ISO/IEC 27001
What it is
An international standard for an Information Security Management System (ISMS). Organizations get certified after a third-party audit verifies that their ISMS meets the standard's clauses and that selected Annex A controls are implemented.
Who uses it
Global enterprises, B2B vendors selling into Europe and APAC, MSPs, and SaaS companies whose customers require certification.
Why it matters
ISO 27001 is the international counterpart to SOC 2. A junior analyst working in EMEA or selling globally will work with it constantly.
Structure
The management system itself — the scope, policies, processes, roles, and continual improvement loop (Plan-Do-Check-Act).
Mandatory management requirements: context, leadership, planning, support, operation, performance evaluation, improvement.
93 reference controls (in the 2022 revision) grouped into 4 themes: Organizational, People, Physical, Technological.
For each risk, choose: treat (apply controls), transfer (insurance/contract), tolerate (accept), or terminate (stop the activity).
The auditable document that lists every Annex A control, marks it included or excluded, and justifies the decision.
Terminology
Beginner explanation
ISO 27001 cares as much about how you manage security as what controls you have. The ISMS is the engine; Annex A is the parts list you choose from.
Practical examples
- A B2B SaaS scoping the ISMS to 'the production environment supporting the X platform' and excluding the marketing CMS.
- A risk of 'unauthorized access to production database' treated by Annex A controls A.5.15 (Access Control) and A.8.5 (Secure Authentication).
Advanced notes
The 2022 revision restructured Annex A from 14 domains/114 controls to 4 themes/93 controls and introduced 11 new controls including Threat Intelligence (A.5.7) and Secure Coding (A.8.28).
Practice this in a lab
Your manager wants a written likelihood-and-impact scale you can defend in management review.
Atlas Health is pursuing ISO 27001. Compare its current program to ISO 27001:2022 and list gaps.
Northbeam has no formal access control policy. Auditors will ask for one in the kickoff.
Map your organization's MFA control to NIST CSF 2.0, ISO 27001 Annex A, SOC 2 TSC, and NIST SP 800-53.