
ISO/IEC 27001 Information Security Management System

The international standard for establishing, implementing, and certifying information security management

Established: 2005 (current version 2022)
Last Updated: October 2022 (ISO 27001:2022)
Scope: Global
Annex A Controls: 93

// What is ISO 27001?

ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, encompassing people, processes, and technology. Organizations can achieve formal certification through accredited third-party auditors.

The 2022 revision restructured Annex A controls from 114 controls in 14 domains to 93 controls in 4 themes, aligning with the updated ISO 27002 guidance. The standard emphasizes risk-based thinking and integration with other management systems.

ISO 27001 certification is often a prerequisite for international business, particularly in Europe and Asia, and is increasingly requested by enterprise customers as evidence of security program maturity.

// Inside the Regulation

ISO 27001 consists of mandatory ISMS requirements (Clauses 4-10) and Annex A controls selected based on risk assessment. Organizations must implement the ISMS requirements and select applicable Annex A controls, documenting any exclusions with justification.

1. ISMS Requirements (Clauses 4-10)

The mandatory requirements for establishing, implementing, maintaining, and continually improving an information security management system.

Context of the Organization (Clause 4)

Understanding internal and external issues and the requirements of interested parties, and defining the scope of the ISMS.

Leadership (Clause 5)

Top management commitment, security policy establishment, and organizational roles/responsibilities.

Planning (Clause 6)

Risk assessment and treatment, security objectives, and planning changes to the ISMS.

Support (Clause 7)

Resources, competence, awareness, communication, and documented information requirements.

Operation (Clause 8)

Operational planning, risk assessment execution, and risk treatment implementation.

Performance Evaluation (Clause 9)

Monitoring, measurement, analysis, internal audit, and management review.

Improvement (Clause 10)

Nonconformity handling, corrective action, and continual improvement.

2. Organizational Controls (Annex A.5)

37 controls addressing policies, roles, asset management, access control, and supplier relationships.

Information Security Policies

Management direction for information security through policies reviewed at planned intervals.

Asset Management

Inventory, ownership, acceptable use, and return of assets.

Access Control

Business requirements, user access management, and access rights review.

Supplier Relationships

Information security in supplier agreements and supply chain management.

3. People Controls (Annex A.6)

8 controls addressing human resource security throughout the employment lifecycle.

Screening

Background verification checks on candidates before employment.

Awareness and Training

Security awareness education and relevant training for all personnel.

Disciplinary Process

Formal disciplinary process for personnel who commit information security breaches.

4. Physical Controls (Annex A.7)

14 controls addressing physical security perimeters, entry controls, and equipment security.

Physical Security Perimeters

Defined perimeters protecting areas containing sensitive information and systems.

Physical Entry

Secure areas protected by appropriate entry controls.

Equipment Security

Siting, protection, maintenance, and secure disposal of equipment.

5. Technological Controls (Annex A.8)

34 controls addressing endpoint devices, access rights, cryptography, operations security, and network security.

Endpoint Security

Protection of user endpoint devices, including BYOD and privileged access workstations, and their secure configuration.

Cryptography

Policy on cryptographic controls and key management.

Network Security

Network controls, segregation, and filtering mechanisms.

Secure Development

Security requirements for development, secure coding, and security testing.

Note: Certification involves a two-stage audit: Stage 1 reviews documentation and readiness; Stage 2 assesses implementation and effectiveness. Certification is valid for three years with annual surveillance audits. Organizations must maintain the ISMS and demonstrate continual improvement.

// Who Must Comply

  • Organizations seeking international business requiring certified security programs
  • Technology vendors serving European or Asian enterprise customers
  • Companies pursuing formal third-party security certification
  • Government contractors in jurisdictions requiring ISO 27001
  • Organizations wanting integration with other ISO management systems (9001, 22301)

// Key Requirements

ISMS Documentation

Establish and maintain documented information security management system policies and procedures

Risk Assessment

Conduct formal risk assessments and implement risk treatment plans with management approval

Control Implementation

Implement selected Annex A controls and document justification for any exclusions

Internal Audit

Conduct internal audits at planned intervals to verify ISMS conformity and effectiveness

Management Review

Top management reviews ISMS performance and improvement opportunities at planned intervals

Continual Improvement

Implement corrective actions and continuously improve ISMS suitability, adequacy, and effectiveness

// Enforcement & Penalties

ISO 27001 is a voluntary certification with no direct regulatory penalties. However, certification loss can have significant business consequences, and organizations may face contractual penalties if certification is a customer requirement.

Maximum Penalty

No regulatory fines (voluntary certification)

Examples:

  • Loss of certification after failed surveillance or recertification audit
  • Contract termination if certification is a vendor requirement
  • Loss of business opportunities requiring ISO 27001 certification
  • Reputational damage from publicized certification suspension

// Cyber Insurance Impact

ISO 27001 certification provides strong evidence of security program maturity to cyber insurers. Certified organizations often receive more favorable underwriting terms, as the certification process requires independent verification of security controls. Some insurers offer premium discounts for ISO 27001 certified organizations.

// How Breach Craft Helps

We help organizations achieve ISO 27001 compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of ISO 27001.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873