
What Is ISO 27001? A Plain-English Guide for Business Leaders

ISO 27001 is the international standard for information security management. This guide explains what it actually covers, how the 2022 revision changed things, and what certification means in practice.

Rounak Maheshwari

Founder, ISO READY 360 · ISO 27001:2022 Practitioner

ISO 27001 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001, and it specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System — commonly abbreviated as ISMS. Certification against this standard is independent proof that your organisation manages information security in a structured, audited way.

That is the official definition. In plain terms: ISO 27001 is a framework that forces your organisation to identify what information assets it holds, understand the risks to those assets, put controls in place to manage those risks, and review whether the controls are working. The certificate that comes from a successful third-party audit tells your customers, partners, and regulators that you have done this systematically — not just guessed at security.

Why ISO 27001 Was Created

The first edition of ISO 27001 was published in 2005, building on a British Standard called BS 7799 that had existed since the mid-1990s. The goal was to create a globally recognised benchmark for information security management — something that organisations could certify against and that buyers could use as a reliable signal of security maturity.

The standard was revised in 2013 and most recently updated in October 2022. The 2022 revision is the version you certify against today. Organisations certified to the 2013 version had until 31 October 2025 to transition, and new certification and recertification audits from 2024 onwards are conducted against the 2022 edition.

At a glance:
93 Annex A controls
4 control themes
7 mandatory clauses (clauses 4 to 10)
3-year certificate validity

The Structure: Clauses 4 Through 10

The main body of ISO 27001 is organised into clauses numbered 4 through 10. Clauses 1 to 3 cover scope, references, and definitions. The requirements your organisation must meet — the things an auditor will check — live in clauses 4 to 10.

Clause 4: Context of the Organisation

You must understand your organisation's internal and external context, identify interested parties (customers, regulators, suppliers), and define the scope of your ISMS. Scope is a critical decision — it defines exactly which parts of your business are covered by the certificate.

Clause 5: Leadership

Senior management must demonstrate commitment to the ISMS, assign roles and responsibilities, and establish a documented information security policy. This clause exists because security programmes that lack executive sponsorship consistently fail.

Clause 6: Planning

This is where risk assessment and treatment live. You must define a methodology for identifying and evaluating information security risks, produce a risk register, and create a risk treatment plan that records, for each risk, whether it is mitigated with controls, transferred, avoided, or accepted, and which controls are applied. The Statement of Applicability (SoA) is also produced at this stage: it lists every Annex A control, states whether it applies, justifies each inclusion and each exclusion, and records whether the control is implemented. Auditors read the risk treatment plan and the SoA side by side, so the two must agree.

Clauses 7, 8, 9, and 10

Clause 7 covers support: resources, competence, awareness, communication, and documented information. Clause 8 requires operational planning and control of risk treatment. Clause 9 covers performance evaluation — internal audits and management review are mandatory. Clause 10 requires continual improvement, including a process for addressing nonconformities.

Annex A: The 93 Controls Across 4 Themes

Attached to the main standard is Annex A, which lists 93 information security controls grouped into four themes. These controls are the specific measures your organisation can apply to treat risks. The 2022 revision reorganised and updated the controls significantly compared to the 2013 edition, which had 114 controls across 14 domains.

A.5 Organisational (37 controls): policies, governance, supplier relations, incident management
A.6 People (8 controls): screening, training, remote work, leavers
A.7 Physical (14 controls): secure areas, equipment, clear desk, media disposal
A.8 Technical (34 controls): access control, cryptography, secure development, vulnerability management

A.5: Organisational Controls (37 controls)

These cover policies, roles, responsibilities, supplier relationships, incident management, and business continuity. They are the governance layer — controls that exist at the organisational level rather than being tied to a specific technology or person.

A.6: People Controls (8 controls)

These address the human element: screening, terms of employment, security awareness training, disciplinary processes, remote working, and what happens when someone leaves. Human error and social engineering feature in a large share of reported security incidents, which is why this theme exists separately.

A.7: Physical Controls (14 controls)

Physical security covers office and data centre perimeters, access controls to secure areas, equipment security, clear desk and clear screen policies, and secure disposal of media. For cloud-first organisations, the data centre controls are largely inherited from the cloud provider, but the inheritance has to be documented and evidenced (typically by holding the provider's own ISO 27001 certificate or SOC 2 report on file and recording which controls it covers), and your own offices, home-working arrangements, and laptops remain in scope.

A.8: Technological Controls (34 controls)

This is the largest theme and covers user endpoint devices, privileged access management, access control, cryptography, network security, secure development, vulnerability management, and logging and monitoring. Of the eleven controls new in the 2022 revision, seven sit in this theme: configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. The other four (threat intelligence, information security for use of cloud services, ICT readiness for business continuity, and physical security monitoring) were added to the organisational and physical themes.

You do not need to implement every Annex A control, but you do need to address every one of them: the standard requires you to state, for each control, whether it applies and why, based on your risk assessment, and to record that in the Statement of Applicability. A small SaaS company running entirely on a cloud provider can legitimately exclude data centre controls it inherits, but each exclusion must be supported by the risk assessment, and an auditor will challenge exclusions that are not.
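The agreement between the risk treatment plan (Clause 6) and the Statement of Applicability is something an auditor tests by tracing controls from one document to the other. The following is an added example of that traceability check, not code from this article or from ISO READY 360. It assumes the 2022 Annex A numbering (A.5.1 to A.8.34); the risks, control references, and SoA rows are constructed sample data with deliberate inconsistencies, not a real organisation's records.

```python
"""Cross-check a risk treatment plan against a Statement of Applicability (SoA).

Added example, not code from the article or from ISO READY 360. The control
identifiers use the ISO/IEC 27001:2022 Annex A numbering (A.5.1 to A.8.34); the
risks and SoA rows below are constructed sample data, not a real organisation's records.
"""
from dataclasses import dataclass

# The 2022 Annex A numbers controls consecutively within each theme:
# 37 organisational (A.5), 8 people (A.6), 14 physical (A.7), 34 technological (A.8).
ANNEX_A_2022 = frozenset(
    f"A.{theme}.{n}"
    for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
    for n in range(1, count + 1)
)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    treatment: str            # "mitigate", "transfer", "avoid" or "accept"
    controls: tuple = ()      # Annex A controls applied when treatment is "mitigate"


@dataclass(frozen=True)
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str = ""   # required for inclusions and exclusions alike (clause 6.1.3 d)
    implemented: bool = False


def check_soa(risks, soa):
    """Return a sorted list of findings; an empty list means the plan and SoA agree."""
    findings = []
    ids = [e.control_id for e in soa]
    by_id = {e.control_id: e for e in soa}

    # 1. Identifier hygiene: every row names a 2022 control, once, and the SoA covers all 93.
    for cid in set(ids):
        if cid not in ANNEX_A_2022:
            findings.append(f"{cid}: not an Annex A (2022) control identifier")
        if ids.count(cid) > 1:
            findings.append(f"{cid}: listed more than once in the SoA")
    missing = ANNEX_A_2022 - set(ids)
    if missing:
        findings.append(f"SoA omits {len(missing)} of the {len(ANNEX_A_2022)} Annex A controls")

    # 2. Traceability: every control the treatment plan relies on is in the SoA and applicable.
    for r in risks:
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{r.risk_id}: treatment is 'mitigate' but no controls are named")
        for cid in r.controls:
            entry = by_id.get(cid)
            if entry is None:
                findings.append(f"{r.risk_id}: relies on {cid}, which is absent from the SoA")
            elif not entry.applicable:
                findings.append(f"{r.risk_id}: relies on {cid}, which the SoA marks not applicable")

    # 3. Justification and status: inclusions and exclusions both need a reason,
    #    and an applicable control that is not implemented is an open item.
    for e in soa:
        if not e.justification.strip():
            state = "applicable" if e.applicable else "excluded"
            findings.append(f"{e.control_id}: marked {state} with no justification")
        if e.applicable and not e.implemented:
            findings.append(f"{e.control_id}: applicable but not yet implemented")

    return sorted(findings)


# Constructed sample data (not a real register) with deliberate inconsistencies.
RISKS = [
    Risk("R-01", "Unpatched internet-facing web servers", "mitigate", ("A.8.8", "A.8.9")),
    Risk("R-02", "Customer data copied into test environments", "mitigate", ("A.8.11",)),
    Risk("R-03", "Loss or theft of laptops used by remote staff", "mitigate", ("A.6.7", "A.8.1")),
    Risk("R-04", "Outage of a non-critical analytics supplier", "accept"),
    Risk("R-05", "Theft of hardware from the co-located data centre", "transfer"),
]

SOA = [
    SoaEntry("A.8.8", True, "Treats R-01", implemented=True),
    SoaEntry("A.8.9", True, "Treats R-01"),                            # applicable, not yet implemented
    SoaEntry("A.8.11", False, "No customer data outside production"),  # contradicts R-02
    SoaEntry("A.6.7", True, "Treats R-03", implemented=True),
    SoaEntry("A.8.1", True, "Treats R-03", implemented=True),
    SoaEntry("A.7.1", False),                                          # excluded with no justification
    SoaEntry("A.5.7", True, implemented=True),                         # included with no justification
    SoaEntry("A.9.2.1", True, "Carried over from 2013 SoA", True),     # 2013-era identifier
]

if __name__ == "__main__":
    for finding in check_soa(RISKS, SOA):
        print(finding)
```

Run against the sample data, the check reports six findings: a risk that relies on a control the SoA excludes, an exclusion and an inclusion with no justification, an applicable control not yet implemented, a 2013-style identifier that survived the migration, and an SoA that only covers 7 of the 93 controls. Each of these is the kind of gap an auditor raises as a nonconformity or an observation, and all are cheap to catch before the audit if the register and the SoA are kept in a form a script can read.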

Who Needs ISO 27001

Any organisation that handles sensitive information — customer data, employee records, financial data, intellectual property — can benefit from ISO 27001. In practice, certification is most commonly pursued by technology companies, SaaS businesses, financial services firms, healthcare organisations, and professional services companies that process client data.

The trigger is usually commercial rather than ideological. Enterprise procurement teams require it. Government contracts specify it. Cyber insurance applications ask for it. GDPR due diligence often surfaces it as a requirement for data processors. If you sell to businesses in Europe or are entering regulated industries, the question is usually not whether you need ISO 27001 but when.

What Certification Actually Proves

A valid ISO 27001 certificate, issued by an accredited certification body, proves three things: that your ISMS meets the requirements of the standard, that an independent auditor has reviewed your documentation and evidence, and that at the point of audit, your controls were implemented and operating effectively. It does not prove that you will never have a security incident. No certification can guarantee that. What it proves is that you have a structured approach to managing risk and that you have the processes in place to detect, respond to, and learn from incidents when they happen. When you rely on someone else's certificate, read its scope statement: the certificate covers only the locations, services, and business units named there, and it should carry the mark of a recognised accreditation body.

Certificates are valid for three years, subject to surveillance audits in years one and two and a full recertification audit before the three-year expiry. This ongoing oversight is what makes the certification meaningful: it is not a one-time snapshot but a commitment to continuous compliance.

If you are ready to start building your ISMS, explore our ISO 27001 document templates — each one maps directly to the clauses and controls described above, so you are building something audit-ready from day one.
