Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesFrameworks & Standards

What is ISO 27001? A certification guide

ISO 27001 is the international standard for managing information security. Here is what it involves and how to get certified without a year of manual work.

7 min read

ISO/IEC 27001 is the leading international standard for an Information Security Management System (ISMS): a documented, risk-based way of managing the security of the information your organisation holds. Certification against it is independent proof to customers, partners, and regulators that you take security seriously.

The current version, ISO 27001:2022, refreshed the control set and structure. This guide explains the ISMS, the controls, and how certification actually works.

Key takeaways
  • ISO 27001 certifies a management system (an ISMS), not just a checklist of controls.
  • ISO 27001:2022 lists 93 Annex A controls across four themes: organizational, people, physical, technological.
  • Certification is a two-stage audit by an accredited body, then surveillance audits over a three-year cycle.
  • The heavy lifting is evidence and risk management, which is where automation pays off.

What an ISMS is

An ISMS is the set of policies, processes, and controls you use to manage information security risk systematically. ISO 27001 requires you to define scope, assess risks, select controls to treat them, and continually improve. It is deliberately risk-based, so two certified organisations can look different as long as each manages its risks properly.

The 2022 controls

ISO 27001:2022 organises its 93 Annex A controls into four themes:

  • Organizational controls: policies, roles, supplier and cloud security, and more.
  • People controls: screening, awareness, and responsibilities.
  • Physical controls: secure areas, equipment, and media handling.
  • Technological controls: access, cryptography, logging, and secure development.

How certification works

An accredited certification body runs a Stage 1 audit (are your ISMS and documentation ready) and a Stage 2 audit (are the controls actually implemented and effective). Pass both and you are certified, with lighter surveillance audits over a three-year cycle before recertification.

Most of the effort is producing and maintaining evidence that controls operate over time. Automating evidence collection and control mapping turns a months-long scramble into a steady, always-ready state.

Frequently asked questions

Is ISO 27001 mandatory?
It is not a law, but it is frequently required by enterprise customers and in tenders, so in practice it is often a commercial requirement to win or keep business.
How long does ISO 27001 certification take?
Typically a few months to build and operate the ISMS before the Stage 2 audit, depending on your starting point and how much of the evidence work is automated.
What changed in ISO 27001:2022?
The 2022 revision restructured Annex A into 93 controls across four themes and added controls for areas such as cloud services, threat intelligence, and secure development.
How does NMT help with ISO 27001?
NMT maps your controls to ISO 27001, automates evidence collection, and monitors control status continuously, so you reach and stay audit-ready with far less manual effort.

Get ISO 27001-ready faster

Automate the evidence and control mapping behind certification. See your starting point with a free check.

Run a free check
Related
Compliance & Assurance solution Guide: What is SOC 2? For Startups (free security essentials)