ISO/IEC 27001:2022 – The Information Security Management Standard

26 November 2025

ISO 27001 in plain English

What is ISO 27001?

ISO/IEC 27001 is the international standard for information security management.

It sets out a risk-based framework that any organisation can use to establish, implement, operate, monitor, review, maintain and continually improve an approach to securing corporate information known as an ISMS (information security management system).

Organisations can achieve accredited certification to the ISO 27001 standard to demonstrate that their ISMS is aligned with internationally accepted best practice.

According to the latest ISO Survey, there are now almost 100,000 valid ISO 27001 certificates around the world.

What ISO 27001 covers

ISO 27001 covers the requirements for an ISMS, from scoping to continual improvement. These include:

  • Understanding your organisation, its context and the needs and expectations of interested parties.
  • Determining the scope of the ISMS.
  • Establishing leadership and commitment from top management.
  • Establishing an information security policy.
  • Assigning organisational roles, responsibilities and authorities.
  • Information security risk management.
  • Establishing information security objectives and planning to achieve them.
  • Training and staff awareness.
  • Operational planning and control.
  • ISMS monitoring, measurement, analysis and evaluation.
  • Internal audit.
  • Management review.
  • Continual improvement.

What is an ISMS?

An ISMS is a systematic approach to securing the CIA (confidentiality, integrity and availability) of corporate information assets.

An ISO 27001 ISMS consists of organisational, people, physical and technological controls, selected on the basis of regular risk assessments.

What are the Annex A controls?

Annex A of ISO 27001 lists 93 information security controls that support the implementation and maintenance of an ISMS.

These controls are explained in ISO 27001’s companion standard, ISO 27002, alongside guidance for implementing them.

The controls are grouped into four themes:

  • 5 Organisational (37 controls)
  • 6 People (8 controls)
  • 7 Physical (14 controls)
  • 8 Technological (34 controls)

You don’t have to implement all 93. Instead, you should carry out a risk assessment to determine which controls you need. You should also justify why you exclude other controls.

Read our blog post ISO 27001:2022 Annex A Controls Explained to learn more about control selection and implementation.

Why ISO 27001 matters for businesses

As cyber attacks continue to increase in both scale and severity, and with new threats regularly emerging, it is critical for all organisations to implement the measures they need to secure themselves and their information.

ISO 27001 provides a means for organisations to proactively identify and address security weaknesses that could affect the confidentiality, integrity and availability of their information assets.

Doing so also helps you comply with business, legal, contractual and regulatory requirements, such as the GDPR (General Data Protection Regulation) and the NIS (Network and Information Systems) Regulations.

  • Protect your data, wherever it is: Protect all forms of information, whether digital, hard copy or in the Cloud.
  • Increase your attack resilience: Increase your organisation’s resilience to cyber attacks.
  • Reduce information security costs: Implement only the security controls you need, helping you get the most out of your budget.
  • Respond to evolving security threats: Constantly adapt to changes both in the wider environment and inside the organisation.
  • Improve company culture: An ISMS encompasses people, processes and technology, ensuring staff understand risks and embrace security as part of their everyday working practices.
  • Meet contractual obligations: Certification demonstrates your organisation’s commitment to data security and provides a valuable credential when tendering for new business.

Who needs ISO 27001?

Any organisation that takes information security seriously needs a clear and systematic way to identify risks, protect information and respond as those risks change.

ISO 27001 provides that framework.

Its technology- and vendor-neutral approach makes it suitable for all organisations, whatever their size, complexity, sector or location.

In particular, it benefits organisations that store, process or manage sensitive data, such as companies in the financial, healthcare, legal, professional services and public sectors.

Software-as-a-service organisations, tech companies and other supply-chain-driven organisations also benefit from its approach.

By embedding security into day-to-day processes, systems and decision-making, the Standard helps organisations work more efficiently and demonstrate that information security is being managed properly.

How do you implement ISO 27001?

Implementing an ISO 27001-compliant ISMS involves:

  • Scoping the project.
  • Securing management commitment and adequate resources.
  • Identifying interested parties and applicable legal and contractual requirements.
  • Conducting a risk assessment.
  • Selecting and implementing the required controls.
  • Developing internal competence to manage the project.
  • Developing the appropriate documentation.
  • Conducting staff awareness training.
  • Continually measuring, monitoring, reviewing and auditing your ISMS.
  • Implementing the necessary corrective and preventive actions.

You can find our ISO 27001 implementation checklist and our nine-step approach to implementing an ISMS in our bestselling guide, Nine Steps to Success – An ISO 27001:2022 implementation overview.

What is ISO 27001 certification?

Certification to ISO 27001 provides independently audited assurance that your ISMS conforms to the Standard’s requirements.

To achieve certification, you must be able to show that your ISMS:

  • Meets the mandatory requirements of ISO 27001
  • Complies with all relevant legal, regulatory and contractual security obligations
  • Follows its own documented policies and procedures

The certification audit involves two stages:

  • Stage 1: A review of your documentation to ensure your ISMS has been designed appropriately.
  • Stage 2: An implementation audit to confirm that your ISMS is operating in line with your documented processes.

Certification is valid for three years, with regular surveillance audits to ensure you’re maintaining your ISMS.

ISO 27001 vs other security frameworks

There are many ways of implementing policies, procedures and technical controls to help secure your organisation. With so many frameworks available, how do you know which one best suits your needs?

The Cyber Essentials scheme

Cyber Essentials is a UK government-backed certification scheme built around five technical controls designed to reduce exposure to common internet-based attacks. Compared with ISO 27001, it is narrower in scope and more prescriptive.

Read our blog post Cyber Essentials vs ISO 27001: Key Differences for more information.

SOC 2

SOC 2 assesses service organisations’ security, availability, processing integrity, confidentiality and privacy controls against the AICPA (American Institute of Certified Public Accountants) Trust Services Criteria.

SOC 2 reports are more common in North America than in Europe and are typically shared with existing or prospective clients rather than published as a public certification.

Read our blog post ISO 27001 vs SOC 2 Certification: What’s the Difference? for more information.

The NCSC CAF (Cyber Assessment Framework)

The NCSC CAF (Cyber Assessment Framework) is used to assess how well organisations manage cyber risks to essential functions, particularly in critical sectors and regulated environments.

Unlike ISO 27001, it is not a general-purpose certifiable management system standard for all organisations but is more closely tied to cyber resilience and assurance.

The PCI DSS (Payment Card Industry Data Security Standard)

If you store, process or transmit payment card data, you must comply with the PCI DSS, an industry standard that sets a baseline of technical and operational requirements to protect that data.

Compared with ISO 27001, the PCI DSS is much more specific in scope: it is focused on payment card environments, whereas ISO 27001 provides a broader framework for managing information security risks across the organisation.

Next steps for organisations

If you’d like to learn more about how ISO 27001 works and the benefits of implementing an ISMS, download our free white paper Information Security and ISO 27001 – An introduction.

Or, if you’re ready to start your ISO 27001 implementation project, you can find out more about our ISO 27001 solutions here.

Why choose GRC Solutions?

  • We’re the global authority on ISO 27001, having led the world’s first certification project, when the Standard was known as BS 7799.
  • Since then, we’ve supported more than 20,000 ISO 27001 projects and have trained more than 7,000 professionals on ISO 27001 implementations and audits.
  • We offer everything you need to implement an ISMS – you don’t need to go anywhere else.
  • We’ve honed our implementation methodology over more than 20 years and are so confident in its effectiveness that we guarantee certification – provided you follow our advice, that is!
  • You benefit from real-world practitioner expertise, not just academic knowledge.
  • We have a proven and pragmatic approach to assessing compliance with international standards, whatever your organisation’s size or nature.
  • Our pricing and proposals are completely transparent, so you won’t get any surprises.
  • Our FastTrack™ service helps organisations prepare for certification in three to six months.

Ready to explore ISO 27001?

Speak to our consultants for a simple route to certification.

FAQs (frequently asked questions)

What is ISO 27001?
ISO 27001 is the international standard for information security management. It sets out the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The standard helps organisations protect data, manage risk and demonstrate compliance to customers and regulators.

What is ISO 27001 certification?
ISO 27001 certification is the formal recognition that an independent auditor has verified that your organisation’s ISMS meets the requirements of the Standard. Certification shows clients, partners and regulators that you follow best practice for information security.

How many controls are in ISO 27001?
The latest version of ISO 27001 references 93 controls grouped into four themes: organisational, people, physical and technological. These controls are detailed in Annex A of the Standard.

What is ISO 27001 compliance?
ISO 27001 compliance means your organisation has implemented the policies, procedures and controls required by the standard, but may not yet have external certification. Compliance shows alignment with best practice, while certification provides independent verification.

How long does ISO 27001 certification last?
An ISO 27001 certificate is valid for three years, subject to annual surveillance audits. After three years, a recertification audit is required to maintain certification.

Is ISO 27001 GDPR compliant?
ISO 27001 certification is not the same as GDPR compliance, but it supports it. The standard provides a structured framework for protecting personal data, helping organisations demonstrate that they have appropriate security measures in place to meet GDPR requirements.

What does ISO 27001 stand for?
ISO refers to the International Organization for Standardization, and 27001 is the number assigned to the standard covering ISMSs (information security management systems).