invested significant time and resources in information security. Remember that an organization must clear a high bar to receive a certification; a certificate can only be issued by an accredited certification body and only after the organization has taken the time to fix all significant and minor issues uncovered during the formal audit ISO 27001 process.

You might even find that your B2B customers require it, and you could lose out on business if you don’t pursue the certification. If you’re selling software or services, your customers will want to see your ISO 27001 certification to have confidence that their data will be protected and that you won’t introduce vulnerabilities into their systems.

The certification can also help you protect your reputation in the event of a data breach. When customer data is accessed or stolen, reputations suffer. However, showing that your business complies with one of the most stringent security standards can help you demonstrate your good faith efforts to protect their data and privacy. In fact, several states in the U.S. passed laws in 2021 establishing a safe harbor for organizations that create and maintain written cybersecurity programs that meet the ISO 27001 standard.

In addition, if your business is ISO 27001 compliant, it’s highly likely that you’re well on your way to becoming compliant with other security standards, laws and regulations.

Lastly, an ISO 27001 certification can help reduce audit fatigue by eliminating or reducing the need for spot audits from customers and business partners. Many companies annually audit their customers and business partners as part of their risk management process. As a vendor, you may be bombarded with a high volume of time-consuming audits coming from multiple sources. An ISO 27001 certification is a great solution for this, as companies will often accept your certification in place of conducting a separate audit.

Preparing for the ISO 27001 certification process

As a first step, you need to determine which areas of your business will be within the scope of your Information Security Management System (ISMS). Each business is unique and houses different types and amounts of data, so before building out your ISO 27001 compliance program, you need to know exactly what information you need to protect.

Conservatively, businesses should plan on spending around a year to become ISO 27001 compliant and certified. You’ll need to undertake several activities before your organization is ready to go through a formal audit. Getting ready for an ISO 27001 certification audit involves the following key steps:

Develop a project plan

It’s important to treat your ISO 27001 initiative as a project that needs to be managed diligently. Planning involves several key pieces, including getting leadership commitment, understanding the needs and expectations of all parties that have a stake in information security, and determining the boundaries of your ISMS. These ISO 27001 requirements are outlined in Clauses 4 and 5 of ISO 27001.

Getting leadership commitment early in the ISO 27001 process is key because your leadership team will need to be aware of ISO 27001 requirements and commit to performing certain key activities, such as setting security objectives and ensuring that information security management system requirements are integrated into your organization’s processes.

Define an information risk assessment process and use that process to identify, analyze and evaluate information security risks.

ISO 27001 requires each organization to define an information risk assessment process that contains risk acceptance criteria and criteria for performing information security risk assessments. Each organization also needs to ensure that their risk assessment process is set up to produce consistent and comparable results.

Once the risk assessment process is created, your organization will need to use it to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the ISMS and track those risks somewhere (ideally in a centralized risk register).

Design and implement ISO 27001 controls to treat security risks identified during your risk assessment process.

During this stage, you’ll need to determine which controls are needed to address the risks you’ve identified sufficiently. You’ll need to refer to ISO 27001 Annex A as your control baseline and ensure no necessary controls are overlooked. You should assign individuals or teams to manage the risks, ensuring they’re on board with the proposed controls and accept the residual information security risks. Keep in mind that your entire control set, as well as your control selection process, need to be documented, as documentation is a requirement of ISO Clause 7.5, and your auditors will ask to see this documentation as a part of their assessment.

Conduct an internal audit

How can you be sure that your ISMS is effectively implemented and maintained? The key is to conduct your own internal audit of your ISMS and control activities at regular intervals. ISO 27001 Clause 9 contains a number of requirements on how an internal audit ought to be conducted (ISO calls this “performance evaluation”). In ISO language, if you find that the ISMS isn’t conforming to ISO standards, or if it’s not effectively implemented or maintained, that finding is a “nonconformity.” Again, you must retain evidence of the audit process and audit results.

Address the nonconformities found during the internal audit and take corrective action.

ISO 27001 Clause 10 requires your organization’s management team to review the results of internal audits and react to “nonconformities” that were discovered. Treatment might involve taking action to control and correct the nonconformity or making a more significant change to the ISMS. Again, your organization needs to retain documentation of the nature of issues, any subsequent actions taken, and the results of any corrective actions.

ISO 27001 compliance checklist: key points for implementation

  1. Get executive support: For ISO 27001 certification, the organization must openly embrace change as it may involve implementing new policies, tools and training on security topics. Having senior executives’ support is crucial for the project’s success.
  2. Conduct a gap analysis: An ISO 27001 gap analysis helps identify disparities between your organization’s existing security measures and ISO 27001 requirements. If internal expertise for ISO 27001 is lacking, hire an external aligned consultant.
  3. Assign a project leader: To ensure smooth progress and efficient communication, a dedicated project leader should be assigned to manage and drive the project forward.
  4. Careful scoping: To determine which information assets need protection, scoping is essential. Maintain a balance, as too broad or too narrow a scope can either inflate costs or leave you at risk.
  5. Establish an ISO 27001 approved risk management framework: Risk assessment is crucial for ISO 27001 compliance. Using an approved risk assessment methodology ensures that all potential risks are covered.
  6. Organize control implementation: Prioritize controls and manage risks by splitting up work into manageable sprints. A compliance project management tool can help track progress.
  7. Map existing controls to ISO 27001 requirements: Map your existing controls (from previous compliance programs) to ISO 27001 to avoid duplicative work. Use compliance software for easier management.
  8. Prepare the RTP and SoA: Documenting risks and controls consistently can make preparing the Risk Treatment Plan (RTP) and Statement of Applicability (SoA) easier and less time-consuming.
  9. Combine audits: If ISO 27001 isn’t the only security audit your organization undergoes, try to combine all audits within the same timeframe to reduce the compliance team’s burden.
  10. Use a compliance operations platform: To efficiently manage all compliance work, use a central compliance operations platform. It helps compliance professionals drive accountability across an organization. Such platforms help understand ISO 27001 requirements in detail, document risk assessment results, develop ISMS, streamline evidence collection, monitor ISMS and make continuous improvements.

The ISO 27001 audit process

Once you have completed the steps outlined above, you’re ready to invite an independent auditor to conduct the ISMS audit.

An ISO 27001 audit occurs in two stages:

Stage 1

A review of all the documentation and artifacts from clauses 4-10 of ISO 27001. At the end of the stage 1 assessment, your auditing firm will write up the nonconformities they identified and issue a stage 1 report.

Once you have a stage 1 report in hand, your organization should review the results and implement a corrective action plan (CAP) to address the nonconformities your auditor has identified, implement the corrective actions, and gather evidence of correction and remediation. The external auditor has no responsibility in this step.

Stage 2

The external auditing firm will perform the stage 2 audit. This includes a review of any findings from stage 1, along with the applicable control activities implemented by the organization. At the end of stage 2, the auditor will write up any nonconformities and a stage 2 report.

An ISO 27001 certificate will only be issued if all major and minor nonconformities have been corrected and remediation activities were performed for all major nonconformities. You will need to provide acceptable corrective action plans (CAPs) for each nonconformity.

An ISO 27001 certificate is valid for three years. In years 2 and 3, your organization will need to go through surveillance audits (or mini-audits). After three years, you’ll need to complete full-scale audits (Stage 1 and 2) in order to receive a new certificate.

What industries need ISO 27001?

While many mistake it as solely an IT standard, ISO 27001 certification is actually a need that spreads across industries. Healthcare, retail, financial services, SaaS, cloud storage and cloud computing companies are some of the businesses that will benefit from achieving the certification. If your business handles any kind of sensitive customer data, getting an ISO 27001 certification will help show your customers and users that you are committed to protecting their data.

Can I use compliance operations software to meet ISO 27001 certification requirements faster?

Once you’ve developed all of the policies and created all of the documentation required for ISO 27001, you will likely have thousands of pages of information that will continually need to be updated, searched, referenced, and utilized. To prepare for your ISO 27001 audit, you’ll have to gather all of your evidence files and ensure each piece of evidence is associated with the proper control(s) and correct requirement(s) so your auditor can verify this information.

ISO 27001 frequently asked questions

ISO 27001 applies to any organization, regardless of size, industry, or geographical location, that seeks to establish, implement, maintain, and continually improve an information security management system (ISMS). This standard is particularly relevant to businesses that handle sensitive or confidential information, including those in sectors such as finance, healthcare, IT services, government, and more. Any organization looking to enhance its information security posture and demonstrate its commitment to protecting data can benefit from ISO 27001.

ISO 27001 is important for several reasons:

  1. Risk Management: ISO 27001 provides a structured approach to managing information security risks, helping organizations identify, assess, and mitigate risks to their information assets.
  2. Reputation: Achieving ISO 27001 certification demonstrates to customers, partners, and stakeholders that an organization is committed to protecting sensitive information, which can enhance its reputation and trustworthiness.
  3. Compliance: ISO 27001 helps organizations comply with legal, regulatory, and contractual requirements related to information security.
  4. Continuous Improvement: The standard promotes a culture of continual improvement in information security practices, ensuring that organizations adapt to evolving threats.
  5. Competitive advantage: Certification can provide a competitive edge by differentiating an organization from its competitors regarding information security practices.
  6. Ability to expand into additional markets: ISO 27001 is the most commonly used framework worldwide, and certification can help unlock new markets for growing companies.

The principles of ISO 27001 include:

  1. Confidentiality: Guaranteeing that data is only accessible to those who are permitted to view it.
  2. Integrity: Protecting the accuracy and wholeness of data and its processing techniques. 
  3. Availability: Making sure all authorized individuals can access the necessary information and related resources when needed.

The previous version, ISO 27001:2013, had an Annex A that listed 14 ‘control objectives,’ each of which comprised a set of security controls (114 in total). These control objectives were:

  • A.5 Information security policies
  • A.6 Organization of information security
  • A.7 Human resource security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

The ISO 27001:2022 standard was updated in October 2022 to reflect changes in technology and information security. The 14 domains from the previous version were replaced by four themes: physical, people, organizational, and technological:

  • Physical: 14 controls
  • People: 8 controls
  • Organizational: 37 controls
  • Technological: 34 controls

ISO 27001 is not legally required. However, obtaining ISO 27001 certification can help organizations comply with various legal, regulatory, and contractual requirements related to information security. In some industries and jurisdictions, demonstrating adherence to certain information security standards might be mandated by law, making ISO 27001 a valuable framework for achieving compliance. In some US states with “cyber safe harbor laws,” following a reputable framework like ISO 27001 may result in a reduction of civil legal risks related to data breaches.

The three pillars of ISO 27001 are:

  1. People: Ensuring that employees and contractors understand their roles and responsibilities in maintaining information security.
  2. Processes: Establishing and implementing policies, procedures, and controls to manage information security risks effectively.
  3. Technology: Utilizing appropriate technological solutions to protect information assets from various threats.

To achieve ISO 27001 certification, an organization typically follows these steps:

  1. Gap analysis: Assess the current state of information security practices against ISO 27001 requirements.
  2. ISMS Implementation: Develop and implement an ISMS, including policies, procedures, and controls to address identified gaps.
  3. Internal audit: Conduct internal audits to evaluate the effectiveness of the ISMS and identify areas for improvement.
  4. Management review: Review the ISMS at the management level to ensure it meets the organization’s strategic objectives.
  5. Certification audit: Engage an accredited certification body to perform a certification audit, which includes a thorough review of the ISMS documentation and practices.
  6. Certification: If the certification body is satisfied with the ISMS implementation, the organization is awarded ISO 27001 certification.

The cost of ISO 27001 certification varies widely based on several factors, including the size and complexity of the organization, the scope of the information security management system (ISMS), and the chosen certification body. Costs typically include:

  • Consulting fees: For gap analysis, ISMS implementation support, and internal audits.
  • Training costs: For staff training and awareness programs.
  • Certification body fees: For the certification audit and any follow-up assessments.
  • Internal resources: The time and effort invested by the organization’s staff in preparing for and maintaining certification.
  • GRC platform: Tools to streamline the certification process and maintain compliance.

The starting point of your organization’s security controls can significantly impact the overall cost. For example, those already meeting SOC 2 requirements will typically incur fewer expenses.

The time required to achieve ISO 27001 certification can vary, but a given organization will take at least several months to a year to become certified. The timeline depends on factors like the organization’s current information security maturity level, the complexity of its operations, resources dedicated to the project, and ISMS readiness.

The process involves initial preparation, ISMS implementation, internal audits, and the certification audit by an external body. Organizations should also factor in time for addressing any non-conformities identified during audits.

ISO 27001 addresses a partial set of GDPR requirements related to personal data security. For full GDPR compliance, GDPR should be implemented alongside ISO 27001 to establish a comprehensive Privacy Information Management System.

ISO 27001 and ISO 27002 are both international standards for information security management, but they have different purposes and cover different topics. ISO 27001 outlines the requirements for an Information Security Management System (ISMS), including risk assessment, risk treatment, and ongoing management. ISO 27001 also includes Annex A, which lists security controls that can be implemented to meet the requirements. The goal of ISO 27001 is certification, and organizations can use it to create and implement an ISMS in a systematic and cost-effective way.

ISO 27002 is a supporting standard that provides guidelines for enforcing information security controls within an ISMS. ISO 27002 offers best practices and control objectives for key cybersecurity aspects, such as access control, cryptography, human resource security, and incident response. It describes these controls in depth, explaining how each one works, its purpose and objectives, and how it can be implemented. ISO 27002 emphasizes the importance of reviewing and updating security controls to address changing threats and vulnerabilities.

It’s important to note that both frameworks complement each other. ISO 27002 provides in-depth guidance on implementing ISO 27001 Annex A controls. Ideally, both frameworks should be implemented together to avoid control gaps. Leveraging technology to implement both frameworks is critical to avoiding the heavy manual processes that come with becoming ISO 27001 and ISO 27002 certified.

Unfortunately, a public register of certified companies does not exist, but certified companies are issued certificates by their certification body. To verify ISO 27001 certification, ask for the company’s certificate and check:

  1. It is the latest version (ISO 27001:2022), as any older versions are no longer valid
  2. The expiration date
  3. The company name and specific groups covered
  4. The scope of certification relevant to the services provided
  5. Accreditation by a recognized body, such as UKAS
  6. That the Certification scope covers relevant business processes and locations of interest

Yes, ISO 27001 covers cybersecurity by providing a management system framework for addressing information security risks, which include cyber security risks. Major companies like Microsoft and Google use ISO 27001 certifications to demonstrate robust security practices.

A Statement of Applicability (SoA) is a crucial document that outlines which controls from Annex A of the standard an organization has implemented, the reasons for their inclusion, and any exclusions with justifications. This document serves as a bridge between the risk assessment process and the implementation of the Information Security Management System (ISMS).

The SoA is derived from the risk assessment and risk treatment plan. During the risk assessment, an organization identifies and evaluates potential security risks to its information assets. Following this, the risk treatment plan outlines how these risks will be managed, including the selection of appropriate controls from Annex A of ISO 27001.

The SoA is a dynamic document and should be regularly reviewed and updated to reflect changes in the organization’s risk environment, business processes, and technological landscape. It is also a key document during the certification audit, as auditors use it to verify that the selected controls are appropriate and effectively implemented.

A privacy information management system (PIMS) is a framework for managing personal data and ensuring compliance with privacy laws. It is typically integrated with an Information Security Management System (ISMS) and follows ISO 27701 guidelines.

Hyperproof for ISO 27001 compliance

Hyperproof is a compliance operations software solution that helps organizations implement, monitor and maintain an ISMS that conforms to the ISO 27001 standard in the most effective way possible. Here are just a few of the ways Hyperproof can be used to make preparing for ISO 27001 audits more manageable and less stressful:


Document and track risks


Implement controls that conform to ISO 27001:2022 standards

Hyperproof comes with an ISO 27001 “starter compliance template” containing all ISO 27001 requirements and Annex A controls. Once you’ve implemented the template, you’ll see that requirements are enumerated individually and you’ll be able to add controls to each. For organizations with existing controls, it’s quite simple to edit the provided controls, add new controls, and remove superfluous ones.

Conduct internal audits efficiently

You can use Hyperproof to set up an internal audit program to audit your organization’s ISMS and control activities. Within Hyperproof, all evidence of the audit process and the results can be maintained.

Take corrective actions (and assign actions to organizational stakeholders)

In ISO 27001, being able to continually manage nonconformities identified from internal and external audits is key. All remediation activities can be managed within the Hyperproof platform.

In fact, Hyperproof can automate certain activities such as assigning tasks to individuals or teams and reminding people to get their work done. Further, business stakeholders do not need to go into Hyperproof to do their work; they can complete tasks in third-party ticketing/project management systems they’re already familiar with.

Implement and maintain control mapping

Hyperproof makes it easier to utilize a common control framework that meets the needs of ISO 27001 Annex A control set as well as SOC 2 Trust Services Criteria and other frameworks (ISO 27017, ISO 27018, ISO 27701, NIST SP 800-53, PCI DSS, etc.)

ISO 27001 expertise

Hyperproof has partnerships with professional service firms with proven track records and deep expertise in the ISO 27001 standard. If you need a referral, we’d love to talk.
