Overview
ISO 27001:2022 is the current international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Published in October 2022, it replaced ISO 27001:2013 and provides a globally recognized framework for organizations to systematically manage information security risks.
What it means in practice
ISO 27001:2022 is both a set of requirements your organization must meet and a certification you can earn from an accredited third-party auditor. Think of it as the "rules of the game" for information security management - it tells you what you must do, but gives you flexibility in how you do it based on your context.
Certification value: ISO 27001 certification demonstrates to customers, regulators, and partners that an independent auditor has verified your organization follows internationally recognized security practices. It's often required for government contracts and enterprise procurement.
Key changes from ISO 27001:2013
Annex A control restructure
The most significant change was a complete reorganization of security controls:
2013 version: 114 controls in 14 domains
2022 version: 93 controls in 4 themes (Organizational, People, Physical, Technological)
Result: 11 new controls added, 24 controls merged, streamlined structure
New controls addressing modern threats
ISO 27001:2022 introduced controls for current security challenges:
A.5.7 Threat intelligence - Monitoring and responding to emerging threats
A.5.23 Cloud security - Managing information security in cloud services
A.8.9 Configuration management - Controlling security configurations
A.8.10 Information deletion - Secure data disposal procedures
A.8.11 Data masking - Protecting sensitive data in non-production environments
A.8.12 Data leakage prevention - Detecting and preventing unauthorized data transfers
A.8.16 Monitoring activities - Detecting anomalous behavior
A.8.23 Web filtering - Controlling web access
A.8.28 Secure coding - Building security into software development
Alignment with ISO 27002:2022
The control attributes in ISO 27002:2022 (the companion implementation guidance) now include properties like control type, security domains, and operational capabilities, making it easier to map controls to specific use cases.
Transition deadline: Organizations certified under ISO 27001:2013 must transition to the 2022 version by October 31, 2025. Certifications issued after May 2024 must be to the 2022 version. Start planning your transition now if you haven't already.
Structure of ISO 27001:2022
Clauses 1-3: Introduction and scope
Defines the standard's purpose, applicability, and references related standards like ISO 27000 for terminology.
Clause 4: Context of the organization
Requires understanding your organization's context and its interested parties (stakeholders), and determining the ISMS scope. You must identify internal and external issues affecting information security.
Clause 5: Leadership
Top management must demonstrate leadership and commitment by establishing security policy, assigning roles and responsibilities, and ensuring ISMS integration into business processes.
Clause 6: Planning
Requires risk assessment and treatment processes, defining how you'll identify risks, evaluate them, and select controls to address them. You must also establish measurable information security objectives.
Clause 7: Support
Covers resources, competence, awareness, communication, and documented information. You must ensure adequate resources, train staff, raise security awareness, and create required documentation.
Clause 8: Operation
Implement and operate planned processes including risk assessment, risk treatment, and operational security controls.
Clause 9: Performance evaluation
Monitor, measure, analyze, and evaluate security performance through internal audits and management reviews. Track whether you're meeting objectives.
Clause 10: Improvement
Address nonconformities through corrective actions and continually improve ISMS effectiveness.
Annex A: Security controls
Lists 93 security controls across four themes that organizations select from based on risk assessment results. This is the implementation "menu" for addressing identified risks.
The four control themes in Annex A
Organizational controls (37 controls, A.5.1-A.5.37)
Governance, policies, risk management, asset management, access control, supplier management, incident management, business continuity, and compliance. These are management-level controls defining how the organization operates.
People controls (8 controls, A.6.1-A.6.8)
Employee screening, employment terms, security training, disciplinary processes, termination procedures, NDAs, remote working, and incident reporting. These controls manage human-related risks.
Physical controls (14 controls, A.7.1-A.7.14)
Facility security perimeters, physical access control, equipment protection, environmental protection, supporting utilities (power, climate), cabling security, clear desk and clear screen policies, asset removal and off-premises use, storage media, equipment maintenance, secure disposal, and physical security monitoring. These protect the physical environment.
Technological controls (34 controls, A.8.1-A.8.34)
Endpoint security, privileged access, information access restriction, source code access, authentication, capacity management, malware protection, logging, monitoring, clock synchronization, network security, encryption, development security, change management, testing, vulnerability management, and more. These are technical and IT controls.
Not all controls apply: Your risk assessment determines which of the 93 controls are relevant to your organization. Small organizations might implement 40-60 controls, while complex enterprises might need all 93. Document your decisions in the Statement of Applicability.
Mandatory vs. optional requirements
Mandatory requirements (Clauses 4-10)
Every organization seeking certification must implement all requirements in clauses 4 through 10. These are non-negotiable and include:
Defining ISMS scope
Conducting risk assessments
Creating a Statement of Applicability
Documenting security policy
Performing internal audits
Holding management reviews
Managing nonconformities
Risk-based control selection (Annex A)
Annex A controls are selected based on your risk assessment. You can exclude controls if they're not relevant to your risks, but you must justify exclusions in your Statement of Applicability.
Common mistake: Organizations assume they must implement all 93 Annex A controls. The standard explicitly allows exclusions when controls don't address identified risks or aren't applicable to your context. However, you can't exclude mandatory requirements from clauses 4-10.
How certification works
Stage 1: Documentation review
Auditor reviews your ISMS documentation including scope, policies, risk assessment, Statement of Applicability, and procedures. They verify you've addressed all mandatory requirements and have documented appropriate controls.
Stage 2: Implementation verification
On-site or remote audit where auditors interview staff, examine evidence, test controls, and verify your ISMS operates as documented. They'll sample across all control themes and organizational areas within scope.
Certification decision
If no major nonconformities exist, the certification body issues a certificate valid for three years. Minor nonconformities must be corrected within agreed timeframes.
Surveillance audits
Annual follow-up audits verify continued compliance and improvement. These are shorter than the initial certification audit but sample different areas.
Recertification
Every three years, a full recertification audit similar to stage 2 renews your certificate for another three-year cycle.
Maintenance required: Certification isn't "set and forget." You must maintain your ISMS, address changes to your organization or risks, collect ongoing evidence of control operation, and demonstrate continual improvement. Neglecting this leads to nonconformities in surveillance audits.
Who should pursue ISO 27001 certification?
Regulated industries
Financial services, healthcare, telecommunications, and critical infrastructure often face regulatory requirements that ISO 27001 helps satisfy (GDPR, NIS2, DORA, PCI DSS).
B2B service providers
SaaS companies, cloud providers, managed service providers, and business process outsourcers use certification to demonstrate security maturity to enterprise customers.
Government contractors
Public sector procurement increasingly requires or favors ISO 27001 certification as proof of security capability.
Organizations handling sensitive data
Any company processing personal data, intellectual property, or confidential information benefits from systematic risk management.
Companies seeking competitive advantage
In competitive tenders, ISO 27001 certification differentiates vendors and can be a deciding factor.
ISO 27001 vs. other security frameworks
SOC 2
SOC 2 is a North American attestation focused on service organizations. ISO 27001 is broader in scope and globally recognized. Many organizations pursue both.
NIST Cybersecurity Framework
NIST CSF is guidance, not a certifiable standard. ISO 27001 provides certification. The frameworks are compatible and organizations often map between them.
PCI DSS
PCI DSS is specific to payment card data. ISO 27001 addresses all information security. Many PCI DSS requirements overlap with ISO 27001 controls.
GDPR
GDPR is a legal requirement for data protection. ISO 27001 helps demonstrate GDPR compliance through security controls (Article 32) and accountability measures.
Framework synergy: ISO 27001's risk-based approach allows you to address multiple compliance requirements simultaneously. Controls selected for ISO 27001 often satisfy GDPR, SOC 2, PCI DSS, and other frameworks. Use ISMS Copilot to map controls across frameworks.
Benefits of ISO 27001:2022 adoption
Reduced security incidents
Systematic risk identification and control implementation measurably reduces breach likelihood and impact.
Regulatory compliance
Many ISO 27001 controls directly address GDPR, NIS2, DORA, and sector-specific regulations, reducing compliance burden.
Customer confidence
Independent certification provides assurance to customers, especially in procurement and contract negotiations.
Operational efficiency
Documented processes, clear responsibilities, and systematic improvement reduce errors and rework.
Insurance and liability
Some cyber insurance providers offer better terms for certified organizations, recognizing reduced risk.
Business resilience
Incident response and business continuity controls ensure faster recovery from security events and disruptions.
Implementation timeline and cost
Typical implementation timeframe
Small organization (10-50 employees): 6-9 months
Medium organization (50-250 employees): 9-12 months
Large organization (250+ employees): 12-18 months
Cost factors
Internal resources: Project manager, ISMS team, subject matter experts
External support: Consultants ($10K-$100K+ depending on scope and organization size)
Tooling: GRC platforms, security tools, documentation systems
Certification audit: $5K-$50K+ for stage 1 and stage 2 audits
Annual surveillance: $2K-$15K+ per year
Control implementation: Variable based on existing security maturity and required controls
Cost reduction strategies: Use AI tools like ISMS Copilot to accelerate documentation, risk assessment, and gap analysis. Leverage existing security investments and align with other compliance efforts. Consider phased implementation starting with highest-risk areas.
Common implementation challenges
Scope definition
Organizations struggle to define appropriate ISMS scope - too narrow misses risks, too broad becomes unmanageable. Scope should cover critical information assets and interfaces with third parties.
Risk assessment methodology
Developing a risk assessment approach that's both compliant and practical requires balancing rigor with pragmatism. Overly complex methodologies stall implementation.
Evidence collection
Auditors need proof that controls operate effectively. Organizations often implement controls but fail to systematically collect evidence of their operation.
Maintaining momentum
ISMS implementation requires sustained effort over months. Initial enthusiasm wanes without visible management support and quick wins.
Success factor: Treat ISO 27001 as a business improvement initiative, not a compliance project. Link it to business objectives like customer acquisition, operational efficiency, and risk reduction. Celebrate milestones and communicate progress broadly.
Related concepts
Information Security Management System (ISMS) - The system ISO 27001 defines
Annex A Controls - The 93 security controls in ISO 27001:2022
Statement of Applicability - Document listing which controls you implement
Risk Assessment - Process for identifying security risks
Getting help
Ready to implement ISO 27001:2022? Use ISMS Copilot to accelerate your implementation with AI-powered risk assessments, policy generation, and gap analysis tailored to the 2022 version.