ISO 27001 Certification: What It Is, What It Requires, and How to Get Certified
2026-03-07
By Orbiq Team

A practical guide to ISO 27001 certification — what it covers, how the audit works, what Annex A controls require, how it relates to NIS2 and DORA, and what European companies need to know about achieving and maintaining certification.

Tags: ISO 27001, Certification, ISMS, Information Security, Annex A, NIS2, DORA

ISO 27001 is the international gold standard for information security management. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it defines the requirements for building, operating, and improving an Information Security Management System (ISMS).

For European companies, ISO 27001 serves a dual purpose: it satisfies enterprise buyer requirements during procurement and provides a structured foundation for meeting regulatory obligations under NIS2 and DORA.

This guide covers what the standard requires, how the certification audit works, what the 2022 revision changed, and how ISO 27001 fits into the broader European compliance landscape.


What ISO 27001 Requires

ISO 27001 has two main parts: the management system requirements (Clauses 4-10) and the reference controls (Annex A).

Management System Requirements (Clauses 4-10)

These clauses define how your ISMS must operate:

  • Clause 4 — Context of the Organization: Define scope, understand interested parties, determine internal and external issues affecting information security
  • Clause 5 — Leadership: Establish information security policy, assign roles and responsibilities, demonstrate management commitment
  • Clause 6 — Planning: Conduct risk assessment, define risk treatment plan, set information security objectives, plan changes
  • Clause 7 — Support: Allocate resources, ensure competence, build awareness, establish communication channels, manage documented information
  • Clause 8 — Operation: Execute risk assessment and risk treatment, manage operational planning and control
  • Clause 9 — Performance Evaluation: Monitor and measure ISMS effectiveness, conduct internal audits, perform management reviews
  • Clause 10 — Improvement: Address non-conformities, implement corrective actions, drive continual improvement

Annex A Controls (ISO 27001:2022)

Annex A provides 93 reference controls organized into four categories:

Organizational Controls (37 controls)

Covering governance, policies, and management processes:

  • Information security policies and roles
  • Asset management and classification
  • Access control and identity management
  • Supplier and third-party security
  • Incident management and business continuity
  • Compliance and legal requirements

People Controls (8 controls)

Covering the human element of security:

  • Pre-employment screening
  • Terms and conditions of employment
  • Security awareness and training
  • Disciplinary process
  • Responsibilities after termination
  • Remote working and confidentiality agreements

Physical Controls (14 controls)

Covering physical security measures:

  • Physical security perimeters and entry controls
  • Securing offices, rooms, and facilities
  • Equipment protection and maintenance
  • Clear desk and clear screen policies
  • Storage media handling and disposal

Technological Controls (34 controls)

Covering technical security measures:

  • User authentication and access rights
  • Encryption and key management
  • Security logging and monitoring
  • Network security and segregation
  • Secure development lifecycle
  • Data protection and privacy
  • Vulnerability management and patch management
  • Backup and redundancy

Statement of Applicability (SoA)

The SoA is one of the most critical ISO 27001 documents. It lists every Annex A control and states:

  • Whether the control is applicable or excluded
  • Justification for inclusion or exclusion
  • How the control is implemented
  • Reference to supporting documentation

The SoA links your risk assessment to your control implementation — auditors examine it carefully.


The Certification Process

Choosing a Certification Body

Select an accredited certification body (CB). Key considerations:

  • Accreditation: Ensure the CB is accredited by a national accreditation body (e.g., DAkkS in Germany, UKAS in the UK, COFRAC in France)
  • Industry experience: Choose a CB with auditors experienced in your industry and technology stack
  • Geographic coverage: For multi-location companies, ensure the CB can audit all sites
  • Reputation: The CB's reputation affects how buyers perceive your certification

Stage 1 Audit (Documentation Review)

The Stage 1 audit is a readiness check:

  1. Document review — The auditor examines your ISMS documentation: policies, risk assessment, SoA, procedures, and records
  2. Scope verification — Confirms the ISMS scope is appropriate and clearly defined
  3. Readiness assessment — Evaluates whether the ISMS is sufficiently implemented for Stage 2
  4. Planning — Identifies focus areas for the Stage 2 audit

Duration: Typically 1-2 days on-site or remote

Output: Stage 1 report identifying any areas of concern and confirming readiness (or not) for Stage 2

Stage 2 Audit (Implementation Verification)

The Stage 2 audit verifies that your ISMS operates effectively:

  1. Control testing — Auditors test controls through interviews, observation, inspection of evidence, and re-performance
  2. Process verification — Verifies that ISMS processes (risk assessment, internal audit, management review) are functioning
  3. Evidence sampling — Reviews samples of records, logs, and documentation across the audit period
  4. Staff interviews — Speaks with personnel at various levels to verify awareness and compliance
  5. Findings classification — Issues are classified as:
    • Major non-conformity — Significant failure requiring correction before certification
    • Minor non-conformity — Isolated failure requiring a corrective action plan
    • Observation — Area for improvement (does not block certification)

Duration: Typically 3-10 days depending on organization size and scope

Output: Stage 2 report with findings and recommendation for certification

Certification Decision

After Stage 2:

  • If no major non-conformities: certification is recommended
  • If major non-conformities exist: you must address them and provide evidence before certification is granted
  • Minor non-conformities require a corrective action plan within an agreed timeframe
  • The certification body's review panel makes the final certification decision

Maintaining Certification

ISO 27001 certification is valid for three years with ongoing obligations:

  • Surveillance audits — Annual audits (typically in years 1 and 2) verify continued ISMS operation. Smaller in scope than the initial audit.
  • Continual improvement — You must demonstrate that the ISMS is improving, not just maintained
  • Re-certification audit — Full audit in year 3 to renew the certificate for another three-year cycle
  • Ongoing operation — The ISMS must operate continuously between audits — risk assessments updated, incidents managed, controls monitored, internal audits conducted

ISO 27001:2022 — What Changed

The 2022 revision brought significant changes to Annex A while keeping the management system clauses largely intact:

Restructured Control Categories

  ISO 27001:2013          | ISO 27001:2022
  ------------------------|------------------------
  14 control categories   | 4 control categories
  114 controls            | 93 controls
  A.5-A.18 numbering      | A.5-A.8 numbering

11 New Controls

The 2022 revision added controls reflecting modern security challenges:

  1. A.5.7 Threat intelligence — Collecting and analyzing threat information
  2. A.5.23 Information security for cloud services — Managing cloud-specific risks
  3. A.5.30 ICT readiness for business continuity — Ensuring technology supports continuity plans
  4. A.7.4 Physical security monitoring — Surveillance and detection systems
  5. A.8.9 Configuration management — Managing system configurations securely
  6. A.8.10 Information deletion — Secure deletion when no longer needed
  7. A.8.11 Data masking — Protecting sensitive data through masking techniques
  8. A.8.12 Data leakage prevention — Preventing unauthorized data exfiltration
  9. A.8.16 Monitoring activities — Security event monitoring and analysis
  10. A.8.23 Web filtering — Managing access to external websites
  11. A.8.28 Secure coding — Applying secure development principles

Control Attributes

The 2022 version introduces five attributes for each control, enabling organizations to create different views:

  • Control type: Preventive, Detective, Corrective
  • Information security properties: Confidentiality, Integrity, Availability
  • Cybersecurity concepts: Identify, Protect, Detect, Respond, Recover
  • Operational capabilities: Governance, Asset management, etc.
  • Security domains: Governance and ecosystem, Protection, Defence, Resilience

ISO 27001 and European Regulations

NIS2 Alignment

ISO 27001 maps well to NIS2 Article 21 requirements, but gaps exist:

  NIS2 Article 21 Measure         | ISO 27001 Coverage
  --------------------------------|--------------------------------------------------------------------------------------------------
  Risk analysis and security policies | Strong — Clauses 6, 8, Annex A.5
  Incident handling               | Partial — A.5.24-A.5.28 cover management but not NIS2's 24-hour reporting
  Business continuity             | Strong — A.5.29-A.5.30
  Supply chain security           | Partial — A.5.19-A.5.22 cover supplier security but NIS2 requires deeper supply chain assessment
  System acquisition security     | Strong — A.8.25-A.8.31
  Effectiveness assessment        | Strong — Clause 9
  Cyber hygiene and training      | Strong — A.6.3, A.6.4
  Cryptography                    | Strong — A.8.24
  HR security and access control  | Strong — A.6, A.8.1-A.8.5
  Multi-factor authentication     | Partial — A.8.5 addresses authentication but doesn't mandate MFA

Key gap: NIS2 incident reporting requires a 24-hour early warning to the CSIRT, a 72-hour incident notification, and a final report within one month. ISO 27001 requires incident management but does not prescribe specific reporting timelines.

DORA Alignment

For financial entities, ISO 27001 provides a foundation for DORA's ICT risk management requirements:

  • ICT risk management framework (DORA Articles 5-16) aligns with ISO 27001 Clauses 6-8
  • ICT-related incident management (DORA Articles 17-23) extends beyond ISO 27001's incident controls
  • Digital operational resilience testing (DORA Articles 24-27) requires more structured testing than ISO 27001's internal audit
  • ICT third-party risk management (DORA Articles 28-44) demands deeper vendor oversight than ISO 27001 A.5.19-A.5.22

GDPR Synergies

ISO 27001 supports GDPR compliance through:

  • Risk-based approach to protecting personal data
  • Access control and data classification controls
  • Incident management (supporting breach notification obligations)
  • Supplier management (supporting processor requirements under Article 28)
  • ISO 27701 (Privacy Information Management) extends ISO 27001 specifically for privacy

Common Certification Mistakes

  1. Treating certification as the goal rather than security. Organizations that build an ISMS solely to pass the audit create fragile systems. When the auditor arrives, gaps show. Build the ISMS because it makes your organization more secure, and certification follows naturally.

  2. Underestimating the risk assessment. The risk assessment drives everything — your control selection, your SoA, and your audit scope. A superficial risk assessment leads to inappropriate controls and audit findings. Invest time in a thorough, honest assessment.

  3. Ignoring internal audit requirements. Internal audits are mandatory and must be conducted by auditors independent of the areas being audited. Many organizations delay or skip internal audits, then face major non-conformities during the certification audit.

  4. Insufficient management involvement. ISO 27001 requires demonstrated management commitment — not just a policy signature. Management review meetings must be held, resourced, and documented with clear decisions and actions.

  5. Not maintaining evidence continuously. Evidence must be collected throughout the year, not assembled before the audit. Automated evidence collection through compliance platforms eliminates this problem and provides continuous audit readiness.

  6. Choosing scope that's too narrow. A narrow scope (e.g., certifying only one product while the company operates many) can damage credibility with buyers. Buyers want to see that the ISMS covers the systems that handle their data.


How Orbiq Supports ISO 27001 Certification

  • Trust Center: Publish your ISO 27001 certification status, scope, SoA summary, and security controls as a buyer-facing evidence hub
  • Continuous Monitoring: Track control effectiveness across all 93 Annex A controls and identify gaps before surveillance audits
  • Evidence Management: Automated evidence collection mapped to ISO 27001 clauses and Annex A controls for streamlined audit preparation
  • AI-Powered Questionnaires: Respond to buyer security questionnaires using evidence from your ISMS and ISO 27001 programme


This guide is maintained by the Orbiq team. Last updated: March 2026.