ISO/IEC 27001 is the internationally recognized standard for an information security management system (ISMS) — a structured framework of policies, processes, and controls for managing the confidentiality, integrity, and availability of information. It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The current revision, ISO/IEC 27001:2022, was published in 2022 and replaced the 2013 edition.

The standard is voluntary — it is not a law and is not enforced by any government. Instead, organizations adopt it by choice and can pursue independent certification from an accredited body to demonstrate that their ISMS meets the requirements. ISO/IEC 27001 is technology- and sector-neutral: it is designed to be used by organizations of any size or industry, and it takes a risk-based approach rather than prescribing a fixed checklist.

What is an ISMS, and what does ISO 27001 require?

An information security management system (ISMS) is a documented, organization-wide system of policies, procedures, roles, and controls for systematically protecting information. ISO/IEC 27001 sets out the requirements to establish, implement, maintain, and continually improve such a system.

The binding requirements live in clauses 4–10, which an organization must meet to be certified:

  • Clause 4 — Context: understand the organization, interested parties, and ISMS scope.
  • Clause 5 — Leadership: top-management commitment, policy, roles.
  • Clause 6 — Planning: risk assessment, risk treatment, and objectives.
  • Clause 7 — Support: resources, competence, awareness, documentation.
  • Clause 8 — Operation: carry out the risk treatment.
  • Clause 9 — Performance evaluation: monitoring, internal audit, management review.
  • Clause 10 — Improvement: corrective action and continual improvement.

These clauses follow the Plan-Do-Check-Act (PDCA) improvement cycle common to ISO management-system standards.

How does the risk-based approach work?

ISO/IEC 27001 does not mandate a one-size-fits-all set of safeguards. Instead it requires the organization to define its ISMS scope, assess its information security risks, decide how to treat them, and continually improve through monitoring, audits, and management review.

From the assessed risks, the organization selects which controls it needs and records its choices — including any exclusions and the justification — in a document called the Statement of Applicability (SoA). This means two certified organizations can implement materially different controls, each appropriate to its own risk profile.

What changed in the 2022 update?

The 2022 revision restructured the controls listed in Annex A. The previous 2013 edition contained 114 controls organized in 14 domains. The 2022 edition consolidates these into 93 controls grouped into four themes:

  • Organizational — 37 controls
  • People — 8 controls
  • Physical — 14 controls
  • Technological — 34 controls

The update also introduced 11 new controls addressing areas such as threat intelligence, cloud services, and data protection, and aligned Annex A with the ISO/IEC 27002:2022 guidance. Terminology and structure were modernized, but the core management-system requirements (clauses 4–10) remained consistent in intent.

How does ISO 27001 relate to ISO 27002?

ISO/IEC 27001 and ISO/IEC 27002 are companion documents with different roles:

  • ISO/IEC 27001 is the certifiable standard. It states the requirements for the ISMS and lists the controls in Annex A as a reference set.
  • ISO/IEC 27002 is a guidance document. It provides detailed implementation advice for each of the same 93 controls — purpose, attributes, and recommendations on how to apply them.

You certify against 27001; you consult 27002 to understand and implement the controls. ISO/IEC 27002 is not a certification standard on its own.

What does the certification process involve?

Certification is carried out by an accredited independent certification body, not by ISO itself. The process typically follows a two-stage audit:

  • Stage 1 — documentation/readiness review: the auditor reviews ISMS documentation and scope to assess whether the organization is ready for full assessment.
  • Stage 2 — certification audit: a more in-depth, usually on-site assessment that verifies the ISMS is implemented and operating effectively in practice.

Nonconformities found at Stage 2 must be resolved before a certificate is issued. Certification is a recognition that the ISMS conforms to ISO/IEC 27001 — it is earned, not granted by ISO.

How long is certification valid and what maintains it?

An ISO/IEC 27001 certificate is generally valid for three years. To keep it valid, the organization must demonstrate ongoing conformity:

  • Surveillance audits are conducted (typically annually) during the cycle to confirm the ISMS continues to operate effectively. These are shorter than the initial certification audit.
  • At the end of the three-year cycle, a full recertification audit is required to renew the certificate.

This ongoing audit rhythm reflects the standard's emphasis on continual improvement rather than a one-time achievement.

Who is ISO 27001 for?

ISO/IEC 27001 is sector- and size-agnostic. It is designed to be used by organizations of any size or industry — from small and medium-sized enterprises to large corporations, government bodies, and non-profits — and is intended to scale as an organization's needs change.

It is widely adopted internationally: tens of thousands of certificates are reported across more than 100 countries and across economic sectors. Organizations often pursue it to manage information security risk systematically and to provide independent assurance to customers, partners, and regulators.

Frequently asked questions

Is ISO 27001 a law?

No. ISO/IEC 27001 is a voluntary international standard, not legislation. No government mandates it directly. However, organizations may adopt it by choice or because a customer or contract requires it, and certification can help demonstrate good practice that supports legal or regulatory obligations.

What is the difference between ISO 27001 and ISO 27002?

ISO/IEC 27001 is the certifiable standard that sets the ISMS requirements and lists the controls in Annex A. ISO/IEC 27002 is a guidance document giving detailed implementation advice for those same controls. You certify against 27001; you use 27002 to help implement the controls.

How many controls are in ISO 27001:2022?

Annex A of ISO/IEC 27001:2022 lists 93 controls grouped into four themes: organizational (37), people (8), physical (14), and technological (34). This replaced the 114 controls in 14 domains used in the 2013 edition. Organizations select which controls apply based on their risk assessment.

How long does ISO 27001 certification last?

A certificate is generally valid for three years, subject to periodic (typically annual) surveillance audits that confirm the ISMS still operates effectively. A full recertification audit is required at the end of the three-year cycle to renew it.

What are Stage 1 and Stage 2 audits?

Certification involves a two-stage audit by an accredited body. Stage 1 is a documentation and readiness review. Stage 2 is a deeper, usually on-site assessment that verifies the ISMS is implemented and working in practice. Nonconformities must be resolved before the certificate is issued.

Who can use ISO 27001?

Any organization, regardless of size or sector — from small businesses to large enterprises, government, and non-profits. The standard is designed to be scalable and uses a risk-based approach, so each organization tailors its ISMS and control selection to its own context and risks.

Official sources