Glossary · Frameworks & standards
What is ISO 27001?
Also known as: ISO/IEC 27001, ISO 27001:2022, ISMS standard
ISO 27001 is the international standard for an information security management system (ISMS), published by ISO and IEC. It defines requirements for systematically identifying, treating, and monitoring information security risks, and is the basis for accredited certification recognized worldwide. The 2022 revision lists 93 Annex A controls across four themes.
Key takeaways
- ISO 27001 certifies a management system (an ISMS), not just a set of controls.
- Certification is granted by an accredited registrar and is internationally recognized.
- The 2022 version has 93 Annex A controls across four themes: Organizational, People, Physical, Technological.
- Risk assessment and a Statement of Applicability sit at the core of the standard.
- Certification follows a multi-year cycle with surveillance audits and recertification.
What is an ISMS and how does ISO 27001 structure it?
At its heart, ISO 27001 requires a documented information security management system - a set of policies, processes, and controls governed by leadership and improved over time. The main clauses (4 to 10) cover context, leadership, planning, support, operation, performance evaluation, and improvement, following the Plan-Do-Check-Act cycle.
Risk is the engine of the standard. Organizations perform a risk assessment, decide how to treat each risk, and document their decisions in a Statement of Applicability that justifies which Annex A controls are included or excluded.
The 93 Annex A controls
The 2022 revision reorganized Annex A controls into 93 controls grouped under four themes, replacing the earlier 14-domain structure.
- Organizational (37 controls) - policies, roles, supplier and incident management.
- People (8 controls) - screening, awareness, terms of employment.
- Physical (14 controls) - secure areas, equipment, disposal.
- Technological (34 controls) - access control, cryptography, logging, secure development.
The 2022 update also introduced new controls reflecting modern practice, such as threat intelligence, information security for cloud services, data masking, and secure coding.
How do you get certified?
Certification involves an accredited registrar conducting a two-stage audit: Stage 1 reviews documentation and readiness, and Stage 2 tests whether the ISMS is implemented and effective. Once certified, the organization undergoes annual surveillance audits and a full recertification audit, commonly on a three-year cycle.
Sustaining the ISMS between audits is where continuous control monitoring helps. CATAAM keeps ISO 27001 controls under live observation and feeds in findings from internal attack surface management, so management reviews are grounded in current evidence.
ISO 27001 vs SOC 2
ISO 27001 and SOC 2 are the two dominant security assurances. ISO 27001 is a certification of a management system valued globally, while SOC 2 is a US-centric attestation report describing controls and an auditor opinion.
Their control sets overlap heavily, so organizations targeting both can reuse much of the same evidence. ISO 27001 places more explicit emphasis on governance, leadership commitment, and continual improvement of the ISMS, whereas SOC 2 emphasizes mapping controls to the Trust Services Criteria.
Frequently asked questions
- How many controls are in ISO 27001:2022?
- Annex A of the 2022 revision contains 93 controls grouped into four themes: Organizational, People, Physical, and Technological.
- How long does ISO 27001 certification take?
- Implementing the ISMS and reaching the Stage 2 audit commonly takes several months to a year, depending on size and maturity. The certificate then runs on roughly a three-year cycle with annual surveillance audits.
- What is the difference between ISO 27001 and ISO 27002?
- ISO 27001 is the certifiable standard that defines ISMS requirements, while ISO 27002 is a guidance document offering implementation detail for the Annex A controls. You certify against 27001, not 27002.
- Do I need to implement all 93 Annex A controls?
- Not necessarily. You apply controls based on your risk assessment and justify any exclusions in the Statement of Applicability, which the auditor reviews.