
What Is ISO 27001? The Complete Guide for 2026
ISO 27001 is the international standard for information security management. Learn what it covers, how it works, why 96,000+ organizations are certified, and how to get started.
ISO 27001 is the world's leading standard for information security management. In 2024, the number of valid ISO 27001 certificates nearly doubled — from 48,671 to 96,709 certified organizations across more than 150 countries [¹]. That growth is not accidental. Enterprise buyers require it. Regulators reference it. Cyber insurers reward it.
This guide explains exactly what ISO 27001 is, what it covers, how it works, and why it matters for your organization — whether you are just starting to research the standard or preparing to begin certification.
Key Takeaways
- ISO 27001 is an international standard for building and operating an Information Security Management System (ISMS). The current version is ISO/IEC 27001:2022.
- The standard certifies your entire approach to security — not just individual tools or controls. It covers people, processes, and technology.
- 93 Annex A controls are organized into four categories: Organizational, People, Physical, and Technological.
- Certification requires an audit by an accredited third party. The certificate is valid for three years with annual surveillance audits.
- 96,709 organizations were certified in 2024, with the market growing at 15.2% annually [¹][²].
- ISO 27001 aligns with NIS2, DORA, and GDPR, making it a strategic investment for EU companies rather than just a procurement checkbox.
What Is ISO 27001?
ISO 27001 (full name: ISO/IEC 27001) is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
In practical terms, ISO 27001 provides a structured framework for:
- Identifying what information you need to protect — data assets, systems, processes, and people
- Assessing the risks to that information — what could go wrong, how likely it is, and what the impact would be
- Implementing controls to reduce those risks to an acceptable level
- Measuring and improving the effectiveness of your security programme over time
The standard does not prescribe exactly which technologies to use or which specific policies to write. Instead, it provides a risk-based approach: your organization identifies its own threats, assesses their severity, and selects appropriate controls from a reference catalogue (Annex A).
Certification means an accredited, independent certification body has verified that your ISMS meets the standard's requirements. This independent verification is what distinguishes ISO 27001 certification from self-assessments, questionnaires, or vendor compliance claims.
ISO 27001: A Brief History
The ISO 27000 family of standards has its roots in British Standard BS 7799, first published in 1995. The key milestones:
| Year | Development |
|---|---|
| 1995 | BS 7799 published by the British Standards Institution |
| 2000 | BS 7799 Part 1 adopted as ISO/IEC 17799 |
| 2005 | ISO/IEC 27001:2005 published — the first ISO 27001 edition |
| 2013 | ISO/IEC 27001:2013 published — major revision, widely adopted globally |
| 2022 | ISO/IEC 27001:2022 published — current version; restructured Annex A from 114 to 93 controls |
| 2024 | Amendment 1 added — climate change consideration in Clause 4.1 |
| Oct 2025 | All 2013-based certifications expired; 2022 is now the only valid edition |
The 2022 revision was the most significant update in nearly a decade. All organizations that were certified under the 2013 version had until October 2025 to transition. By 2026, every ISO 27001 certification audit is conducted against the 2022 edition [³].
The ISO 27001 Framework: Two Core Components
ISO 27001 has two main parts that work together: the management system requirements and the Annex A reference controls.
Part 1: Management System Requirements (Clauses 4-10)
These seven clauses define how the ISMS must be structured and operated. They apply to every organization regardless of size, industry, or technology stack:
| Clause | Topic | Core Requirement |
|---|---|---|
| Clause 4 | Context of the Organization | Define ISMS scope; identify internal/external factors and interested parties |
| Clause 5 | Leadership | Establish information security policy; assign roles; demonstrate management commitment |
| Clause 6 | Planning | Conduct risk assessment; set risk treatment plan; define security objectives |
| Clause 7 | Support | Allocate resources; build awareness; manage documentation |
| Clause 8 | Operation | Execute risk assessment and risk treatment plans |
| Clause 9 | Performance Evaluation | Monitor effectiveness; conduct internal audits; hold management reviews |
| Clause 10 | Improvement | Address non-conformities; drive continual improvement |
The management system clauses follow the Plan-Do-Check-Act (PDCA) cycle — a universal quality management methodology. Plan the ISMS (Clauses 4-6), Do the implementation (Clauses 7-8), Check its effectiveness (Clause 9), Act to improve it (Clause 10).
Part 2: Annex A Reference Controls
Annex A provides 93 reference controls organized into four categories. These are not mandatory in their entirety — your risk assessment determines which controls apply to your situation. However, if you choose to exclude a control, you must document your justification in the Statement of Applicability (SoA).
Organizational Controls (37 controls)
Governance and management processes, including:
- Information security policies and procedures
- Asset management and information classification
- Access control policies
- Supplier and third-party security management
- Incident management processes
- Business continuity and disaster recovery
- Compliance and legal requirements
People Controls (8 controls)
The human dimension of security:
- Pre-employment screening
- Terms and conditions of employment (including confidentiality)
- Security awareness training and education
- Disciplinary process
- Responsibilities after employment termination
- Remote working policies
Physical Controls (14 controls)
Physical security measures:
- Physical security perimeters and entry controls
- Securing offices, rooms, and data processing facilities
- Equipment protection and maintenance
- Clear desk and clear screen policies
- Secure storage media handling and disposal
Technological Controls (34 controls)
Technical security implementation:
- User authentication, authorization, and access rights
- Encryption and key management
- Security event logging and monitoring
- Network security and segmentation
- Secure software development lifecycle (SDLC)
- Data protection, masking, and leakage prevention
- Vulnerability management and patch management
- Backup and redundancy
The 11 New Controls Added in 2022
The ISO/IEC 27001:2022 revision introduced 11 new controls reflecting modern security challenges:
| Control | Topic |
|---|---|
| A.5.7 | Threat intelligence |
| A.5.23 | Information security for cloud services |
| A.5.30 | ICT readiness for business continuity |
| A.7.4 | Physical security monitoring |
| A.8.9 | Configuration management |
| A.8.10 | Information deletion |
| A.8.11 | Data masking |
| A.8.12 | Data leakage prevention |
| A.8.16 | Monitoring activities |
| A.8.23 | Web filtering |
| A.8.28 | Secure coding |
These additions reflect the security reality of 2022 onwards: cloud-native infrastructure, modern development practices, and more sophisticated threat landscapes. Organizations that had been operating under the 2013 edition needed to assess and implement these new controls as part of their transition [³].
What Is an ISMS?
ISO 27001 certifies your Information Security Management System (ISMS). Understanding what an ISMS actually is helps clarify what certification really means.
An ISMS is not a software product or a technical tool — it is a management system: a set of policies, processes, roles, and controls that work together to systematically manage information security risks.
Think of it like a quality management system (ISO 9001) for security. Just as a quality management system ensures consistent product quality through documented processes and continuous improvement, an ISMS ensures consistent information security through structured risk management.
An ISMS contains:
- Scope definition — what information assets, systems, and processes are in scope
- Risk assessment methodology — how you identify and evaluate risks
- Risk treatment plan — what you do about each risk (mitigate, accept, transfer, avoid)
- Statement of Applicability (SoA) — which Annex A controls apply and how they are implemented
- Policies and procedures — the rules your organization follows
- Control evidence — proof that controls operate effectively
- Internal audit programme — regular checks that the ISMS works
- Management review records — evidence of leadership engagement
- Corrective action tracking — how you respond to and learn from problems
For a detailed guide to building an ISMS, see What Is an ISMS?.
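The risk-based approach described above (identify assets, score the likelihood and impact of what could go wrong, compare against an acceptable level, choose a treatment, and record which Annex A controls apply and why) is easier to see as a small, checkable artefact than as prose. The following Python script is an added example, not code from this page or from Orbiq; it models a risk register, derives treatment decisions, runs the consistency checks an internal audit would make, and produces Statement of Applicability entries with a documented justification for every excluded control. The 1-5 scoring scales, the acceptance threshold of 8, the sample risks and the control catalogue excerpt (limited to control ids named on this page) are all illustrative assumptions.

```python
"""Added example: a minimal ISO 27001-style risk register and SoA derivation.
Scales, threshold, sample risks and catalogue excerpt are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption: 1-5 scales for likelihood and impact; risk score = likelihood x impact (1..25).
RISK_ACCEPTANCE_LEVEL = 8   # assumption: scores at or below 8 may be accepted without treatment

# Constructed catalogue excerpt; ids and titles are the 2022 controls listed on the page.
ANNEX_A_EXCERPT = {
    "A.5.7": "Threat intelligence",
    "A.5.23": "Information security for cloud services",
    "A.8.9": "Configuration management",
    "A.8.12": "Data leakage prevention",
    "A.8.16": "Monitoring activities",
    "A.8.28": "Secure coding",
}

TREATMENT_OPTIONS = ("mitigate", "accept", "transfer", "avoid")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                        # 1 (rare) .. 5 (almost certain)
    impact: int                            # 1 (negligible) .. 5 (severe)
    treatment: str | None = None           # risk owner's decision; None = derive from score
    controls: list[str] = field(default_factory=list)  # Annex A ids selected when mitigating
    rationale: str = ""                    # required when accepting a risk above the threshold

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def decide_treatment(risk: Risk) -> str:
    """Return the treatment option, defaulting from the score when the owner has not chosen."""
    if risk.treatment is not None:
        if risk.treatment not in TREATMENT_OPTIONS:
            raise ValueError(f"unknown treatment {risk.treatment!r} for {risk.asset}")
        return risk.treatment
    return "accept" if risk.score <= RISK_ACCEPTANCE_LEVEL else "mitigate"


def review_findings(register: list[Risk]) -> list[str]:
    """Internal-audit style checks; each string is a finding to resolve before certification."""
    findings: list[str] = []
    for r in register:
        for name, value in (("likelihood", r.likelihood), ("impact", r.impact)):
            if not 1 <= value <= 5:
                findings.append(f"{r.asset}/{r.threat}: {name} {value} is outside the 1-5 scale")
        treatment = decide_treatment(r)
        if treatment == "mitigate" and not r.controls:
            findings.append(f"{r.asset}/{r.threat}: mitigate chosen but no controls selected")
        if treatment == "accept" and r.score > RISK_ACCEPTANCE_LEVEL and not r.rationale:
            findings.append(f"{r.asset}/{r.threat}: score {r.score} accepted above threshold without rationale")
        for cid in r.controls:
            if cid not in ANNEX_A_EXCERPT:
                findings.append(f"{r.asset}/{r.threat}: control {cid} is not in the catalogue")
    return findings


def build_soa(register: list[Risk]) -> dict[str, dict]:
    """Derive Statement of Applicability entries: every catalogue control is either applicable
    (listing the risks that justify it) or excluded with a documented reason."""
    soa = {cid: {"applicable": False, "risks": [], "justification": ""} for cid in ANNEX_A_EXCERPT}
    for r in register:
        if decide_treatment(r) == "mitigate":
            for cid in r.controls:
                if cid in soa:
                    soa[cid]["applicable"] = True
                    soa[cid]["risks"].append(f"{r.asset}: {r.threat}")
    for entry in soa.values():
        entry["justification"] = (
            f"treats {len(entry['risks'])} assessed risk(s)" if entry["applicable"]
            else "no in-scope risk requires this control (excluded; revisit at next assessment)"
        )
    return soa


# Constructed sample register for a small SaaS scope.
SAMPLE_REGISTER = [
    Risk("customer database", "credential theft via exposed cloud storage", 4, 5,
         controls=["A.5.23", "A.8.16"]),                       # score 20 -> mitigate
    Risk("CI pipeline", "vulnerable code merged to production", 3, 4,
         controls=["A.8.28", "A.8.9"]),                        # score 12 -> mitigate
    Risk("marketing site", "defacement of static pages", 2, 2),  # score 4 -> accept
    Risk("support exports", "spreadsheet emailed to wrong customer", 3, 3,
         treatment="mitigate", controls=["A.8.12"]),           # owner chose to mitigate at 9
]

if __name__ == "__main__":
    for finding in review_findings(SAMPLE_REGISTER):
        print("FINDING:", finding)
    for cid, entry in build_soa(SAMPLE_REGISTER).items():
        status = "applicable" if entry["applicable"] else "excluded"
        print(f"{cid} {ANNEX_A_EXCERPT[cid]}: {status} | {entry['justification']}")
```

The two checks that matter most in practice are the ones auditors probe: a risk marked "mitigate" with no control behind it, and a high-scoring risk quietly "accepted" with no recorded rationale. Both surface here as findings rather than silently disappearing into the register.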
Why ISO 27001 Matters in 2026
Enterprise Buyers Require It
The most direct business reason for certification: enterprise procurement processes increasingly require ISO 27001 as a baseline condition. This is particularly true in European markets, where German, Dutch, French, and Nordic buyers expect ISO 27001 certification before signing B2B software contracts.
The data reflects this: 81% of organizations reported having current or planned ISO 27001 certifications in 2025, up from 67% in 2024 — a 14-percentage-point increase in a single year [⁴]. The standard is becoming table stakes, not a differentiator.
NIS2 and DORA Create Regulatory Tailwinds
For organizations subject to the NIS2 Directive or the DORA regulation, ISO 27001 provides significant overlap with regulatory requirements:
- NIS2 Article 21 requires risk analysis, incident handling, business continuity, supply chain security, and other measures — all of which map to ISO 27001 controls
- DORA requires ICT risk management frameworks for financial entities that closely parallel ISO 27001's management system structure
ISO 27001 does not guarantee NIS2 or DORA compliance — both regulations have additional specific requirements that go beyond what an ISMS provides. But it provides approximately 70% of the foundation for NIS2 compliance and reduces the marginal effort of meeting DORA obligations significantly.
Competitive Advantage in Security Reviews
Certified organizations can share their ISO 27001 certificate — along with their scope, Statement of Applicability, and control evidence — through a Trust Center. This enables buyers to self-serve security due diligence without sending questionnaires. For B2B sales teams, this compresses deal cycles by eliminating weeks of back-and-forth security reviews.
Cyber Insurance Benefits
Cyber insurers have become increasingly rigorous about underwriting criteria. ISO 27001-certified organizations demonstrate a systematic approach to risk management, which directly reduces the insurer's exposure. Many policies now offer better premiums or terms for certified organizations [⁴].
Multi-Framework Efficiency
ISO 27001's 93 Annex A controls overlap 70-80% with SOC 2 Trust Services Criteria. Organizations that build their compliance programme around ISO 27001 establish a foundation that extends across multiple frameworks — reducing duplicate effort and cost significantly [⁵].
ISO 27001 vs Other Security Frameworks
ISO 27001 vs SOC 2
| Dimension | ISO 27001 | SOC 2 |
|---|---|---|
| Origin | International (ISO/IEC) | United States (AICPA) |
| Output | Certificate from accredited body | Attestation report from CPA firm |
| Approach | Risk-based with Annex A controls | Criteria-based (Trust Services Criteria) |
| Duration | 3-year certificate with annual surveillance | Annual report covering observation period |
| Cost | EUR 30,000-150,000 first year | USD 30,000-150,000 first year |
| Timeline | 6-12 months | Type II: 9-12 months |
| Geography | Dominant in Europe and internationally | Expected in the US market |
| Regulatory alignment | Strong EU alignment (NIS2, DORA, GDPR) | Strong US alignment |
| Control overlap | 70-80% overlap with SOC 2 | 70-80% overlap with ISO 27001 |
Which should you choose? For European companies, ISO 27001 should be your foundation. For companies with US enterprise customers, consider adding SOC 2. Because of the 70-80% control overlap, pursuing both simultaneously costs 30-40% less than building them separately [⁵].
ISO 27001 vs ISO 27002
A common source of confusion: ISO 27001 is the certifiable standard; ISO 27002 is implementation guidance. Organizations certify against ISO 27001. ISO 27002 provides detailed, non-mandatory guidance on how to implement each of the 93 Annex A controls. You would use ISO 27002 as a reference while building your ISMS, but your certification audit is conducted against ISO 27001's requirements.
ISO 27001 vs NIST Cybersecurity Framework
The NIST CSF is a US framework organized around five functions: Identify, Protect, Detect, Respond, Recover. It is widely used in the United States but is not a certification standard — there is no "NIST CSF certified" equivalent. ISO 27001 and NIST CSF have significant conceptual overlap; ISO 27001's 2022 revision even introduced control attributes that map to NIST CSF's framework. Organizations pursuing global markets typically choose ISO 27001 for its internationally recognized certification and broader geographic acceptance.
What ISO 27001 Certification Proves — and What It Doesn't
What It Proves
ISO 27001 certification proves that, at the time of the audit:
- Your organization has defined the scope of its ISMS
- You have conducted a thorough, documented risk assessment
- You have implemented appropriate controls based on that risk assessment
- Your ISMS processes (internal audit, management review, corrective actions) are operating
- An accredited, independent certification body has verified all of the above through document review, interviews, and evidence testing
What It Doesn't Prove
Knowing what ISO 27001 certification does not guarantee is equally important:
- It does not mean your organization has never been breached. It means you have a systematic approach to managing risk. Breaches can still occur in certified organizations; certification demonstrates how you manage and respond to risk, not that risk is eliminated.
- It does not guarantee NIS2 or DORA compliance. Both regulations have specific requirements that go beyond what an ISMS covers — particularly around incident reporting timelines and management liability.
- It does not cover your entire organization by default. The scope of certification is defined by the organization. Buyers should check the certificate scope carefully.
- It is point-in-time. The certificate reflects your ISMS at the time of the audit. The annual surveillance audits verify continued operation, but significant changes after an audit may not be reflected until the next review.
The ISO 27001 Certification Process: Overview
Getting ISO 27001 certified involves building the ISMS, operating it for a period, and then having an accredited certification body audit it. Here is a high-level overview:
- Gap analysis — Assess your current security posture against ISO 27001 requirements
- Define scope — Determine what your ISMS will cover
- Risk assessment — Identify and evaluate risks to your in-scope assets
- Implement controls — Deploy the controls needed to treat identified risks
- Document the ISMS — Write policies, procedures, and the Statement of Applicability
- Operate the ISMS — Run it long enough to generate evidence (typically 3-6 months)
- Internal audit — Conduct an internal audit before the certification audit
- Management review — Hold a formal management review of ISMS performance
- Stage 1 audit — Certification body reviews your documentation
- Stage 2 audit — Certification body verifies implementation through interviews and evidence testing
- Certification — Certificate issued if no major non-conformities remain
- Maintenance — Annual surveillance audits; full recertification in year 3
For the complete step-by-step guide including costs, timelines, and common mistakes, see ISO 27001 Certification: The Complete Guide.
ISO 27001 and the ISO 27000 Family
ISO 27001 is the core of a broader ISO/IEC 27000 family of information security standards. Each standard in the family addresses a specific domain:
| Standard | Focus |
|---|---|
| ISO/IEC 27001 | ISMS requirements (certifiable) |
| ISO/IEC 27002 | Annex A control implementation guidance |
| ISO/IEC 27003 | ISMS implementation guidance |
| ISO/IEC 27004 | ISMS monitoring and measurement |
| ISO/IEC 27005 | Information security risk management |
| ISO/IEC 27017 | Cloud service security controls |
| ISO/IEC 27018 | Protection of personal data in cloud services |
| ISO/IEC 27701 | Privacy Information Management System (PIMS) — extends ISO 27001 for GDPR |
ISO/IEC 27701 is particularly relevant for EU companies. It extends ISO 27001 and ISO 27002 to cover privacy information management, providing a framework for demonstrating GDPR compliance as an extension of your ISMS. Organizations already certified to ISO 27001 can pursue ISO 27701 certification with relatively low incremental effort.
Who Certifies Organizations for ISO 27001?
Certification is conducted by accredited certification bodies — independent organizations that have been granted authority to issue ISO 27001 certificates by a national accreditation body.
National accreditation bodies by country:
| Country | Accreditation Body |
|---|---|
| Germany | DAkkS (Deutsche Akkreditierungsstelle) |
| United Kingdom | UKAS (United Kingdom Accreditation Service) |
| France | COFRAC (Comité Français d'Accréditation) |
| Netherlands | RvA (Raad voor Accreditatie) |
| United States | ANAB |
| International | IAF (International Accreditation Forum) members |
Well-known certification bodies include BSI Group, TÜV SÜD, TÜV Rheinland, Bureau Veritas, DNV, LRQA, and SGS. For European companies, certification by a DAkkS- or UKAS-accredited body typically carries more weight with enterprise buyers than certification by smaller or less well-known bodies.
What to check when selecting a certification body:
- Is it accredited by a recognized national accreditation body?
- Does it have auditors with experience in your industry (SaaS, cloud infrastructure, financial services)?
- Can it audit your geographic locations?
- Does it have references from organizations comparable to yours?
What Most Guides Don't Tell You About ISO 27001
From our work with European B2B companies on ISO 27001 programmes, a few realities stand out that rarely appear in beginner guides:
1. The Risk Assessment Is Both the Hardest and Most Valuable Part
Most organizations underestimate the risk assessment. It is not a spreadsheet exercise where you copy someone else's template. A meaningful risk assessment forces you to understand your actual information assets, threats, and vulnerabilities — and creates the documented foundation for every control decision that follows. Organizations that do their risk assessments properly tend to build better, more coherent security programmes. Those that rush it end up with inappropriate controls and audit findings.
2. Evidence Quality Matters More in 2026 Than Ever Before
Auditors are becoming more demanding about evidence. Screenshots, spreadsheets, and point-in-time extracts are no longer sufficient for many certification bodies. Auditors want evidence that demonstrates continuous operation of controls over the full observation window (typically 6-12 months): timestamped logs, ticket histories, meeting minutes, and documentation showing that controls were applied consistently — not assembled before the audit [³].
3. Scope Decisions Are Strategic
The ISMS scope definition looks like an administrative step but has significant strategic implications. Scoping too narrowly (certifying only one product while running many) creates questions about what buyers' data is actually covered. Scoping too broadly makes implementation overwhelming. For most B2B SaaS companies, scoping to cover the core product, its infrastructure, and the teams who build and operate it is the right balance.
4. Maintenance Is Often Harder Than Initial Certification
Many organizations achieve certification and then lose momentum. The annual surveillance audits catch this: controls that were implemented for the initial audit start degrading, evidence collection becomes inconsistent, and the ISMS exists on paper more than in practice. The solution is building maintenance into regular operations — not treating the ISMS as a separate compliance project that runs in parallel with real work.
5. Automation Has Changed the Economics
Five years ago, ISO 27001 required extensive manual work: monthly spreadsheet exports, manually collected screenshots, hand-assembled audit packs. Compliance automation platforms now connect to your cloud providers, identity management, code repositories, and security tools to collect evidence continuously. Organizations using automation are achieving certification in 4-6 months rather than 9-12 months, with significantly lower internal resource requirements [⁴].
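Points 2 and 5 above come down to one question an auditor asks of every control: does the evidence show it operated continuously across the observation window, or was it assembled in the days before the audit? The following Python script is an added example, not code from this page, from Orbiq or from any compliance platform; it takes dated evidence items per control, a required cadence, and an observation window, and reports both the intervals where evidence is missing and controls whose evidence is clustered at the end of the window. The window dates, the cadences, the 14-day/80% clustering rule and the sample evidence are constructed assumptions; the control ids are the 2022 controls named on this page.

```python
"""Added example: evidence-continuity check for ISMS controls over an observation window.
Window, cadences, clustering rule and sample evidence are constructed assumptions."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ControlEvidenceReport:
    control: str
    items_in_window: int
    gaps: list[tuple[date, date, int]]   # (gap start, gap end, days) longer than the allowed interval
    assembled_late: bool                  # most evidence dated in the final days before the audit


def check_control(control: str, dates: list[date], window_start: date, window_end: date,
                  max_gap_days: int, cluster_days: int = 14,
                  cluster_fraction: float = 0.8) -> ControlEvidenceReport:
    """Walk the window from start to end through every evidence date; any interval longer
    than max_gap_days is a period in which the control cannot be shown to have operated."""
    in_window = sorted(d for d in set(dates) if window_start <= d <= window_end)
    points = [window_start, *in_window, window_end]
    gaps = []
    for earlier, later in zip(points, points[1:]):
        days = (later - earlier).days
        if days > max_gap_days:
            gaps.append((earlier, later, days))
    # Assumed heuristic for "assembled before the audit": with at least three items,
    # 80% or more of them dated within the last 14 days of the window.
    cutoff = window_end - timedelta(days=cluster_days)
    late = sum(1 for d in in_window if d >= cutoff)
    assembled_late = len(in_window) >= 3 and late / len(in_window) >= cluster_fraction
    return ControlEvidenceReport(control, len(in_window), gaps, assembled_late)


def run_checks(evidence: list[tuple[str, date]], required_interval_days: dict[str, int],
               window_start: date, window_end: date) -> dict[str, ControlEvidenceReport]:
    """Group evidence by control id and check every control that has a required cadence."""
    by_control: dict[str, list[date]] = defaultdict(list)
    for control, when in evidence:
        by_control[control].append(when)
    return {
        control: check_control(control, by_control.get(control, []),
                               window_start, window_end, interval)
        for control, interval in required_interval_days.items()
    }


# Constructed scenario: a six-month observation window and assumed cadences per control.
WINDOW_START, WINDOW_END = date(2025, 7, 1), date(2025, 12, 31)
REQUIRED_INTERVAL_DAYS = {
    "A.8.16": 7,    # monitoring activities: weekly log review ticket
    "A.8.9": 30,    # configuration management: monthly baseline review
    "A.5.7": 35,    # threat intelligence: monthly digest, with a few days of slack
}
SAMPLE_EVIDENCE = (
    # weekly review tickets, with two consecutive weeks missed in September
    [("A.8.16", date(2025, 7, 3) + timedelta(days=7 * i)) for i in range(26) if i not in (10, 11)]
    # baseline reviews all performed in the week before the audit
    + [("A.8.9", date(2025, 12, day)) for day in (18, 19, 20, 22, 23)]
    # threat intelligence digest on the first of every month
    + [("A.5.7", date(2025, month, 1)) for month in range(7, 13)]
)

if __name__ == "__main__":
    for control, report in run_checks(SAMPLE_EVIDENCE, REQUIRED_INTERVAL_DAYS,
                                      WINDOW_START, WINDOW_END).items():
        print(f"{control}: {report.items_in_window} items, late-assembled={report.assembled_late}")
        for start, end, days in report.gaps:
            print(f"  no evidence between {start} and {end} ({days} days)")
```

Run against the constructed data, the weekly monitoring control shows a single three-week hole in September, the configuration-management control fails on both counts (a 170-day gap and all evidence dated in the final week), and the monthly threat-intelligence digest passes cleanly. Feeding this check with exports from ticketing, SIEM and CI systems, rather than with screenshots, is the difference the text describes between continuous evidence and an audit pack built at the last minute.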
Getting Started with ISO 27001
If you are researching ISO 27001 for the first time, here is a practical starting path:
Step 1: Understand what you are protecting. Before any formal ISMS work, document your key information assets: customer data, intellectual property, infrastructure, and the systems that process them. This context-setting makes everything that follows more grounded.
Step 2: Run a gap analysis. Compare your current security controls and documentation against ISO 27001 requirements. Most organizations find they already have some controls in place (access management, backups, incident response) but lack the documentation, evidence, and management system structure that ISO 27001 requires.
Step 3: Estimate scope and budget. Use our ISO 27001 certification cost and timeline guide to build a realistic project plan based on your organization's size and complexity.
Step 4: Evaluate tooling. The decision between spreadsheet-based compliance and a dedicated ISMS platform is fundamentally an economics question: how much is your team's time worth, and how important is audit-ready evidence at all times?
Step 5: Choose a certification body early. Certification bodies book up quickly. Once you decide to pursue certification, contact potential certification bodies 3-4 months before your anticipated audit date. Get quotes from at least three bodies.
Frequently Asked Questions
What is ISO 27001 in simple terms?
ISO 27001 is an internationally recognized standard that tells organizations how to build, run, and improve a system for managing information security risks. Independent auditors verify compliance and issue a certificate valid for three years.
Who needs ISO 27001?
Any organization that handles sensitive information benefits from ISO 27001. It is especially critical for B2B software companies, cloud service providers, financial institutions, healthcare organizations, and government contractors selling to European enterprise buyers.
What does ISO 27001 certification prove?
It proves that an accredited, independent auditor has verified that your organization has assessed its information security risks, implemented appropriate controls, and established management processes to maintain and improve your security programme continuously.
How is ISO 27001 different from ISO 27002?
ISO 27001 is the certifiable standard organizations are audited against. ISO 27002 provides supplementary guidance on implementing the Annex A controls. You certify against ISO 27001; ISO 27002 helps you implement controls effectively.
Is ISO 27001 mandatory in the EU?
ISO 27001 is not legally mandatory, but it is effectively a market requirement for B2B companies in Europe. NIS2 references ISO 27001 controls, and enterprise procurement processes frequently require it.
What is the ISO 27001:2022 amendment?
Amendment 1 (2024) requires organizations to assess whether climate change is a relevant issue for their ISMS context — for example, whether extreme weather events could affect data centers or business continuity.
Further Reading
- ISO 27001 Certification: The Complete Guide — Step-by-step certification process, costs, and timeline
- What Is an ISMS? — The management system that ISO 27001 certifies
- SOC 2 Compliance — How ISO 27001 compares to SOC 2 for US market access
- Compliance Automation — Automating ISO 27001 evidence collection
- NIS2 Compliance — The EU directive that references ISO 27001 controls
- ISMS Software by Orbiq — Manage your ISO 27001 programme
Sources & References
[¹] HEIC — ISO 27001 Certifications Nearly Double in 2024: https://heic.eu/iso-27001-certifications-nearly-double-in-2024-as-global-organizations-prioritize-cybersecurity/
[²] Business Research Insights — ISO 27001 Certification Market Insights 2035: https://www.businessresearchinsights.com/market-reports/iso-27001-certification-market-120318
[³] Konfirmity — ISO 27001 What Changed in 2026: https://www.konfirmity.com/blog/iso-27001-what-changed-in-2026
[⁴] Secureframe — 130+ Compliance Statistics & Trends 2026: https://secureframe.com/blog/compliance-statistics
[⁵] SOC 2 Auditors — SOC 2 vs ISO 27001 (2026): https://soc2auditors.org/insights/soc-2-vs-iso-27001/
This guide is maintained by the Orbiq team. Last updated: March 2026.