ISO 27001 certification is often misunderstood as a project to implement a fixed list of security controls. In practice, that mistaken view can produce weak scoping, rushed evidence collection, and a Statement of Applicability that does not stand up well in audit.
ISO/IEC 27001 is the international standard for an information security management system, usually called an ISMS. It gives organisations a structured way to identify information security risks, decide how those risks should be treated, operate security controls, and continually improve the management system over time.
Last updated: 2026. This overview reflects ISO/IEC 27001:2022 and the related ISO/IEC 27002:2022 control guidance. Authoritative definitions and certification expectations should always be checked against the ISO standard itself and the rules of the relevant accredited certification body, such as bodies recognised through national accreditation services including UKAS or equivalent accreditation directories.
ISO 27001 is designed to help an organisation manage information security as a business system rather than as a collection of isolated technical safeguards. It covers leadership, planning, risk assessment, operational control, performance evaluation, internal audit, management review, and improvement. That structure is why it applies beyond the IT department: legal, HR, procurement, product, operations, and senior management usually all have a role in a functioning ISMS.
The standard is often adopted because customers, investors, regulators, or commercial partners want evidence that information security is being managed consistently. Certification can support trust, procurement, and regulatory readiness, but it should not be treated as a substitute for legal compliance. For example, ISO 27001 can support GDPR or NIS2 readiness by strengthening governance, risk management, access control, supplier oversight, and incident processes, but it does not automatically prove compliance with either regime.
A useful way to view the standard is as a repeatable management cycle. The organisation defines what is in scope, understands interested parties and obligations, assesses information security risks, chooses risk treatment actions, documents the Statement of Applicability, operates selected controls, checks whether the system works, and improves it when evidence shows gaps. The order matters because control selection should follow risk assessment, rather than starting with a generic control checklist.
One of the most important distinctions in ISO/IEC 27001:2022 is the difference between the mandatory requirements in clauses 4–10 and the reference controls in Annex A. Clauses 4–10 describe what the organisation must establish and maintain as a management system, including context, leadership, planning, support, operation, performance evaluation, and improvement. Annex A provides a catalogue of information security controls that may be selected when they are relevant to the organisation’s risks.
This distinction affects the whole implementation sequence. A credible ISMS starts with scope and context, then moves into risk assessment and risk treatment. Only after that should the organisation confirm which Annex A controls are applicable and explain its decisions in the Statement of Applicability. Excluding a control is allowed where there is a defensible reason, but the reason has to be documented and consistent with the risk assessment and the organisation’s operating model.
The Statement of Applicability is therefore more than a spreadsheet of selected controls. It connects risk treatment decisions to the control environment and explains which Annex A controls are included, which are excluded, why those decisions were made, and how selected controls are implemented. Certification auditors commonly test whether that logic is coherent, particularly where controls have been excluded despite obvious business relevance.
Scope is one of the earliest decisions and one of the easiest to underestimate. A whole-organisation scope may be appropriate where systems, processes, and leadership are centralised. A narrower scope may be more realistic where the certification driver relates to a specific SaaS product, platform, business unit, region, or customer-facing service. The important point is that the boundary must be clear, defensible, and auditable.
For a SaaS company, a practical scope might include the production cloud environment, product engineering, customer support processes, incident response, and the employees who administer those systems. It may exclude unrelated internal business systems if they do not process customer data and are not part of the certified service, although interfaces and dependencies still need to be described. If a subsidiary is excluded, the organisation should be able to explain shared services, personnel, infrastructure, contracts, and any data flows between the certified and non-certified parts of the business.
Third parties also need careful treatment. Cloud providers, payroll platforms, managed security providers, software vendors, and outsourced support partners may sit outside the certification boundary, but their services can still create risks inside the ISMS. Supplier due diligence, contractual security requirements, monitoring, and incident notification expectations often become part of the evidence trail. In practice, poor supplier records and unclear shared-responsibility assumptions can slow down certification as much as missing technical controls.
Certification is performed by an independent certification body, ideally one accredited by a recognised accreditation body. Before selecting a certification body, organisations normally check whether accreditation is valid for the relevant management system standard and market. ISO itself publishes information about the standard, while accreditation bodies and directories provide the route for checking whether a certification body is formally accredited.
The certification journey usually begins with readiness work or a gap assessment. This is not the certification audit itself; it is a way to identify missing policies, unclear ownership, incomplete risk records, weak evidence, or controls that have been designed but not yet operated. For small and medium-sized organisations, a realistic kick-off-to-Stage-2 timeline is often around 3–6 months, depending on scope, current maturity, asset inventory quality, supplier due diligence, internal audit readiness, and the availability of management evidence.
Stage 1 is primarily a readiness and documentation review. The auditor looks at whether the ISMS has been designed in line with the standard, whether scope is clear, whether core documents exist, and whether the organisation appears ready for Stage 2. Stage 2 then tests implementation and effectiveness: whether processes are actually operating, whether controls produce evidence, whether staff understand their responsibilities, and whether management review and improvement activities are real rather than nominal.
After certification, the work continues. Accredited certification normally includes surveillance audits during the certification cycle and recertification at the end of the cycle. These follow-up audits are important because ISO 27001 is based on continual improvement. A certificate can be put at risk if the ISMS is left static while the organisation changes its products, systems, suppliers, locations, or risk profile.
ISO/IEC 27001:2022 updated the structure around Annex A and aligned it with ISO/IEC 27002:2022. The Annex A controls are now grouped into four themes: organisational, people, physical, and technological controls. This grouping is easier to map to real operating responsibilities than older control categories, because many controls sit across governance, behaviour, facilities, and technical systems.
The 2022 revision also introduced and adjusted controls to reflect current security practice. Examples include threat intelligence, information security for use of cloud services, ICT readiness for business continuity, configuration management, data leakage prevention, monitoring activities, and secure coding. These controls reflect how organisations now operate across cloud platforms, distributed teams, software supply chains, and continuous service delivery.
ISO/IEC 27002:2022 is not the certification standard, but it is useful guidance for understanding and implementing the controls referenced by Annex A. Organisations preparing for certification should avoid copying control wording into a policy library without adapting it. Auditors are more interested in whether the selected control is appropriate, implemented, evidenced, and reviewed than whether a policy repeats standard terminology.
Most ISO 27001 delays are not caused by obscure technical issues. They usually come from governance gaps, unclear evidence, inconsistent risk logic, or scope decisions that have not been tested against how the business actually works. A control may exist in practice, but if ownership, operation, monitoring, and evidence are unclear, it can still be difficult to defend during audit.
A short anonymised example shows how these issues appear in practice. A growing software company scoped its ISMS around a single customer-facing platform and expected certification to be mainly a policy exercise. During readiness work, the largest gaps were not encryption or access control, but an incomplete asset inventory, unclear supplier risk ratings, and a Statement of Applicability that excluded controls without enough explanation. Stage 1 raised documentation and scope clarification findings; after the organisation tightened its risk methodology, updated supplier records, and completed an independent internal audit, Stage 2 focused more on operational evidence and management review actions.
ISO 27001 implementation does not require everyone to become an auditor, but role-specific understanding helps. Senior leaders need to understand accountability, risk acceptance, objectives, and management review. Process owners need to understand how their evidence supports the ISMS. Internal auditors need enough independence and competence to test the system before the certification body does.
Readynez offers ISO courses and certifications for teams that need structured learning around ISO standards, including preparation for people involved in implementation, auditing, or governance. Security teams that maintain several certification tracks may also consider Unlimited Security Training where a broader security learning plan is needed.
ISO/IEC 27001 is an international standard for an information security management system. It is important because it gives organisations a structured way to manage information security risks, assign responsibilities, operate controls, audit performance, and improve over time.
No. The management system requirements are in clauses 4–10 of ISO/IEC 27001:2022. Annex A is a reference set of controls that the organisation considers after risk assessment, with inclusion or exclusion justified in the Statement of Applicability.
The organisation defines scope, assesses risks, selects risk treatments, prepares the Statement of Applicability, implements and operates controls, performs an internal audit, and completes management review. An accredited certification body then conducts Stage 1 to assess readiness and documentation, followed by Stage 2 to test implementation and effectiveness.
Many SMEs plan for roughly 3–6 months from kick-off to Stage 2, but the timeline depends on scope, existing maturity, available evidence, supplier complexity, asset inventory quality, and how quickly management decisions are made. A narrower product or service scope may be faster than a whole-organisation scope, provided the boundary is clear and auditable.
ISO/IEC 27001:2022 updated Annex A to align with ISO/IEC 27002:2022 and grouped controls into organisational, people, physical, and technological themes. It also introduced or refined controls that reflect current practice, including threat intelligence, cloud services use, configuration management, monitoring activities, and secure coding.
ISO 27001 works best when it is treated as a management system that reflects the organisation’s real risks and operating model. A practical plan starts with scope and interested parties, moves through risk assessment and the Statement of Applicability, then builds evidence through implemented controls, internal audit, management review, and corrective action.
The most effective next step is to decide whether the organisation is exploring feasibility, preparing for implementation, or strengthening audit capability. If a conversation would help clarify the training route, Readynez can be contacted through the contact page.
Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course.
You're viewing our global site from United States
Would you like to view the site in
English
with prices in
Dollar?