ISO/IEC 27001:2022

ISO 27001 compliance guide

ISO 27001 is the international standard for information security management. Whether required by customers or pursued voluntarily, we help you implement all 93 Annex A controls and achieve certification.

Start risk assessmentBook certification consultation

What is ISO 27001?

ISO/IEC 27001:2022 is the international standard for establishing, implementing, maintaining and continually improving an information security management system (ISMS). It provides a systematic approach to managing sensitive company information based on risk assessment.

Latest version: ISO 27001:2022 replaced the 2013 version in October 2022. Organizations certified to the 2013 version must transition by October 31, 2025. The 2022 version restructured Annex A from 114 controls in 14 categories to 93 controls in 4 themes.

PDCA cycle

Plan-Do-Check-Act continuous improvement

Certification

Third-party audited and recognized globally

Complements SOC 2 for US markets and ISO 42001 for AI systems.

Who needs ISO 27001 certification?

Organizations handling sensitive data

Customer data, financial records, health information

Cloud service providers

SaaS, PaaS, IaaS providers requiring security certification

Financial services

Banks, fintech, payment processors

Healthcare organizations

Hospitals, clinics, health tech companies

Government contractors

Organizations working with public sector data

Global enterprises

Demonstrating security commitment to customers and partners

How VerifyWise supports ISO 27001 compliance

Purpose-built capabilities for ISMS implementation and certification

Asset inventory and information classification

Register all information assets with structured metadata covering ownership, classification and handling requirements. The platform captures the asset context required by A.5.9 and maintains the inventory mandated by A.5.1.

Addresses: A.5.1 Inventory of information, A.5.9 Asset classification

Risk assessment and treatment

Identify security risks using structured assessment methods aligned with ISO 27001 requirements. The platform tracks risk sources, treatment decisions and generates the documentation required by Clauses 6.1.2 and 8.2.

Addresses: Clause 6.1.2 Information security risk assessment, Clause 8.2 Risk treatment

ISMS policy and procedure management

Establish information security policies, define roles and generate procedures aligned with ISO 27001. The platform maintains policy versioning and approval workflows that satisfy Clause 5.2 and A.5.1.

Addresses: Clause 5.2 Information security policy, A.5.1 Policies for information security

Control implementation tracking

Track implementation of all 93 Annex A controls with evidence collection. The platform documents control status, responsible parties and maintains the audit trail required by Clause 6.1.3.

Addresses: Clause 6.1.3 Statement of Applicability, Clause 8.1 Operational planning

Continuous monitoring and metrics

Track ISMS performance with KPIs aligned to security objectives. The platform consolidates monitoring data, incident patterns and control effectiveness for ongoing visibility required by Clause 9.1.

Addresses: Clause 9.1 Monitoring and measurement, A.5.7 Threat intelligence

Internal audit and management review

Manage audit programs with structured workflows and feed findings into improvement cycles. The platform supports the Plan-Do-Check-Act cycle central to ISO 27001 certification and maintenance.

Addresses: Clause 9.2 Internal audit, Clause 9.3 Management review, Clause 10 Continual improvement

All ISMS activities maintain comprehensive audit trails with timestamps, assigned responsibilities and approval workflows. This demonstrates systematic information security management for certification audits.

Complete ISO 27001 requirements coverage

VerifyWise addresses all mandatory clauses and Annex A controls

93

Annex A controls in ISO 27001:2022

93

Controls with dedicated tooling

100%

Coverage across all 4 themes

Clause 4-107/7

ISMS mandatory clauses and PDCA cycle

Organizational37/37

Policies, roles, supplier relationships

People8/8

Screening, awareness, disciplinary

Physical14/14

Secure areas, equipment, disposal

Technological34/34

Access control, cryptography, logging

Built for ISO 27001:2022 certification

Statement of Applicability

Auto-generate SoA with control justifications and exclusions

Risk treatment plan

Track risk treatment decisions and residual risk acceptance

Internal audit program

Manage audit schedules, findings and corrective actions

Multi-framework mapping

Crosswalk to ISO 42001, SOC 2 and NIST requirements

ISMS mandatory clauses (4-10)

ISO 27001 follows the Plan-Do-Check-Act cycle across seven mandatory clauses

Clause 4

Context of the organization

Understand organizational context, interested parties, and define ISMS scope.

  • Internal and external issues
  • Interested parties and requirements
  • ISMS scope determination
  • Information security management system establishment
Clause 5

Leadership

Demonstrate leadership commitment and establish information security policy.

  • Leadership and commitment
  • Information security policy
  • Organizational roles and responsibilities
  • Assignment of authorities
Clause 6

Planning

Address risks and opportunities, set objectives and plan to achieve them.

  • Actions to address risks and opportunities
  • Information security risk assessment
  • Information security risk treatment
  • Information security objectives and planning
Clause 7

Support

Ensure resources, competence, awareness and documented information.

  • Resources provision
  • Competence requirements
  • Awareness training
  • Communication protocols
  • Documented information control
Clause 8

Operation

Implement and operate ISMS processes.

  • Operational planning and control
  • Information security risk assessment execution
  • Information security risk treatment implementation
Clause 9

Performance evaluation

Monitor, measure, analyze and evaluate ISMS performance.

  • Monitoring, measurement, analysis and evaluation
  • Internal audit program
  • Management review
Clause 10

Improvement

Address nonconformities and continually improve ISMS.

  • Nonconformity and corrective action
  • Continual improvement of ISMS

PDCA cycle

Continuous improvement model

Annex A: 93 security controls

ISO 27001:2022 organizes controls into 4 themes covering organizational, people, physical and technological security

Organizational controls

37 controls

Policies, procedures, roles, and organizational security measures.

Key controls

  • • A.5.1 Policies for information security
  • • A.5.7 Threat intelligence
  • • A.5.9 Inventory of information and other associated assets
  • • A.5.10 Acceptable use of information
  • • A.5.23 Information security for use of cloud services
  • • A.5.24 Information security incident management planning

Examples

Information security policy, asset classification, supplier security, incident response planning

People controls

8 controls

Human resource security throughout the employment lifecycle.

Key controls

  • • A.6.1 Screening
  • • A.6.2 Terms and conditions of employment
  • • A.6.3 Information security awareness, education and training
  • • A.6.4 Disciplinary process
  • • A.6.5 Responsibilities after termination
  • • A.6.6 Confidentiality agreements

Examples

Background checks, security awareness training, employment contracts, offboarding procedures

Physical controls

14 controls

Protection of physical areas, equipment and assets.

Key controls

  • • A.7.1 Physical security perimeters
  • • A.7.2 Physical entry
  • • A.7.4 Physical security monitoring
  • • A.7.7 Clear desk and clear screen
  • • A.7.10 Storage media
  • • A.7.14 Secure disposal of equipment

Examples

Access control to offices, visitor management, CCTV, equipment disposal, clean desk policy

Technological controls

34 controls

Technical security measures for systems and networks.

Key controls

  • • A.8.1 User endpoint devices
  • • A.8.2 Privileged access rights
  • • A.8.3 Information access restriction
  • • A.8.5 Secure authentication
  • • A.8.10 Information deletion
  • • A.8.24 Use of cryptography
  • • A.8.28 Secure coding

Examples

Access control, encryption, logging, vulnerability management, secure development, backup

Note: Not all 93 controls apply to every organization. Your Statement of Applicability documents which controls you implement and provides justification for any exclusions based on your risk assessment.

Start control assessment

ISO 27001:2022 vs 2013

Key changes in the latest version and transition requirements

AspectISO 27001:2022ISO 27001:2013
Structure
4 themes: Organizational, People, Physical, Technological14 categories organized by topic
Control count
93 controls (streamlined and consolidated)114 controls (more granular)
Naming convention
Attributes: Preventive, Detective, CorrectiveCategories only
Cloud focus
A.5.23 Cloud services explicit controlCloud covered implicitly
Threat intelligence
A.5.7 Dedicated threat intelligence controlPart of incident management
Transition deadline
October 31, 2025 (all certifications must transition)No longer valid after October 2025

Transition deadline: October 31, 2025

Organizations certified to ISO 27001:2013 must transition to ISO 27001:2022 by this date. After October 31, 2025, ISO 27001:2013 certificates will no longer be valid.

What changed: 11 new controls added, 24 controls merged, 58 controls updated. Focus on emerging risks including cloud security, threat intelligence, and information security for cloud services.

ISO 27001 certification process

Two-stage audit conducted by accredited certification bodies

Stage 1

Documentation review

Auditor reviews ISMS documentation to verify completeness

Key activities

  • Review ISMS scope and policies
  • Evaluate Statement of Applicability
  • Assess risk assessment methodology
  • Check documented procedures
Stage 2

Implementation audit

On-site assessment of ISMS implementation and operation

Key activities

  • Verify control implementation
  • Interview personnel
  • Review evidence and records
  • Test control effectiveness
  • Identify nonconformities
Initial

Stage 1 + Stage 2 audit

Certification valid 3 years

Annual

Surveillance audits

Years 1 and 2 after certification

Year 3

Recertification audit

Full reassessment

26-week implementation roadmap

Structured path from gap analysis to certification audit

Phase 1Weeks 1-4

Scoping and gap analysis

  • Define ISMS scope and boundaries
  • Conduct initial gap assessment
  • Identify key stakeholders
  • Establish project governance
Phase 2Weeks 5-12

Risk assessment and treatment

  • Identify information assets
  • Conduct risk assessment
  • Select Annex A controls
  • Develop Statement of Applicability
  • Create risk treatment plan
Phase 3Weeks 13-20

Implementation and documentation

  • Implement selected controls
  • Develop ISMS policies and procedures
  • Conduct security awareness training
  • Establish monitoring processes
Phase 4Weeks 21-26

Audit and certification

  • Conduct internal audit
  • Management review
  • Address findings
  • Stage 1 and Stage 2 certification audit
Policy templates

ISO 27001 policy and procedure templates

Access ready-to-use ISMS documentation aligned with ISO 27001:2022 requirements and compatible with ISO 42001 and SOC 2

Organizational

  • • Information Security Policy
  • • Asset Management Policy
  • • Supplier Security Policy
  • • Incident Response Plan
  • • Business Continuity Plan
  • • Cloud Security Policy
  • + 8 more policies

People & physical

  • • Security Awareness Training
  • • Acceptable Use Policy
  • • Access Control Policy
  • • Physical Security Policy
  • • Clear Desk Procedure
  • • Visitor Management
  • + 6 more policies

Technological

  • • Encryption Policy
  • • Backup & Recovery Policy
  • • Vulnerability Management
  • • Logging & Monitoring
  • • Secure Development Policy
  • • Network Security Policy
  • + 9 more policies
Browse all ISMS templates

Frequently asked questions

Common questions about ISO 27001 certification

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring confidentiality, integrity and availability. The latest version is ISO 27001:2022. See the official ISO 27001 page for complete details.
ISO 27001 focuses on information security management, while ISO 42001 focuses specifically on AI management systems. Organizations deploying AI systems often implement both: ISO 27001 for securing information assets and ISO 42001 for responsible AI governance. They share similar PDCA structures but address different domains.
A typical ISO 27001 certification project takes 6-12 months depending on organizational size, complexity and existing security maturity. Smaller organizations with good existing practices can move faster. The certification audit itself is a two-stage process conducted by accredited certification bodies.
ISO 27001:2022 contains 93 controls organized into 4 themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). Not all controls apply to every organization. The Statement of Applicability documents which controls you implement and justifies exclusions.
ISO 27001 is voluntary but often required by contracts, regulations or industry standards. Many industries (financial services, healthcare, cloud providers) require it for vendor relationships. Some regulations reference ISO 27001 as an acceptable security framework. Customer contracts frequently require certification.
Organizations certified to ISO 27001:2013 must transition to ISO 27001:2022 by October 31, 2025. After this date, ISO 27001:2013 certificates will no longer be valid. New certifications since October 2022 use the 2022 version. Transition audits assess the 21 new/changed controls.
PDCA is the continuous improvement model underlying ISO 27001. Plan: Establish ISMS (Clauses 4-6). Do: Implement and operate (Clauses 7-8). Check: Monitor and review (Clause 9). Act: Maintain and improve (Clause 10). This cycle ensures your ISMS evolves with changing threats and business needs.
ISO 27001 is an international standard with third-party certification, while SOC 2 is a US-based audit framework. ISO 27001 has prescriptive Annex A controls; SOC 2 uses Trust Services Criteria. Many organizations pursue both: ISO 27001 for global recognition and SOC 2 for US customer requirements.
ISO 27001 requires documented information including: ISMS scope, information security policy, risk assessment methodology, risk treatment plan, Statement of Applicability, procedures for operations, monitoring and audit programs, competence records and management review minutes. The standard doesn't mandate specific formats.
Certification costs vary widely based on organizational size, scope complexity and chosen certification body. Budget for certification body fees (typically $10,000-50,000 annually), consultant fees if used, training costs and internal staff time. Ongoing surveillance audits occur annually with recertification every 3 years.
No, ISO 27001 certification requires an independent audit by an accredited certification body. You can implement ISO 27001 controls without certification, but to claim certification, you must undergo the formal two-stage audit process. Search for accredited certification bodies through national accreditation organizations.
ISO 27001 addresses many GDPR security requirements through controls like access management, encryption, incident response and data protection. GDPR Article 32 requires appropriate technical and organizational measures; ISO 27001 provides a recognized framework. However, ISO 27001 doesn't cover all GDPR requirements (like data subject rights and privacy impact assessments).
After initial certification, certification bodies conduct annual surveillance audits to verify ISMS maintenance and improvement. These are shorter than the initial Stage 2 audit and focus on: ongoing control effectiveness, management review outputs, internal audit results, handling of incidents and nonconformities, and changes to the ISMS. Recertification occurs every 3 years.
Yes, VerifyWise provides dedicated tooling for ISO 27001 implementation. Our platform helps you conduct risk assessments, track Annex A control implementation, manage ISMS documentation, run internal audits and generate evidence for certification audits. We also provide crosswalks to ISO 42001, NIST AI RMF and EU AI Act for organizations implementing multiple frameworks.

Ready to achieve ISO 27001 certification?

Start your ISMS implementation with our guided assessment and certification preparation tools.

Start ISMS assessmentSchedule certification consultation
ISO 27001:2022 Annex A controls and compliance guide