ISpectra Technologies
ISO/IEC 27001:2022 · ISMS · Annex A · Accredited Certification

Your Complete Guide to ISO 27001 Certification

The international gold standard for information security management systems. Our ISO 27001 hub walks you from ISMS scoping and Annex A control selection through Stage 1 and Stage 2 certification with checklists, templates, and real-world implementation playbooks.

Global Standard · 93 Annex A Controls · ISMS · 3-Year Cycle


What is ISO/IEC 27001 Compliance?

ISO/IEC 27001 is the globally recognized international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Published jointly by ISO and IEC, the current version is ISO/IEC 27001:2022, which reorganized the Annex A control set from 114 controls to 93, grouped into four themes: Organizational, People, Physical, and Technological.

Why ISO 27001 matters in 2026

ISO 27001 is the passport standard for global enterprise sales, especially in the EU, Japan, the Middle East, and Latin America, where buyers may not recognize SOC 2. An ISO 27001 certificate is a lightweight proof of a working ISMS, respected by regulators and procurement teams alike. It's also a natural foundation for GDPR compliance, ISO 27701 (privacy), and ISO 27017/27018 (cloud).

Who needs ISO 27001

Any organization that wants to demonstrate a systematic, risk-based approach to information security. Strong fit for SaaS serving EU/APAC, MSPs, fintech, healthtech, regulated industries, and any business pursuing global enterprise contracts. Company size ranges from 30-person startups to multi-thousand-employee enterprises.

Business impact

Unlocks tenders and RFPs across the EU, UK, Middle East, and APAC where SOC 2 isn't recognized. Demonstrates a mature ISMS to regulators under GDPR, DORA, and sectoral laws. Reduces cyber-insurance premiums. Serves as the control baseline on which ISO 27017, ISO 27018, and ISO 27701 can be stacked over time instead of redoing the work.

Your learning path

Pick the depth that matches where you are today

Whether you’re evaluating ISO 27001 for the first time, deep in implementation, or running a continuous program, start in the lane that matches your current maturity.


Beginner · Learn the ISMS

Start here — the foundation

Understand what an ISMS is, how ISO 27001 differs from SOC 2, and whether certification makes sense for you.


Intermediate · Implement the ISMS

Build your control set

You've committed. Now scope the ISMS, complete the risk assessment, and select Annex A controls.


Advanced · Audit & Surveillance

Optimize and scale

Prepare for Stage 1 and Stage 2 audits and maintain certification across the 3-year cycle.

Section A

What ISO/IEC 27001:2022 certifies and why ISMS is the centerpiece

ISO 27001 isn't a checklist — it certifies an Information Security Management System (ISMS) that runs on a plan-do-check-act cycle. Understand the structure before you hand a consultant a blank check.

What is ISO 27001?

An international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

The ISMS

A management system: think of it like ISO 9001 for security. Plan, do, check, act. The ISMS sits above your controls and governs how they're run.

2022 Revision

The current version (27001:2022) aligns with ISO 27002:2022 and introduces 93 Annex A controls in 4 themes, down from 114 controls in 14 domains.

Who It Applies To

Any organization, any sector, any size. The standard is deliberately industry-agnostic; scoping is where you tailor it.

ISO 27001 vs ISO 27002

27001 is the certifiable requirements standard. 27002 is the detailed code of practice: a how-to guide for the Annex A controls.

Accredited Certification

Must be issued by a certification body accredited under ISO 17021-1. Certificates from unaccredited bodies carry no weight in enterprise procurement.

Section B

Clauses 4–10 and the 93 Annex A controls

Seven mandatory management clauses set the system in motion. Annex A, reorganized in the 2022 revision into four themes, gives you the control library to pick from — backed by your Statement of Applicability.

Clauses 4–10 (Mandatory)

Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement: the management-system requirements you must meet.

Annex A Controls (93)

4 themes: Organizational (37), People (8), Physical (14), Technological (34). Not all are mandatory; you select them based on risk.

Statement of Applicability (SoA)

The single most important ISO 27001 document. Lists every Annex A control, whether it applies, and justification for exclusions.

Risk Assessment & Treatment

A documented, repeatable methodology. Identify risks, assess likelihood and impact, and decide how each risk is handled (treat with controls, transfer, accept, or avoid).

ISMS Documentation

Information Security Policy, scope document, risk methodology, SoA, risk treatment plan, corrective-action records, management-review minutes.

Continual Improvement

Plan-Do-Check-Act is baked in. Internal audits, management reviews, and corrective actions keep the ISMS alive between audits.

Section C

Stage 1, Stage 2, surveillance, and recertification audits

ISO 27001 certification is a multi-year relationship with an accredited certification body. Plan for the documentation audit, the operational audit, yearly check-ins, and a full recert every three years.

Step 1 · ISMS Scoping (2–3 weeks)

Define which business units, locations, and information assets are in scope. Under-scoping is as risky as over-scoping.

Step 2 · Gap Analysis (4–6 weeks)

Map current controls to Annex A. Identify missing policies, controls, and processes.

Step 3 · Risk Assessment (3–5 weeks)

Run your risk methodology across in-scope assets. Produce the risk register and treatment plan.

Step 4 · Remediation (8–16 weeks)

Implement or update controls, train people, deploy monitoring, run internal audit.

Step 5 · Stage 1 Audit (3–5 days)

Documentation review. Auditor checks scope, SoA, risk assessment, and policies. Minor non-conformities expected.

Step 6 · Stage 2 Audit (5–10 days)

On-site (or remote) evidence and interviews. Covers every Annex A control in your SoA.

Step 7 · Certificate Issued + Surveillance (Year 1–2, Recertification Year 3)

Ongoing surveillance audits each year; full recertification every 3 years.

Section D

Implementation roadmap for a first certification

Most ISO 27001 programs take 4–9 months. The critical path is risk assessment, Statement of Applicability, and internal audit — three artefacts auditors open before anything else.

Gap Assessment

Identify the delta between your current security practices and ISO 27001 requirements before you commit to fieldwork.

Readiness Checklist

Scope defined, SoA complete, risk register live, policies published, internal audit done, management review held.

Documentation

Mandatory docs: scope, ISMS policy, risk methodology, Statement of Applicability (SoA), risk treatment plan, internal audit program.

Internal Audit Program

A prerequisite. You cannot be certified without having run at least one internal ISMS audit and management review.

Management Review

Leadership signs off on ISMS performance with documented outputs: objectives, risks, audit results, improvements.

Certification Body Selection

Choose an accredited body (UKAS, ANAB, DAC, JAB). Check sector experience and auditor backgrounds.

Section E

GRC platforms, evidence automation, and integrated control monitoring

ISO 27001 rewards automation because the evidence cycle never stops. The right platform ties policies, controls, risks, and audits together so your internal audit and surveillance visit take days, not weeks.

Manual vs Automated ISMS

Manual: SharePoint + spreadsheets. Automated: platforms that maintain Annex A evidence, run risk assessments, and generate SoAs.

Benefits of Automation

Annex A is 93 controls; continuous evidence mapping saves hundreds of hours. Risk-register automation replaces bespoke Excel models.

When to Invest

Multi-entity scope, overseas offices, co-existing SOC 2/ISO/GDPR programs. Under 30 headcount? Document-only ISMS is still viable.

Platforms to Consider

Drata, Vanta, Secureframe, Sprinto, Scrut, Thoropass, ISMS.online, ControlCase. Evaluate Annex A templates and integrations.

Our Take

Automation speeds evidence. It does not replace a qualified ISMS Manager (internal or virtual); risk assessment and the SoA still need human judgement.

Section F

ISO 27001 implementation toolkit

Downloadable ISMS templates, risk-assessment workbooks, and internal-audit checklists — the same artefacts we use in client engagements.

Use cases

Where ISO 27001 moves the needle

Real business outcomes we see when clients adopt ISO 27001 with the right implementation partner.

SaaS (Global)

Enterprise procurement in EU, UK, Middle East, and APAC where SOC 2 isn't the default.

Fintech

Regulatory support under DORA (EU) and RBI guidelines (India); foundation for ISO 27701.

Healthcare Tech

Complements HIPAA globally; anchors ISO 27799 (health informatics) for life-sciences vendors.

MSPs & BPOs

Demonstrates ISMS maturity to enterprise clients outsourcing sensitive work.

Pain points

What usually goes wrong and how to avoid it

Patterns we’ve seen across 200+ ISO 27001 engagements. Spot these early and you’ll spare yourself months of rework.

Scope creep

Pulling the entire enterprise into scope when a single product line would suffice.

SoA confusion

Under-documenting exclusions or over-applying controls creates endless non-conformities.

Risk methodology paralysis

Teams debate risk scoring for months while real work stalls.

Certification body mismatch

Generalist auditors miss cloud/SaaS nuance; sector expertise matters.

Explore further

Related frameworks, services & resources

Keep learning — or put ISO 27001 into action with a team that has done it before.

What Enterprise Clients Say


“ISpectra expertly guided us through every step of the SOC 2 certification process, turning complex regulatory requirements into practical, actionable steps. Their partnership-centric approach and responsiveness made all the difference. Achieving SOC 2 certification with their help has significantly enhanced our credibility and trustworthiness in the market.”
Irina Zakharchenko, Chief Operations and People Officer, DocsDNA · SOC 2 Certified

“ISpectra Technologies brought deep expertise in cybersecurity and DevSecOps to our projects, playing a crucial role in our EDR Tool implementations and SOC 2 compliance. Their solutions were tailored to our business and their proactive approach improved both our agility and security posture. ISpectra felt more like an extension of our team than an external vendor.”
Sam K, CEO, Office Hub Tech LLC · SOC 2 + EDR Implementation

“Our Accounts Receivables have started to plummet since implementing RCMEdge. It provides electronic AR follow-up and identifies claims needing extra attention so we don't exhaust valuable resources on claims processing as normal. As a result, we're much more productive and cash flow favorable. Highly recommended!”
Brian Reese, Director of Business Development, 24/7 Medical Billing Services · AR Significantly Reduced

“The VAPT report was presented in a structured and professional manner with clear categorization of vulnerabilities by severity. The depth of technical findings, along with practical remediation suggestions, provided our team with valuable insights. The clarity of documentation made it easy for our internal teams to translate recommendations into actionable steps.”
Karthik Vadivel, Lead System Engineer, ICS Pvt Ltd · VAPT Security Strengthened

“The VAPT assessment was thorough and well-documented, providing a clear view of identified vulnerabilities with practical remediation guidance. The prioritization of risks and actionable recommendations enabled our teams to take corrective measures with clarity and confidence. We truly appreciate the expertise and professionalism your team brought to this engagement.”
Kayden Vincent, Cybersecurity Lead, 247 Medical Billing Services · VAPT Risk Mitigated

“We have successfully secured our ISO 27001 certification through GLOCERT, and ISpectra Technologies was pivotal throughout. Your team's contribution was exceptional, not only in navigating the audit process but in the structural refinement of our internal policies and the practical application of ISMS best practices. The attention to detail ensured that our procedures are not just compliant, but operationally sound. We value the high standard of consultancy ISpectra has maintained and look forward to a continued professional association.”
Chandan P, Business Analyst, Infocruise Solutions Private Limited · ISO 27001 Certified
