
What is ISO 27001?

ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). It defines how an organisation systematically identifies information assets, assesses threats, selects controls (Annex A lists 93 of them across 4 themes), implements them, and continuously improves. Certification — issued by an accredited body after a third-party audit — is a globally recognised proof of security maturity, required by most enterprise customers and many regulators worldwide.

ISO 27001 is structured in two parts: the main clauses (4–10) that define the management system requirements — context, leadership, planning, support, operation, performance evaluation, improvement — and Annex A, which lists the 93 specific security controls grouped into four themes: organisational (37 controls), people (8), physical (14), and technological (34).

An organisation doesn't have to implement all 93 controls — only those determined necessary by the risk assessment. The Statement of Applicability (SoA) documents which Annex A controls apply, which are excluded, and why. Auditors examine the SoA to confirm that the risk-based reasoning is sound and that excluded controls are genuinely irrelevant to the organisation's risks.

Certification follows a two-stage external audit by a UKAS / ANAB / IAS-accredited body. Stage 1 is documentation review (typically 1–2 days). Stage 2 is operational verification — interviews, evidence sampling, technical walk-throughs (typically 3–5 days for SMEs, 1–2 weeks for enterprises). Certificates are valid for 3 years, with annual surveillance audits in years 1 and 2 and a full re-certification in year 3.

Key points

  • Latest revision: ISO/IEC 27001:2022 (replaces 2013 revision; 2-year transition ended 2025).
  • Two components: management-system clauses (4–10) + 93 Annex A controls.
  • Required Statement of Applicability documents control selection and exclusions.
  • Three-year certification cycle with annual surveillance audits.
  • Roughly 70% control overlap with SOC 2 Trust Services Criteria.

Frequently asked

How long does ISO 27001 certification take?
From kickoff to certificate: typically 6–12 months. Gap analysis: 2–4 weeks. Implementation of new controls: 3–6 months depending on existing maturity. Internal audit + management review: 4–6 weeks. Stage 1 + Stage 2 external audit: 2–6 weeks. Companies with strong existing security can compress this to 4–6 months.
What's the difference between ISO 27001 and SOC 2?
ISO 27001 is an international management-system standard with prescribed clauses and a 93-control catalogue (Annex A). SOC 2 is an attestation report against five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) — flexible in implementation. ISO is more globally portable; SOC 2 is faster to obtain and is preferred by US SaaS buyers. Many vendors do both.
Do we need ISO 27001 if we already have SOC 2?
Depends on your buyers. EU, Middle East, and Asia-Pacific enterprises typically require ISO 27001. North American SaaS buyers typically accept SOC 2 alone. If you sell into both, dual certification is common — and a unified GRC programme can run both with about 30% additional effort over either alone.