ISO/IEC 27001: An Auditor's Deep-Dive Guide to the Information Security Management System Standard
ISO/IEC 27001 is the world's most widely adopted international standard for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Unlike a prescriptive control catalogue, ISO 27001 is a management-system standard: it defines a governance framework built around risk, leadership commitment, measurable objectives and the Plan-Do-Check-Act (PDCA) cycle of continual improvement. Certification against ISO 27001 provides independent, accredited assurance to customers, regulators, partners and boards that an organisation manages information security in a systematic, risk-driven manner. This guide is written from the perspective of a lead auditor and QSA-grade assessor, and walks through every clause of the management system, the full Annex A control set, scoping, phased implementation, maturity scoring, the audit lifecycle, evidence expectations, roles, KPIs, common gaps and cross-framework mappings.
The current edition is ISO/IEC 27001:2022, which superseded ISO/IEC 27001:2013. The 2022 revision retained the High-Level Structure (Harmonised Structure, formerly Annex SL) used across all ISO management-system standards, made minor clarifications to Clauses 4 to 10, and — most significantly — restructured Annex A to align with ISO/IEC 27002:2022, reducing the number of controls from 114 (across 14 domains) to 93 controls grouped into four themes, and introducing 11 genuinely new controls. Organisations certified against the 2013 edition were required to transition to the 2022 edition by 31 October 2025.
What is ISO/IEC 27001?
ISO/IEC 27001 specifies the requirements for an Information Security Management System — a coordinated set of policies, processes, roles, technologies and governance mechanisms through which an organisation systematically manages risks to the confidentiality, integrity and availability (the CIA triad) of its information assets. The standard is deliberately technology-neutral and sector-agnostic: it applies equally to a two-person fintech startup and a multinational bank, because it mandates outcomes (risk-based decision-making, documented objectives, monitoring, improvement) rather than specific technical implementations.
The standard is divided into two structural parts. First, the mandatory management-system clauses — Clause 4 (Context of the organisation), Clause 5 (Leadership), Clause 6 (Planning), Clause 7 (Support), Clause 8 (Operation), Clause 9 (Performance evaluation) and Clause 10 (Improvement). These clauses are non-negotiable: every requirement in Clauses 4 to 10 must be met to achieve certification. Second, Annex A, a reference set of information security controls. Annex A controls are selected on the basis of risk assessment and risk treatment; controls may be excluded only with documented justification, and the selection is recorded in a Statement of Applicability (SoA), which is the single most scrutinised document in any ISO 27001 audit.
Certification is granted by an accredited certification body following a two-stage external audit and is valid for a three-year cycle, punctuated by annual surveillance audits and a full recertification audit at the end of the cycle. ISO 27001 sits at the head of the ISO/IEC 27000 family, which includes ISO/IEC 27002 (implementation guidance for the controls), ISO/IEC 27005 (information security risk management), ISO/IEC 27017 (cloud security), ISO/IEC 27018 (PII in public clouds) and ISO/IEC 27701 (privacy information management extension).
| Attribute | Detail |
|---|---|
| Full name | ISO/IEC 27001 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements |
| Current edition | ISO/IEC 27001:2022 (third edition, published October 2022) |
| Previous edition | ISO/IEC 27001:2013 (transition deadline 31 October 2025) |
| Issuing bodies | ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) |
| Certifiable | Yes — accredited third-party certification available |
| Certification validity | 3-year cycle with annual surveillance audits |
| Core mechanism | Risk-based ISMS operated on the Plan-Do-Check-Act cycle |
| Companion standard | ISO/IEC 27002:2022 (control implementation guidance) |
| Annex A controls | 93 controls across 4 themes (down from 114 across 14 domains in 2013) |
Who Must Comply with ISO 27001?
ISO 27001 certification is voluntary in the sense that no single global law mandates it; however, it has become a de facto commercial and regulatory expectation across a wide range of sectors. Organisations pursue certification because customers require it in procurement, regulators reference it as evidence of adequate controls, and it materially reduces the friction of security questionnaires and audits. The following table summarises the primary drivers by organisation type.
| Organisation / Sector | Why ISO 27001 applies |
|---|---|
| IT services, SaaS and cloud providers | Customers demand certification in RFPs and MSAs as a precondition to handling their data; often the single biggest sales enabler |
| Business process outsourcing (BPO / KPO) | Client contracts (especially US/EU/UK principals) contractually mandate a certified ISMS covering delivery centres |
| Financial services, fintech and banks | Regulators (RBI, DPSS, EU DORA, PRA) expect a structured ISMS; certification supports supervisory assurance and third-party risk |
| Healthcare and health-tech | Handling of sensitive personal and health data; supports HIPAA and DPDP due-diligence obligations |
| Government and public-sector suppliers | Tenders frequently list ISO 27001 as a mandatory eligibility criterion |
| Telecommunications | Critical national infrastructure obligations and interconnect partner requirements |
| Manufacturing with IP / OT exposure | Protection of trade secrets, designs and increasingly operational technology environments |
| Data centres and colocation providers | Baseline expectation for tenants and a differentiator in a competitive market |
| Any organisation handling personal data at scale | Supports demonstrable accountability under GDPR, UK GDPR, India's DPDP Act and similar laws |
| Enterprises with mature vendor-risk programmes | Certification is required of their own suppliers, cascading the requirement down the supply chain |
- Contractual mandate — the most common trigger; a named customer requires certification within a fixed window.
- Regulatory alignment — sector regulators cite ISO 27001 as evidence of appropriate technical and organisational measures.
- Competitive differentiation — certification shortens sales cycles by pre-answering security due-diligence.
- Risk reduction and board assurance — provides directors with independent evidence that information security is governed, not ad hoc.
- Insurance — cyber-insurers increasingly offer improved terms to certified organisations.
Structure of ISO/IEC 27001:2022
ISO 27001 comprises the mandatory management-system clauses (Clauses 4 to 10) plus Annex A. Clauses 0 to 3 (Introduction, Scope, Normative references, Terms and definitions) are informative and set context but contain no auditable requirements. The auditable requirements begin at Clause 4. Annex A restates, in summary form, the 93 controls detailed in ISO/IEC 27002:2022, organised under four themes: Organisational, People, Physical and Technological. The table below maps the complete structure.
| Clause / Annex | Title | What it requires |
|---|---|---|
| Clause 4 | Context of the organisation | Determine internal/external issues, interested parties and their requirements, and define the ISMS scope |
| Clause 5 | Leadership | Top-management commitment, an information security policy, and assignment of roles, responsibilities and authorities |
| Clause 6 | Planning | Risk assessment and risk treatment, the Statement of Applicability, and measurable information security objectives |
| Clause 7 | Support | Resources, competence, awareness, communication and control of documented information |
| Clause 8 | Operation | Operational planning and control, execution of risk assessments and implementation of the risk treatment plan |
| Clause 9 | Performance evaluation | Monitoring, measurement, analysis, evaluation, internal audit and management review |
| Clause 10 | Improvement | Continual improvement and the handling of nonconformities and corrective actions |
| Annex A — Theme 5 | Organisational controls | 37 controls covering policies, roles, threat intelligence, supplier and cloud security, and continuity |
| Annex A — Theme 6 | People controls | 8 controls covering screening, terms of employment, awareness, discipline and remote working |
| Annex A — Theme 7 | Physical controls | 14 controls covering physical perimeters, secure areas, equipment and media |
| Annex A — Theme 8 | Technological controls | 34 controls covering access, cryptography, secure development, logging, networks and monitoring |
Master Assessment Checklist
This is the core of the guide. It enumerates every mandatory clause requirement (Clauses 4 to 10) and every Annex A control theme, with, for each, what an auditor verifies and the typical evidence expected. Use it as a self-assessment tool before booking a Stage 1 audit. Every group is presented as an h3 with a dedicated table so that no control area is skipped.
Clause 4 — Context of the Organisation
| What to verify | Typical evidence |
|---|---|
| 4.1 Internal and external issues relevant to the ISMS are determined | Context analysis document, PESTLE/SWOT, strategy papers referencing security drivers |
| 4.2 Interested parties and their information security requirements are identified | Interested-parties register listing customers, regulators, staff, suppliers and their requirements |
| 4.3 The ISMS scope is defined, documented and considers interfaces and dependencies | Written scope statement covering locations, business units, assets, technologies and exclusions with justification |
| 4.4 The ISMS is established, implemented, maintained and continually improved | ISMS manual or master document, process maps, evidence the system operates end to end |
Clause 5 — Leadership
| What to verify | Typical evidence |
|---|---|
| 5.1 Top management demonstrates leadership and commitment to the ISMS | Meeting minutes, resourcing decisions, signed policy, management-review records showing engagement |
| 5.2 An information security policy is established, documented and communicated | Approved information security policy, version control, distribution/acknowledgement records |
| 5.3 Roles, responsibilities and authorities are assigned and communicated | RACI matrix, ISMS role descriptions, appointment of ISMS manager/CISO, org chart |
Clause 6 — Planning
| What to verify | Typical evidence |
|---|---|
| 6.1.1 Actions to address risks and opportunities are planned | Risk and opportunity register, planning records |
| 6.1.2 A defined, repeatable information security risk assessment process exists | Documented risk methodology (criteria for acceptance, likelihood/impact scales), risk assessment reports |
| 6.1.3 A risk treatment process produces a Statement of Applicability and treatment plan | SoA listing all 93 Annex A controls with applicability, justification and status; risk treatment plan; risk owner sign-off |
| 6.2 Information security objectives are measurable and planned | Objectives register with targets, owners, timelines and measurement method |
| 6.3 Changes to the ISMS are planned in a controlled manner | Change planning records, ISMS change log |
Clause 7 — Support
| What to verify | Typical evidence |
|---|---|
| 7.1 Resources needed for the ISMS are determined and provided | Budget, staffing plans, tooling procurement records |
| 7.2 Personnel are competent for their security roles | Training records, certifications, competence matrix, job descriptions |
| 7.3 Staff are aware of the policy, their contribution and consequences of nonconformity | Awareness training completion logs, induction records, awareness campaigns |
| 7.4 Internal and external communications relevant to the ISMS are planned | Communication plan (what, when, whom, how), incident-communication procedures |
| 7.5 Documented information is created, controlled and protected | Document control procedure, version history, access controls, retention schedule |
Clause 8 — Operation
| What to verify | Typical evidence |
|---|---|
| 8.1 Operational processes are planned, implemented and controlled, including outsourced processes | Operating procedures, control-of-outsourced-process records, evidence controls run as designed |
| 8.2 Information security risk assessments are performed at planned intervals and on significant change | Dated risk-assessment reports, change-triggered reassessments |
| 8.3 The risk treatment plan is implemented | Treatment-plan progress tracking, evidence controls are operational, residual-risk acceptance records |
Clause 9 — Performance Evaluation
| What to verify | Typical evidence |
|---|---|
| 9.1 The ISMS is monitored, measured, analysed and evaluated against defined metrics | Metrics dashboards, measurement reports, KPI trend analysis |
| 9.2 Internal audits are conducted at planned intervals against an audit programme | Internal audit programme, audit plans, auditor independence evidence, audit reports, findings |
| 9.3 Management reviews are held covering the mandated inputs and produce documented outputs | Management-review minutes covering status of actions, feedback, risk changes, improvement decisions |
Clause 10 — Improvement
| What to verify | Typical evidence |
|---|---|
| 10.1 The ISMS is continually improved in suitability, adequacy and effectiveness | Improvement register, trend of closed improvements, evidence of proactive enhancement |
| 10.2 Nonconformities are handled with root-cause analysis and corrective action | Corrective action reports (CARs), root-cause analysis, effectiveness verification, closure records |
Annex A.5 — Organisational Controls (37 controls)
| What to verify | Typical evidence |
|---|---|
| A.5.1 Policies for information security are defined, approved and reviewed | Policy suite, approval records, review dates |
| A.5.2–A.5.4 Security roles, segregation of duties and management responsibilities are defined | RACI, SoD matrix, role descriptions |
| A.5.5–A.5.6 Contact with authorities and special interest groups is maintained | Contact lists (CERT-In, regulators), membership records |
| A.5.7 Threat intelligence is collected and used | Threat-intel feed subscriptions, analysis reports, feed-into-risk evidence |
| A.5.8 Information security is addressed in project management | Project security checklists, security gates in project methodology |
| A.5.9–A.5.11 Asset inventory, acceptable use and return of assets are managed | Asset register, acceptable-use policy, exit checklists |
| A.5.12–A.5.14 Information is classified, labelled and transferred securely | Classification scheme, labelling standard, secure-transfer agreements |
| A.5.15–A.5.18 Access control, identity, authentication and access rights are governed | Access-control policy, joiner-mover-leaver records, access reviews |
| A.5.19–A.5.23 Supplier and cloud-service relationships are secured | Supplier security clauses, due-diligence records, cloud service agreements, SLAs |
| A.5.24–A.5.28 Incident management is planned, assessed, responded to and learned from | Incident response plan, incident log, post-incident reviews, evidence collection procedure |
| A.5.29–A.5.30 Continuity of information security and ICT readiness are ensured | BCP/DR plans, ICT continuity tests, RTO/RPO records |
| A.5.31–A.5.34 Legal, regulatory, IP, records and privacy requirements are identified and met | Legal register, IP controls, records retention schedule, privacy notices |
| A.5.35–A.5.37 Independent reviews and documented operating procedures are maintained | Independent review reports, documented procedures |
Annex A.6 — People Controls (8 controls)
| What to verify | Typical evidence |
|---|---|
| A.6.1 Background verification (screening) of candidates is performed proportionate to risk | Screening/BGV records, policy on verification depth |
| A.6.2 Terms and conditions of employment include information security responsibilities | Employment contracts, NDAs, security clauses |
| A.6.3 Information security awareness, education and training are provided | Training calendar, completion records, phishing-simulation results |
| A.6.4 A disciplinary process for security breaches exists and is applied | Disciplinary policy, sanctioned-case records (anonymised) |
| A.6.5 Responsibilities remain valid after termination or change of employment | Exit process, revocation records, post-employment obligations |
| A.6.6 Confidentiality and non-disclosure agreements are in place and reviewed | Signed NDAs, review schedule |
| A.6.7 Remote working is secured | Remote-working policy, VPN/MDM configuration, home-working risk assessment |
| A.6.8 Personnel report information security events through defined channels | Reporting procedure, event log, awareness of reporting mechanism |
Annex A.7 — Physical Controls (14 controls)
| What to verify | Typical evidence |
|---|---|
| A.7.1–A.7.2 Physical security perimeters and entry controls are defined and enforced | Site plans, access-control logs, badge system records |
| A.7.3–A.7.4 Offices, secure areas are protected and physically monitored | Secure-area procedures, CCTV/monitoring records, visitor logs |
| A.7.5–A.7.6 Protection against physical/environmental threats and working in secure areas | Environmental risk assessment, fire/flood controls, secure-area rules |
| A.7.7–A.7.8 Clear desk/clear screen and equipment siting/protection | Clear-desk policy, walkthrough audit results, equipment placement standards |
| A.7.9–A.7.10 Security of assets off-premises and storage media handling | Off-site asset register, media handling and disposal procedure |
| A.7.11–A.7.12 Supporting utilities and cabling security | UPS/generator maintenance records, cabling protection evidence |
| A.7.13–A.7.14 Equipment maintenance and secure disposal/reuse | Maintenance logs, secure-wipe/destruction certificates |
Annex A.8 — Technological Controls (34 controls)
| What to verify | Typical evidence |
|---|---|
| A.8.1–A.8.2 User endpoint devices and privileged access rights are controlled | Endpoint policy, MDM config, privileged-access-management (PAM) records |
| A.8.3–A.8.5 Information access restriction, source-code access and secure authentication | Access matrices, code-repository permissions, MFA configuration |
| A.8.6 Capacity is managed | Capacity monitoring, forecasting reports |
| A.8.7 Protection against malware is implemented | AV/EDR deployment coverage, update logs, detection reports |
| A.8.8 Technical vulnerabilities are managed | Vulnerability scan reports, patch cadence, remediation SLAs |
| A.8.9 Configuration management (including secure baselines) is enforced | Hardening baselines (CIS), configuration-drift monitoring |
| A.8.10–A.8.11 Information deletion and data masking are applied | Deletion procedures, masking configuration in non-prod environments |
| A.8.12 Data leakage prevention is deployed | DLP policy and tooling, blocked-event reports |
| A.8.13–A.8.14 Information backup and redundancy of processing facilities | Backup schedule, restore-test evidence, redundancy architecture |
| A.8.15–A.8.16 Logging and monitoring of activities | Centralised log retention, SIEM alerts, monitoring coverage |
| A.8.17 Clock synchronisation is in place | NTP configuration across systems |
| A.8.18–A.8.19 Privileged utility programs and software installation are controlled | Restricted utility access, software allow-listing |
| A.8.20–A.8.22 Network security, network services and network segregation | Firewall rulebase, network diagrams, segmentation/VLAN evidence |
| A.8.23 Web filtering is applied | Web-filter/proxy configuration, category-block reports |
| A.8.24 Cryptography is used according to a key-management policy | Crypto policy, key inventory, TLS/encryption-at-rest configuration |
| A.8.25–A.8.29 Secure development lifecycle, secure coding, security testing and separation of environments | SDLC procedure, secure-coding standard, SAST/DAST results, environment separation |
| A.8.30 Outsourced development is supervised and secured | Third-party dev security requirements, code-review evidence |
| A.8.31–A.8.34 Change management, test data protection and protection during audit testing | Change tickets, test-data-management procedure, audit-tool controls |
Scoping the ISMS
Scope definition (Clause 4.3) is the most consequential early decision in an ISO 27001 programme. The scope determines which parts of the organisation the certificate covers, and — critically — customers read the scope statement on the certificate to confirm it covers the service they are buying. A scope that is drawn too narrowly may be commercially worthless; one drawn too broadly may be unaffordable to certify and maintain. The scope must consider internal and external issues (4.1), the requirements of interested parties (4.2), and the interfaces and dependencies between activities performed by the organisation and those performed by others.
- Define scope by business services, locations, organisational units, information systems and technologies — not vaguely by 'the company'.
- State inclusions and exclusions explicitly; any Annex A control excluded must be justified in the Statement of Applicability, never in the scope statement.
- Map interfaces and dependencies — cloud providers, data centres, shared services and group functions that sit outside the boundary but affect it.
- Ensure the scope wording that will appear on the certificate matches what customers expect to see (name the service/product).
- Avoid 'scope gaming' — carving out risky functions purely to ease certification will be challenged by a competent auditor and erodes trust.
- Revisit scope at every management review and whenever the business changes materially (new product, acquisition, new region).
Implementation Approach
A first-time ISO 27001 implementation for a mid-sized organisation typically runs six to twelve months. The following phased approach mirrors the PDCA cycle and sequences activities so that each phase produces the deliverables the next depends upon.
Phase 1 — Initiation and Gap Analysis (Weeks 1–4)
Activities: secure top-management sponsorship and budget; appoint an ISMS manager and steering committee; conduct a gap analysis against Clauses 4–10 and Annex A; determine internal/external issues and interested parties; draft the initial scope. Deliverables: signed project mandate, gap-analysis report with a prioritised remediation backlog, draft scope statement, interested-parties register.
Phase 2 — Risk Assessment and Treatment (Weeks 4–10)
Activities: define the risk assessment methodology and acceptance criteria; build the asset/risk inventory; assess risks by likelihood and impact; determine risk treatment options; select Annex A controls; draft the Statement of Applicability and risk treatment plan. Deliverables: documented risk methodology, risk register with owners, risk treatment plan, first version of the SoA.
Phase 3 — Control Design and Documentation (Weeks 8–18)
Activities: write the information security policy and supporting topic-specific policies; document mandatory procedures; design and deploy technical and organisational controls identified in the treatment plan; establish document control. Deliverables: approved policy suite, documented procedures, deployed controls, control-ownership assignments.
Phase 4 — Operation and Awareness (Weeks 14–24)
Activities: operate the ISMS in production; deliver awareness and role-based training; run incident-management, access-review and change processes; begin collecting records and metrics. Deliverables: training records, operating evidence, populated metrics dashboards, incident log.
Phase 5 — Internal Audit and Management Review (Weeks 22–28)
Activities: conduct an independent internal audit across all clauses and applicable controls; log nonconformities and corrective actions; hold the first formal management review. Deliverables: internal audit report, corrective action records, management-review minutes with improvement decisions.
Phase 6 — Certification Audit (Weeks 26–36)
Activities: engage an accredited certification body; undergo the Stage 1 (documentation readiness) audit; remediate Stage 1 findings; undergo the Stage 2 (implementation effectiveness) audit; close any nonconformities. Deliverables: Stage 1 report, Stage 2 report, closure evidence, ISO 27001 certificate.
Maturity / Capability Scoring Model
While ISO 27001 certification is binary (conformant or not), organisations benefit from scoring the maturity of each control area to prioritise investment and demonstrate improvement over time. A five-level capability model adapted from CMMI is widely used in ISO 27001 programmes.
| Level | Name | Description | Indicative characteristics |
|---|---|---|---|
| 0 | Non-existent | No control or process in place | Ad hoc, undocumented, reactive; the requirement is not addressed at all |
| 1 | Initial / Ad hoc | Control exists informally, inconsistently applied | Depends on individuals; no documentation; unpredictable outcomes |
| 2 | Repeatable | Control is documented but applied inconsistently across the scope | Basic procedures exist; some records; gaps between sites or teams |
| 3 | Defined | Control is standardised, documented and consistently implemented | Organisation-wide procedures, defined ownership, routine records — the minimum for certification |
| 4 | Managed | Control is measured and monitored with quantitative metrics | KPIs and thresholds; performance trended; deviations trigger action |
| 5 | Optimised | Control is continually improved based on measurement and feedback | Proactive tuning, automation, benchmarking; feeds continual improvement |
For certification, most controls should reach at least Level 3 (Defined). Levels 4 and 5 signal a mature ISMS and align with the Clause 9 (measurement) and Clause 10 (continual improvement) requirements that auditors increasingly probe.
Assessment and Audit Approach
The ISO 27001 certification audit follows a defined lifecycle. Internal audits (Clause 9.2) precede external certification and use the same techniques. The steps below describe an end-to-end assessment engagement.
- Confirm scope, objectives and criteria — agree the ISMS boundary, the applicable edition (2022) and the audit standard (ISO 19011 / ISO 17021).
- Stage 1 audit (documentation review) — the certification body reviews the ISMS documentation, scope, SoA, risk assessment and readiness, and identifies areas of concern for Stage 2.
- Remediate Stage 1 findings — close documentation gaps and confirm the ISMS is ready for effectiveness testing.
- Stage 2 audit (implementation and effectiveness) — auditors sample evidence, interview staff, walk through processes and test whether controls operate as documented across the scope.
- Classify findings — record major nonconformities (systemic failures), minor nonconformities (isolated lapses) and opportunities for improvement.
- Corrective action — the organisation performs root-cause analysis and submits corrective action plans; major nonconformities must be closed before certification.
- Certification decision — an independent reviewer at the certification body grants the certificate (valid three years) once nonconformities are resolved.
- Surveillance audits — conducted at least annually to confirm the ISMS continues to operate and improve.
- Recertification audit — a full reassessment at the end of the three-year cycle to renew the certificate.
Evidence Request List
Auditors sample evidence across the following categories. Preparing a well-organised evidence library dramatically shortens the audit and reduces the risk of nonconformities.
Governance and management-system evidence
- ISMS scope statement and context/interested-parties analysis
- Information security policy and topic-specific policies with approval and review records
- Statement of Applicability (all 93 controls with applicability and justification)
- Risk assessment methodology, risk register and risk treatment plan
- Information security objectives with measurement evidence
- Management-review minutes and internal audit reports
People and awareness evidence
- Background verification / screening records
- Employment contracts, NDAs and security clauses
- Awareness training records and phishing-simulation results
- Joiner-mover-leaver and access-revocation records
- Disciplinary process documentation
Operational and technical evidence
- Asset inventory and information classification records
- Access-control matrices and periodic access-review evidence
- Vulnerability scan and penetration test reports with remediation tracking
- Patch and configuration/hardening records
- Backup schedules and restore-test evidence
- SIEM/log retention and monitoring evidence
- Change management and incident-management records
- Cryptography/key-management configuration
Third-party, physical and continuity evidence
- Supplier security clauses, due-diligence and cloud-service agreements
- Physical access logs, CCTV and visitor records
- Media handling and secure-disposal certificates
- Business continuity and disaster recovery plans with test results
Roles and Responsibilities
| Role | ISMS responsibility |
|---|---|
| Top management / Board | Provide leadership and resources, approve the policy and risk acceptance criteria, own accountability for the ISMS |
| ISMS Manager / CISO | Own day-to-day operation of the ISMS, maintain the SoA and risk register, coordinate audits and improvement |
| Risk owners | Accept residual risk, ensure treatment actions are implemented for risks they own |
| Control owners | Implement and operate assigned Annex A controls and maintain the associated records |
| Internal auditors | Independently audit the ISMS against Clauses 4–10 and applicable controls, report findings |
| Asset owners | Classify information assets and ensure appropriate protection |
| HR | Deliver screening, contracts, NDAs, awareness training and the disciplinary process |
| IT / Security operations | Operate technical controls — access, patching, monitoring, backup, cryptography |
| Line managers and all staff | Comply with policies, complete training, report security events promptly |
| Certification body (external) | Conduct Stage 1/2 and surveillance audits and grant/renew certification |
KPIs to Track
- Percentage of Annex A applicable controls implemented and at Level 3+ maturity
- Number of open nonconformities and mean time to closure
- Percentage of staff completing security awareness training on schedule
- Phishing-simulation click and report rates over time
- Mean time to detect (MTTD) and mean time to respond (MTTR) to incidents
- Number of security incidents by severity and trend
- Percentage of critical/high vulnerabilities remediated within SLA
- Patch compliance rate across in-scope systems
- Percentage of access reviews completed on schedule
- Backup restore-test success rate
- Percentage of suppliers with completed security due-diligence
- Number of overdue risk-treatment actions
- Internal audit coverage against the audit programme
- Number of management reviews held versus planned
Readiness Checklist
- Top-management sponsorship and ISMS budget are secured and documented
- ISMS scope is defined, documented and aligned to customer expectations
- Internal/external issues and interested parties are identified and recorded
- Information security policy is approved, communicated and acknowledged
- Risk assessment methodology is defined with acceptance criteria
- Risk register is populated with owners and treatment decisions
- Statement of Applicability covers all 93 controls with justification
- Risk treatment plan is being executed and tracked
- All applicable Annex A controls are implemented and operating
- Measurable information security objectives are set and being measured
- Awareness training is delivered and completion is recorded
- Documented information is version-controlled and access-restricted
- Incident-management process is defined and an incident log exists
- Business continuity and DR plans exist and have been tested
- At least one full internal audit has been completed with findings closed
- At least one management review has been held with documented outputs
- Corrective action process is operating with root-cause analysis
- An accredited certification body has been selected and Stage 1 booked
Common Gaps
- Statement of Applicability out of sync with the risk assessment or listing controls as implemented when they are not.
- Risk assessment treated as a one-off spreadsheet exercise rather than a living, repeatable process reviewed on change.
- Scope drawn too narrowly to be commercially credible, or exclusions justified in the scope rather than the SoA.
- Information security objectives that are vague and unmeasurable, failing Clause 6.2.
- Management review held as a tick-box meeting without the mandated inputs or documented improvement decisions.
- Internal audit performed by someone lacking independence from the area audited.
- Awareness training delivered once at induction but never refreshed, with no completion tracking.
- The 2022 new controls (threat intelligence, cloud security, DLP, secure coding, configuration management) implemented on paper only.
- Supplier security clauses absent from contracts, with no due-diligence evidence for critical vendors.
- Access reviews not performed regularly, leaving orphaned and over-privileged accounts.
- Backups scheduled but restores never tested, so recoverability is unproven.
- Nonconformities closed without genuine root-cause analysis, so the same issues recur.
- Documentation that describes an idealised ISMS the organisation does not actually operate — the classic paper-vs-practice gap.
ISO 27001 Mapped to Other Frameworks
ISO 27001 is frequently operated alongside other frameworks. A single control environment can satisfy multiple requirements when mappings are understood. The table below shows indicative alignment; it is a planning aid, not a substitute for a formal crosswalk.
| Framework | Relationship to ISO 27001 | Notes |
|---|---|---|
| ISO/IEC 27002:2022 | Direct — implementation guidance for Annex A | 27002 details how to implement each of the 93 controls |
| ISO/IEC 27701 | Extension for privacy (PIMS) | Adds privacy controls; certifiable as an extension to a 27001 ISMS |
| SOC 2 (AICPA TSC) | Strong overlap on security/availability/confidentiality | Many controls satisfy both; SOC 2 is attestation, ISO 27001 is certification |
| NIST Cybersecurity Framework 2.0 | Complementary | NIST CSF functions (Govern, Identify, Protect, Detect, Respond, Recover) map to ISO clauses and controls |
| NIST SP 800-53 | Control-catalogue overlap | 800-53 is more prescriptive; useful for US federal alignment |
| PCI DSS v4.0 | Partial overlap on technical controls | PCI DSS is prescriptive and cardholder-data specific; ISO 27001 provides the governance wrapper |
| GDPR / UK GDPR | Supports Article 32 (security of processing) | ISO 27001 evidences appropriate technical and organisational measures |
| India DPDP Act 2023 | Supports 'reasonable security safeguards' | ISO 27001 (with 27701) demonstrates accountability for personal data |
| CIS Critical Security Controls v8 | Technical control mapping | CIS Controls implement many Annex A.8 technological controls |
| HIPAA Security Rule | Overlap on safeguards | ISO 27001 controls map to administrative, physical and technical safeguards |
| DORA (EU) | Supports ICT risk management requirements | ISO 27001 ISMS underpins DORA ICT governance for financial entities |
Frequently asked questions
Need help with ISO 27001?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
