International information security standard
15 articles available
The ISO 27001 certification process involves three main stages: building your ISMS (typically 3-9 months), the Stage 1 audit (a review of your documentation and readiness), and the Stage 2 audit (an assessment of whether the ISMS is actually implemented and operating). After passing both stages you receive a certificate valid for three years, subject to annual surveillance audits and a recertification audit before it expires.
The ISO 27001 risk assessment is the cornerstone of the ISMS. It requires you to identify information security risks, analyze their likelihood and impact, evaluate them against your risk acceptance criteria, and then determine the controls needed to treat unacceptable risks. Clause 6.1.3 requires you to compare the controls you determined against Annex A to make sure no necessary control has been overlooked; Annex A is a reference list, not the only permitted source of controls.
The Statement of Applicability (SoA) is a mandatory ISO 27001 document that lists all 93 Annex A controls and states, for each, whether it is applicable, the justification for including or excluding it, and whether it is implemented. It's the bridge between your risk assessment and your implemented controls.
ISO 27001 Clause 9.2 requires organizations to conduct internal audits at planned intervals to verify the ISMS conforms to requirements and is effectively implemented. Internal audits must be independent (auditors can't audit their own work), follow a documented audit program, and produce formal findings.
ISO 27001 requires specific mandatory documents including the ISMS scope, information security policy, risk assessment process, risk treatment plan, Statement of Applicability, and several others. In total, you need approximately 15-20 mandatory documents plus additional records and evidence.
An ISO 27001 gap analysis systematically compares your current security posture against ISO 27001 requirements to identify what you already have in place and what needs to be implemented. It covers both the ISMS management clauses (4-10) and the 93 Annex A controls.
Continual improvement is a core ISO 27001 principle embedded in Clause 10. It requires organizations to systematically identify and implement improvements to the ISMS through corrective actions for nonconformities, management reviews, internal audits, risk reassessments, and performance metrics.
ISO 27001 certification typically costs $20,000-$100,000+ total, including $5K-$20K for consulting, $5K-$30K for audit fees, $5K-$25K for tooling, and significant internal labor costs. Smaller organizations with compliance platforms can often certify for $30K-$50K total.
ISO 27001 certification typically takes 6-12 months for most organizations. Small, mature organizations can certify in 4-6 months with a compliance platform. Larger organizations or those starting from scratch may need 12-18 months. The timeline depends on scope, current maturity, and internal resources.
ISO 27001:2022 Annex A contains 93 controls organized into 4 themes: Organizational (37), People (8), Physical (14), and Technological (34). These controls cover everything from access management and encryption to supplier relationships and incident response.
ISO 27001:2022 restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes, added 11 new controls covering areas such as cloud services security, threat intelligence, data masking, data leakage prevention, and secure coding, and made minor updates to clauses 4-10. The deadline to transition from ISO 27001:2013 is October 31, 2025.