ISO 27001 is the international standard for information security management systems (ISMS). It's the most widely recognised security certification globally — essential for companies operating in Europe, selling to enterprises, or in regulated industries.
Unlike SOC 2 (which is a report), ISO 27001 is a certification. An accredited certification body audits your ISMS and, if you pass, issues a certificate valid for 3 years (with annual surveillance audits).
The Structure
ISO 27001:2022 consists of two parts:
Clauses 4-10: The Management System
These clauses define how you establish, implement, maintain, and continuously improve your ISMS:
| Clause | What It Covers |
|---|---|
| 4. Context | Understanding your organisation and stakeholders |
| 5. Leadership | Management commitment and information security policy |
| 6. Planning | Risk assessment, risk treatment, and security objectives |
| 7. Support | Resources, competence, awareness, communication, documentation |
| 8. Operation | Implementing risk treatment and security controls |
| 9. Performance evaluation | Monitoring, measurement, internal audit, management review |
| 10. Improvement | Corrective actions, continual improvement |
Annex A: The Controls
Annex A contains 93 controls (down from 114 in the 2013 version) organised into 4 themes:
| Theme | Controls | Examples |
|---|---|---|
| Organisational (37) | Policies, roles, threat intelligence, cloud security | Information security policy, acceptable use, supplier security |
| People (8) | Screening, training, remote working, reporting | Background checks, security awareness, disciplinary process |
| Physical (14) | Perimeters, equipment, storage media, monitoring | Office security, clear desk, equipment maintenance |
| Technological (34) | Access, cryptography, logging, malware, network | MFA, encryption, vulnerability management, secure development |
You don't have to implement all 93 controls. You implement the controls that are relevant to your risk assessment. The Statement of Applicability (SoA) documents which controls apply and which don't (with justification).
Implementation Roadmap
Phase 1: Scope and Gap Analysis (Month 1-2)
Define the scope: What parts of your organisation are covered by the ISMS? This can be the entire company or specific business units/services. Narrower scope = easier to certify, but customers may question exclusions.
Gap analysis: Assess your current state against ISO 27001 requirements. Identify what you already have in place and what's missing.
Deliverables:
- ISMS scope statement
- Gap analysis report
- Implementation project plan
Phase 2: Risk Assessment (Month 2-3)
The risk assessment is the foundation of your ISMS. Everything flows from it — the controls you implement, the resources you allocate, and the priorities you set.
Process:
- Identify information assets (data, systems, processes)
- Identify threats and vulnerabilities for each asset
- Assess likelihood and impact (use a consistent scoring method)
- Determine risk level (likelihood × impact)
- Decide treatment (mitigate, accept, transfer, avoid)
- Select controls from Annex A for risks you're mitigating
Deliverables:
- Risk assessment methodology
- Risk register
- Risk treatment plan
Phase 3: Documentation (Month 3-5)
ISO 27001 requires specific documented information:
Mandatory documents:
- ISMS scope
- Information security policy
- Risk assessment methodology and results
- Risk treatment plan
- Statement of Applicability (SoA)
- Information security objectives
- Evidence of competence
- Operational planning and control documents
- Risk assessment results
- Internal audit results
- Management review results
- Corrective action records
Don't over-document. Auditors want to see that controls are effective, not that you have beautiful policy documents. Keep documentation practical and maintainable. A 3-page policy that's followed is better than a 30-page policy that's ignored.
Phase 4: Implementation (Month 4-8)
Implement the controls identified in your risk treatment plan. Prioritise by risk level — address the highest risks first.
Key implementation areas:
- Access control (MFA, RBAC, regular reviews)
- Encryption (at rest, in transit)
- Vulnerability management (scanning, patching)
- Incident management (process, roles, communication)
- Business continuity (backup, DR, testing)
- Supplier management (assessment, contracts, monitoring)
- Awareness training (all staff, role-specific)
Phase 5: Internal Audit and Management Review (Month 8-10)
Internal audit: Required before certification. Can be performed by internal staff (if independent of the areas being audited) or an external consultant.
The audit verifies that:
- The ISMS conforms to ISO 27001 requirements
- Controls are implemented and operating effectively
- The ISMS is maintained and improved
Management review: The management body (typically senior leadership) reviews the ISMS performance, including audit results, risk changes, and improvement opportunities. This must be documented.
Phase 6: Certification Audit (Month 10-12)
Stage 1 audit (documentation review): The certification body reviews your ISMS documentation, scope, and readiness. Identifies any major gaps before Stage 2. Typically 1-2 days.
Stage 2 audit (on-site/remote assessment): The certification body assesses whether controls are implemented and operating effectively. Interviews staff, reviews evidence, tests processes. Typically 3-5 days depending on scope and size.
Outcomes:
- Certification granted (possibly with minor non-conformities to address)
- Major non-conformities — must be resolved before certification
- Minor non-conformities — must be resolved by next surveillance audit
Cost Breakdown
| Component | Small Company (< 50 staff) | Mid-size (50-250 staff) |
|---|---|---|
| Gap analysis and consulting | €10K-€25K | €25K-€60K |
| Implementation effort | 0.5-1 FTE for 6-12 months | 1-2 FTEs for 8-12 months |
| Security tooling | €5K-€20K/year | €20K-€50K/year |
| Certification audit | €5K-€15K | €15K-€30K |
| Annual surveillance audit | €3K-€8K | €8K-€15K |
| Total first year | €25K-€70K + effort | €70K-€160K + effort |
Maintaining Certification
Certification is valid for 3 years with annual surveillance audits. Ongoing requirements:
- Continuous risk management — update the risk assessment when the environment changes
- Incident management — document and learn from security incidents
- Internal audits — at least annually
- Management reviews — at least annually
- Corrective actions — address non-conformities promptly
- Awareness training — ongoing for all staff
- Control monitoring — verify controls remain effective
Relationship with SOC 2 and NIS2
| Aspect | ISO 27001 | SOC 2 | NIS2 |
|---|---|---|---|
| Type | Certification | Audit report | Regulation |
| Scope | Global | Primarily US/global | EU |
| Focus | ISMS | Trust Service Criteria | Cybersecurity |
| Duration | 3 years + annual surveillance | Annual report | Ongoing compliance |
| Overlap | ~70% with SOC 2 | ~70% with ISO 27001 | ~60% with ISO 27001 |
If you need multiple: Start with ISO 27001. It provides the most comprehensive framework, and ~70% of the work transfers to SOC 2. NIS2 compliance maps well to ISO 27001 controls.
ISO 27001 certification is a significant investment that pays dividends in customer trust, regulatory compliance, and genuine security improvement. If you're planning your ISO 27001 journey, let's talk.