ISO 27001

What Is ISO 27001?

ISO 27001 is an international standard for building and maintaining an Information Security Management System (ISMS). Published by the International Organization for Standardization and the International Electrotechnical Commission, it gives companies a structured way to manage security risks across their entire organization.

The key difference from SOC 2: ISO 27001 is a formal certification. An accredited certification body audits your ISMS and either grants or denies the certificate. You're certified or you're not. There's no opinion letter with qualifications. That binary outcome is part of why ISO 27001 carries so much weight in international markets, particularly in Europe and Asia, where it's often a prerequisite for doing business.

As of 2024, roughly 97,000 organizations worldwide hold active ISO 27001 certificates, nearly double the count from the previous year. The surge is driven by regulatory pressure (DORA, NIS2 in the EU), cyber insurance requirements, and enterprise procurement teams adding it to vendor checklists.

The 2022 Update

The current version is ISO 27001:2022, which replaced the 2013 edition. The transition deadline was October 31, 2025, so all certificates now must be on the 2022 version.

What changed:

• Annex A controls dropped from 114 to 93 (mostly by merging overlapping controls, not removing requirements)
• Controls reorganized from 14 domains into 4 themes: Organizational, People, Physical, and Technological
• 11 new controls added, reflecting modern threats: threat intelligence, cloud security, data leakage prevention, web filtering, secure coding, and others
• A new Clause 6.3 requires organizations to plan any changes to the ISMS formally

The core management system clauses (4 through 10) stayed mostly the same. If you were compliant with the 2013 version, the transition mainly involved remapping your controls to the new structure and addressing the 11 new requirements.

Who Needs ISO 27001?

ISO 27001 is most valuable for companies selling internationally. In the US, SOC 2 is the default ask. In Europe, the UK, the Middle East, and most of Asia-Pacific, buyers expect ISO 27001 instead.

Specific triggers that push companies toward ISO 27001:

• Expanding into European or Asian markets where SOC 2 isn't well understood
• Bidding on government contracts (many countries require it)
• Cyber insurance carriers offering premium discounts for certified organizations
• Customers in regulated industries (banking, healthcare, defense) requiring it of their vendors
• Already having SOC 2 and wanting a second credential for broader market coverage (roughly 80% of the controls overlap)

Key Requirements

ISO 27001 has two layers: the management system requirements (Clauses 4-10) and the Annex A controls (93 controls across 4 categories).

Management system (mandatory clauses):

• Define the scope of your ISMS and understand your organization's context
• Get visible leadership commitment (this isn't a checkbox; auditors verify that executives are actively involved)
• Conduct a formal risk assessment and create a risk treatment plan
• Set security objectives and measure progress
• Ensure staff competence, awareness, and training
• Document everything: policies, procedures, evidence of control operation
• Run internal audits and management reviews at least annually
• Track nonconformities and drive continuous improvement

Annex A controls (93 total):

• Organizational (37 controls): policies, access management, supplier security, incident management, business continuity
• People (8 controls): screening, employment terms, training, remote working
• Physical (14 controls): facility security, equipment protection, clear desk policies
• Technological (34 controls): endpoint security, privileged access, encryption, vulnerability management, logging, network security

You don't necessarily implement all 93 controls. Your risk assessment determines which are applicable. But for each control you exclude, you must justify why in a document called the Statement of Applicability (SoA). Auditors scrutinize this closely.

The Certification Process

Certification happens in stages:

1. Gap analysis and ISMS build (2-6 months). Assess your current state against ISO 27001 requirements. Write policies, build your risk register, implement controls, and train your team. This is the heaviest phase. Many companies hire a consultant or use a compliance automation platform to accelerate it.

2. Internal audit (2-4 weeks). Required by Clause 9 before the certification audit. You can do it in-house or outsource it. The point is to catch problems before the external auditor does.

3. Stage 1 audit (1-2 days). The certification body reviews your documentation: ISMS scope, policies, risk assessment, SoA, internal audit results, management review minutes. This is a readiness check. No certification decision happens here.

4. Stage 2 audit (3-15 days depending on company size). The real audit. Auditors verify controls are implemented and working. They interview staff, sample evidence, and test operational processes. If you pass, the certificate is issued. Minor nonconformities are common and can be resolved after the audit within an agreed timeframe.

5. Surveillance audits (years 1 and 2). Annual check-ins where auditors review a subset of your controls. Shorter and cheaper than the initial audit. Expect $6,000-$7,500 each.

6. Recertification audit (year 3). Similar depth to the Stage 2 audit. Must be completed at least 3 months before your certificate expires. Successful recertification extends the certificate for another 3 years.

What It Costs

Total first-year costs vary widely by company size:

• Under 50 employees: $15,000-$30,000
• 50-250 employees: $30,000-$75,000
• 250+ employees: $75,000-$200,000+

The certification body's audit fees are only part of it. Consulting support averages around $38,000. A compliance automation platform runs $10,000-$50,000/year. And internal staff time is often the largest hidden cost: expect 200-500+ person-hours for a small company.

Over a full 3-year certification cycle, a small company should budget $30,000-$60,000 total. Mid-market organizations are looking at $80,000-$175,000.

How Compliance Tools Help

ISO 27001's documentation requirements are heavy. You need a risk register, SoA, dozens of policies, evidence of control operation, internal audit records, and management review minutes. Doing this in spreadsheets and shared drives is possible but painful.

Compliance automation platforms map their control libraries directly to ISO 27001's 93 Annex A controls. They pull evidence from your cloud infrastructure automatically, track policy acknowledgments, flag gaps in real time, and generate the documentation auditors need. All 17 tools in our database support ISO 27001.

The biggest time savings come during audit prep and surveillance audits, where you'd otherwise spend weeks manually assembling evidence binders.

Common Mistakes

Treating it as an IT project. ISO 27001 covers the entire organization. HR, legal, facilities, and operations all have responsibilities. Dumping it on the IT team is a top cause of failed implementations.

Copy-pasting template policies. Buying a policy pack and not tailoring it to your actual processes. Auditors will interview your staff, and the gap between what policies say and what people actually do creates nonconformities fast.

Superficial risk assessment. Using a generic risk register instead of identifying risks specific to your business. This is the foundation of the entire ISMS. If the risk assessment is weak, everything built on top of it is weak too.

Scoping too broadly. Including every department, office, and system in scope makes the project unmanageable and expensive. Start with a focused scope (your core product and supporting infrastructure) and expand later.

Going dark after certification. The ISMS requires continuous operation: regular risk reviews, policy updates, incident tracking, and internal audits. Companies that treat certification as a one-time project fail their first surveillance audit.