Certification standard
ISO/IEC 27001
Certification standard

ISO/IEC 27001

All frameworks

What it is

An international standard for an Information Security Management System (ISMS). Organizations get certified after a third-party audit verifies that their ISMS meets the standard's clauses and that selected Annex A controls are implemented.

Who uses it

Global enterprises, B2B vendors selling into Europe and APAC, MSPs, and SaaS companies whose customers require certification.

Why it matters

ISO 27001 is the international counterpart to SOC 2. A junior analyst working in EMEA or selling globally will work with it constantly.

Structure

ISMS

The management system itself — the scope, policies, processes, roles, and continual improvement loop (Plan-Do-Check-Act).

Clauses 4–10

Mandatory management requirements: context, leadership, planning, support, operation, performance evaluation, improvement.

Annex A controls

93 reference controls (in the 2022 revision) grouped into 4 themes: Organizational, People, Physical, Technological.

Risk treatment

For each risk, choose: treat (apply controls), transfer (insurance/contract), tolerate (accept), or terminate (stop the activity).

Statement of Applicability (SoA)

The auditable document that lists every Annex A control, marks it included or excluded, and justifies the decision.

Terminology

ISMS
Information Security Management System — the program itself.
SoA
Statement of Applicability — central artifact mapping Annex A to your environment.
Nonconformity
An audit finding that the ISMS does not meet a requirement (major or minor).
Stage 1 / Stage 2 audit
Stage 1 reviews documentation; Stage 2 tests implementation.
Surveillance audit
Annual check-in audit during the 3-year certificate cycle.

Beginner explanation

ISO 27001 cares as much about how you manage security as what controls you have. The ISMS is the engine; Annex A is the parts list you choose from.

Practical examples

  • A B2B SaaS scoping the ISMS to 'the production environment supporting the X platform' and excluding the marketing CMS.
  • A risk of 'unauthorized access to production database' treated by Annex A controls A.5.15 (Access Control) and A.8.5 (Secure Authentication).

Advanced notes

The 2022 revision restructured Annex A from 14 domains/114 controls to 4 themes/93 controls and introduced 11 new controls including Threat Intelligence (A.5.7) and Secure Coding (A.8.28).