What is ISO 27001? A certification guide
ISO 27001 is the international standard for managing information security. Here is what it involves and how to get certified without a year of manual work.
ISO/IEC 27001 is the leading international standard for an Information Security Management System (ISMS): a documented, risk-based way of managing the security of the information your organisation holds. Certification against it is independent proof to customers, partners, and regulators that you take security seriously.
The current version, ISO 27001:2022, refreshed the control set and structure. This guide explains the ISMS, the controls, and how certification actually works.
- ISO 27001 certifies a management system (an ISMS), not just a checklist of controls.
- ISO 27001:2022 lists 93 Annex A controls across four themes: organizational, people, physical, technological.
- Certification is a two-stage audit by an accredited body, then surveillance audits over a three-year cycle.
- The heavy lifting is evidence and risk management, which is where automation pays off.
What an ISMS is
An ISMS is the set of policies, processes, and controls you use to manage information security risk systematically. ISO 27001 requires you to define scope, assess risks, select controls to treat them, and continually improve. It is deliberately risk-based, so two certified organisations can look different as long as each manages its risks properly.
The 2022 controls
ISO 27001:2022 organises its 93 Annex A controls into four themes:
- Organizational controls: policies, roles, supplier and cloud security, and more.
- People controls: screening, awareness, and responsibilities.
- Physical controls: secure areas, equipment, and media handling.
- Technological controls: access, cryptography, logging, and secure development.
How certification works
An accredited certification body runs a Stage 1 audit (are your ISMS and documentation ready) and a Stage 2 audit (are the controls actually implemented and effective). Pass both and you are certified, with lighter surveillance audits over a three-year cycle before recertification.
Most of the effort is producing and maintaining evidence that controls operate over time. Automating evidence collection and control mapping turns a months-long scramble into a steady, always-ready state.
Frequently asked questions
Get ISO 27001-ready faster
Automate the evidence and control mapping behind certification. See your starting point with a free check.
Run a free check