ISO 27001 Information Security Management

ISO 27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive information, covering people, processes, and technology. ISO 27001 certification demonstrates to clients, regulators, and partners that your organization has implemented comprehensive controls to protect data confidentiality, integrity, and availability.

ISO 27001 is globally recognized and applies to any organization, regardless of size or industry. It's often required by enterprise clients, government contracts, and regulated sectors.

Who Needs ISO 27001?

ISO 27001 is relevant for organizations across industries:

  • Technology companies: SaaS providers, cloud infrastructure, software vendors, managed service providers

  • Financial services: Banks, payment processors, fintech platforms, insurance companies

  • Healthcare: Electronic health record systems, telemedicine platforms, medical device manufacturers

  • Professional services: Consulting firms, law firms, accounting firms handling confidential client data

  • Government contractors: Organizations bidding for public sector contracts requiring information security certification

  • Supply chain partners: Vendors supporting enterprise clients or critical infrastructure

While not legally mandated in most jurisdictions, ISO 27001 is a de facto requirement for doing business with security-conscious clients, especially in Europe.

ISO 27001 Structure

The standard is divided into two parts:

Main clauses (4-10): Requirements for establishing, implementing, maintaining, and improving an ISMS

  • Clause 4: Context of the organization (scope, stakeholders, legal requirements)

  • Clause 5: Leadership (top management commitment, roles, policy)

  • Clause 6: Planning (risk assessment, risk treatment, objectives)

  • Clause 7: Support (resources, competence, awareness, communication, documentation)

  • Clause 8: Operation (implementing risk treatment plans, controls)

  • Clause 9: Performance evaluation (monitoring, internal audit, management review)

  • Clause 10: Improvement (nonconformity handling, corrective actions, continual improvement)

Annex A: 93 security controls organized into 4 themes and 14 categories

Organizations select applicable Annex A controls based on their risk assessment and document justifications for exclusions in a Statement of Applicability (SoA).

Annex A Control Themes

The 93 controls (ISO 27001:2022 version) are grouped into:

Organizational controls (37 controls):

  • Policies, roles and responsibilities, segregation of duties

  • Asset management, acceptable use, return of assets

  • Human resource security (background checks, security training, disciplinary process)

  • Supplier relationships (vendor security assessments, contracts, monitoring)

  • Compliance (legal requirements, privacy, intellectual property, audits)

People controls (8 controls):

  • Screening, terms of employment, security awareness training

  • Disciplinary process, responsibilities after termination

  • Remote working and mobile device security

Physical controls (14 controls):

  • Physical security perimeters, entry controls, securing offices and facilities

  • Equipment security (placement, protection, maintenance, disposal)

  • Clear desk and clear screen policies

Technological controls (34 controls):

  • Access control (user registration, password management, access rights review)

  • Cryptography (encryption policies, key management)

  • Network security (segmentation, intrusion detection, firewall rules)

  • System security (hardening, patch management, logging, monitoring)

  • Application security (secure development, testing, change management)

  • Backup, business continuity, disaster recovery

  • Incident management (detection, response, forensics, lessons learned)

Not all controls apply to every organization. A startup SaaS company that runs entirely in colocation data centers might exclude the physical perimeter controls, but it must still justify that exclusion in the SoA.

The 2022 revision of ISO 27001 reduced controls from 114 to 93 and reorganized them into 4 themes. If you were certified under the 2013 version, you'll need to transition to the 2022 structure by October 2025.

Risk Assessment and Treatment

ISO 27001 requires a structured risk management process:

  1. Identify assets: Data, systems, personnel, facilities, reputation

  2. Identify threats and vulnerabilities: Cyberattacks, insider threats, natural disasters, human error, third-party failures

  3. Assess likelihood and impact: Quantify or qualify risk levels

  4. Determine risk appetite: Define what level of risk is acceptable

  5. Select risk treatment: Mitigate (apply controls), accept (document justification), transfer (insurance, outsourcing), or avoid (discontinue risky activities)

  6. Document in Risk Treatment Plan: List selected controls, responsibilities, timelines, resources

The risk assessment drives which Annex A controls you implement. High-priority risks require stronger controls; low-priority risks may be accepted or addressed with lighter measures.

Statement of Applicability (SoA)

The SoA is a critical document mapping your risk assessment to Annex A controls:

  • List all 93 Annex A controls

  • For each control, indicate: Applicable or Not Applicable

  • If applicable: Describe how it's implemented, reference policies/procedures

  • If not applicable: Justify the exclusion based on risk assessment

Auditors scrutinize the SoA to verify controls are appropriate and exclusions are justified. Poor justifications (e.g., "not relevant" without explanation) will trigger nonconformities.

Excluding controls without proper justification is a common audit failure. Document why each exclusion is acceptable based on your organization's context, assets, and risk profile.
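As an added example (not code from the ISMS Copilot documentation), the cross-check below ties the Risk Treatment Plan from the previous section to the SoA: every control selected to mitigate a risk must be marked Applicable, every applicable control needs an implementation reference, and every exclusion needs more than a bare "not relevant". The four control IDs are real ISO 27001:2022 Annex A identifiers; the risks, justifications, risk appetite and the small subset of controls are constructed sample data.

```python
# Added example (not from the ISMS Copilot docs): cross-check a Risk Treatment Plan
# against a Statement of Applicability. A.5.1, A.5.23, A.7.1, A.8.1 are real ISO
# 27001:2022 Annex A IDs; risks, justifications and this 4-control subset are constructed.
from dataclasses import dataclass
WEAK_JUSTIFICATIONS = {"", "n/a", "not applicable", "not relevant"}  # auditors reject these

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    treatment: str         # mitigate | accept | transfer | avoid
    controls: tuple = ()   # Annex A controls chosen when mitigating

@dataclass
class SoAEntry:
    control: str
    applicable: bool
    implementation: str = ""   # policy/procedure reference if applicable
    justification: str = ""    # reason for exclusion if not applicable

def check_soa(risks, soa, risk_appetite=6):
    # Returns audit findings; an empty list means plan and SoA agree.
    findings, by_id = [], {e.control: e for e in soa}
    for r in risks:
        score = r.likelihood * r.impact   # simple qualitative 5x5 scoring
        if r.treatment == "accept" and score > risk_appetite:
            findings.append(f"{r.asset}: score {score} above appetite but accepted")
        for c in r.controls:   # every mitigating control must be Applicable
            e = by_id.get(c)
            if e is None or not e.applicable:
                findings.append(f"{c}: mitigates a risk but not Applicable in SoA")
    for e in soa:
        if e.applicable and not e.implementation.strip():
            findings.append(f"{e.control}: Applicable but no implementation reference")
        if not e.applicable and e.justification.strip().lower() in WEAK_JUSTIFICATIONS:
            findings.append(f"{e.control}: excluded without substantive justification")
    return findings

RISKS = [  # constructed sample data
    Risk("customer database", "credential theft", 4, 5, "mitigate", ("A.8.1", "A.5.23")),
    Risk("office", "burglary", 2, 3, "accept"),  # score 6, within appetite
]
SOA = [
    SoAEntry("A.5.1", True, "ISP-001 Information Security Policy"),
    SoAEntry("A.5.23", True),                                # missing reference
    SoAEntry("A.7.1", False, justification="not relevant"),  # weak exclusion
    SoAEntry("A.8.1", False, justification="endpoints managed by hosting provider"),
]
```

Running `check_soa(RISKS, SOA)` on the sample data raises three findings: the A.8.1 conflict between plan and SoA, the missing A.5.23 implementation reference, and the unjustified A.7.1 exclusion.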

Certification Process

Achieving ISO 27001 certification typically follows this timeline:

  1. Gap analysis (1-2 months): Assess current security posture against ISO 27001 requirements

  2. ISMS design (2-4 months): Define scope, conduct risk assessment, create SoA, draft policies

  3. Implementation (4-12 months): Deploy controls, train staff, document procedures, collect evidence

  4. Internal audit (1 month): Test ISMS effectiveness, identify nonconformities, remediate

  5. Management review: Leadership evaluates ISMS performance and improvement opportunities

  6. Stage 1 audit (documentation review): External auditor reviews ISMS documentation, identifies gaps

  7. Remediation: Address Stage 1 findings before Stage 2

  8. Stage 2 audit (implementation audit): External auditor tests controls, interviews staff, reviews evidence

  9. Certification: Certificate issued for 3 years with annual surveillance audits

First-time certification can take 6-18 months depending on organization size and maturity.

Surveillance and Recertification

ISO 27001 certification is valid for 3 years, with ongoing obligations:

  • Annual surveillance audits: External auditor tests a subset of controls each year to ensure continued compliance

  • Internal audits: Conduct at least annually to catch issues before external audits

  • Management review: Leadership reviews ISMS performance at least annually

  • Continuous improvement: Address nonconformities, update risk assessments, adapt to new threats

  • Recertification audit (year 3): Comprehensive audit to renew the certificate for another 3 years

Failing a surveillance audit can result in certificate suspension or withdrawal, so continuous monitoring is critical.

Key Documentation

ISO 27001 requires documented information including:

  • ISMS scope: Boundaries of the ISMS (which departments, locations, systems are covered)

  • Information Security Policy: Top-level commitment to security signed by leadership

  • Risk assessment methodology: How you identify and evaluate risks

  • Risk assessment results: Asset inventory, threat/vulnerability analysis, risk scores

  • Risk Treatment Plan: Selected controls, owners, timelines

  • Statement of Applicability: All 93 Annex A controls with applicability and implementation details

  • Supporting policies and procedures: Access control policy, acceptable use policy, incident response plan, backup policy, change management, etc.

  • Evidence of control operation: Logs, audit trails, training records, access reviews, incident reports, patch management records

  • Internal audit reports: Findings, nonconformities, corrective actions

  • Management review minutes: Leadership decisions, action items

Choosing a Certification Body

Select an accredited certification body (CB) with ISO 27001 experience:

  • Verify accreditation by a recognized body (UKAS, ANAB, DAkkS, etc.)

  • Check the CB's scope includes your industry and geography

  • Ask for references from similar-sized organizations

  • Compare pricing (certification costs typically range from $15,000-$100,000+ depending on scope and organization size)

  • Evaluate auditor expertise (technical depth, industry knowledge)

Common certification bodies include BSI, SGS, TÜV, DNV, Bureau Veritas, and A-LIGN.

ISO 27001 vs. SOC 2

Organizations often compare ISO 27001 and SOC 2:

Aspect          ISO 27001                            SOC 2
Geography       International (ISO standard)         US-focused (AICPA standard)
Applicability   Any organization                     Service providers only
Output          Public certificate                   Confidential audit report
Controls        Prescriptive (93 Annex A controls)   Flexible (auditor-determined)
Cost            $15,000-$100,000+/year               $20,000-$75,000+/year
Timeline        6-12 months                          9-18 months (Type II)

Many organizations pursue both: ISO 27001 for European clients and public credibility, SOC 2 for US clients and SaaS vendor assessments.

How ISMS Copilot Helps

ISMS Copilot is purpose-built for ISO 27001 compliance:

  • Policy generation: Create ISO 27001-aligned policies (information security, access control, incident response, acceptable use, backup, change management)

  • Risk assessment: Build risk assessment frameworks, asset inventories, threat/vulnerability matrices

  • Gap analysis: Upload existing policies to identify gaps against ISO 27001 requirements

  • Statement of Applicability: Generate SoA templates with all 93 Annex A controls

  • Control implementation guidance: Ask about specific controls (e.g., "How do I implement A.8.1 User endpoint devices?")

  • Documentation templates: Incident response playbooks, access review checklists, audit evidence collection guides

  • Audit preparation: Generate internal audit plans, corrective action reports

ISMS Copilot's knowledge base is built from real ISO 27001 consulting experience, so it understands auditor expectations and common pitfalls.

Try asking: "Generate an ISO 27001 information security policy" or "What evidence do I need for control A.5.23 (information security for cloud services)?"

Getting Started

To prepare for ISO 27001 with ISMS Copilot:

  1. Create a dedicated workspace for your ISO 27001 project

  2. Define your ISMS scope (which parts of the organization will be certified)

  3. Conduct a gap analysis to assess current maturity

  4. Use the AI to generate core policies (information security policy, acceptable use, access control, incident response, backup)

  5. Perform a risk assessment (identify assets, threats, vulnerabilities, impacts)

  6. Create a Statement of Applicability based on your risk assessment

  7. Develop procedures and evidence for high-priority controls

  8. Run an internal audit to test ISMS effectiveness before engaging a certification body

Additional Resources

  • Official ISO 27001:2022 standard (purchase from ISO or national standards bodies)

  • ISO 27002:2022 (implementation guidance for Annex A controls)

  • Certification body directories (UKAS, ANAB, IAF for accredited auditors)

  • ISO 27001 transition guide (2013 to 2022 version)