We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / ISO 27001
ISO / IEC · Global

ISO/IEC 27001

The international standard for an Information Security Management System (ISMS).

ISO/IEC 27001: An Auditor's Deep-Dive Guide to the Information Security Management System Standard

ISO/IEC 27001 is the world's most widely adopted international standard for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Unlike a prescriptive control catalogue, ISO 27001 is a management-system standard: it defines a governance framework built around risk, leadership commitment, measurable objectives and the Plan-Do-Check-Act (PDCA) cycle of continual improvement. Certification against ISO 27001 provides independent, accredited assurance to customers, regulators, partners and boards that an organisation manages information security in a systematic, risk-driven manner. This guide is written from the perspective of a lead auditor and QSA-grade assessor, and walks through every clause of the management system, the full Annex A control set, scoping, phased implementation, maturity scoring, the audit lifecycle, evidence expectations, roles, KPIs, common gaps and cross-framework mappings.

The current edition is ISO/IEC 27001:2022, which superseded ISO/IEC 27001:2013. The 2022 revision retained the High-Level Structure (Harmonised Structure, formerly Annex SL) used across all ISO management-system standards, made minor clarifications to Clauses 4 to 10, and — most significantly — restructured Annex A to align with ISO/IEC 27002:2022, reducing the number of controls from 114 (across 14 domains) to 93 controls grouped into four themes, and introducing 11 genuinely new controls. Organisations certified against the 2013 edition were required to transition to the 2022 edition by 31 October 2025.

Copyright and licensing note
ISO/IEC 27001 and ISO/IEC 27002 are copyrighted works owned by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The full normative text — including exact clause wording and control statements — must be purchased from ISO, IEC or an authorised national standards body (for example BIS in India, BSI in the UK). This guide paraphrases requirements in original language for educational purposes and does NOT reproduce copyrighted standard text. Always obtain the licensed standard for authoritative wording before designing your ISMS or conducting a certification audit.

What is ISO/IEC 27001?

ISO/IEC 27001 specifies the requirements for an Information Security Management System — a coordinated set of policies, processes, roles, technologies and governance mechanisms through which an organisation systematically manages risks to the confidentiality, integrity and availability (the CIA triad) of its information assets. The standard is deliberately technology-neutral and sector-agnostic: it applies equally to a two-person fintech startup and a multinational bank, because it mandates outcomes (risk-based decision-making, documented objectives, monitoring, improvement) rather than specific technical implementations.

The standard is divided into two structural parts. First, the mandatory management-system clauses — Clause 4 (Context of the organisation), Clause 5 (Leadership), Clause 6 (Planning), Clause 7 (Support), Clause 8 (Operation), Clause 9 (Performance evaluation) and Clause 10 (Improvement). These clauses are non-negotiable: every requirement in Clauses 4 to 10 must be met to achieve certification. Second, Annex A, a reference set of information security controls. Annex A controls are selected on the basis of risk assessment and risk treatment; controls may be excluded only with documented justification, and the selection is recorded in a Statement of Applicability (SoA), which is the single most scrutinised document in any ISO 27001 audit.

Certification is granted by an accredited certification body following a two-stage external audit and is valid for a three-year cycle, punctuated by annual surveillance audits and a full recertification audit at the end of the cycle. ISO 27001 sits at the head of the ISO/IEC 27000 family, which includes ISO/IEC 27002 (implementation guidance for the controls), ISO/IEC 27005 (information security risk management), ISO/IEC 27017 (cloud security), ISO/IEC 27018 (PII in public clouds) and ISO/IEC 27701 (privacy information management extension).

AttributeDetail
Full nameISO/IEC 27001 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements
Current editionISO/IEC 27001:2022 (third edition, published October 2022)
Previous editionISO/IEC 27001:2013 (transition deadline 31 October 2025)
Issuing bodiesISO (International Organization for Standardization) and IEC (International Electrotechnical Commission)
CertifiableYes — accredited third-party certification available
Certification validity3-year cycle with annual surveillance audits
Core mechanismRisk-based ISMS operated on the Plan-Do-Check-Act cycle
Companion standardISO/IEC 27002:2022 (control implementation guidance)
Annex A controls93 controls across 4 themes (down from 114 across 14 domains in 2013)

Who Must Comply with ISO 27001?

ISO 27001 certification is voluntary in the sense that no single global law mandates it; however, it has become a de facto commercial and regulatory expectation across a wide range of sectors. Organisations pursue certification because customers require it in procurement, regulators reference it as evidence of adequate controls, and it materially reduces the friction of security questionnaires and audits. The following table summarises the primary drivers by organisation type.

Organisation / SectorWhy ISO 27001 applies
IT services, SaaS and cloud providersCustomers demand certification in RFPs and MSAs as a precondition to handling their data; often the single biggest sales enabler
Business process outsourcing (BPO / KPO)Client contracts (especially US/EU/UK principals) contractually mandate a certified ISMS covering delivery centres
Financial services, fintech and banksRegulators (RBI, DPSS, EU DORA, PRA) expect a structured ISMS; certification supports supervisory assurance and third-party risk
Healthcare and health-techHandling of sensitive personal and health data; supports HIPAA and DPDP due-diligence obligations
Government and public-sector suppliersTenders frequently list ISO 27001 as a mandatory eligibility criterion
TelecommunicationsCritical national infrastructure obligations and interconnect partner requirements
Manufacturing with IP / OT exposureProtection of trade secrets, designs and increasingly operational technology environments
Data centres and colocation providersBaseline expectation for tenants and a differentiator in a competitive market
Any organisation handling personal data at scaleSupports demonstrable accountability under GDPR, UK GDPR, India's DPDP Act and similar laws
Enterprises with mature vendor-risk programmesCertification is required of their own suppliers, cascading the requirement down the supply chain
  • Contractual mandate — the most common trigger; a named customer requires certification within a fixed window.
  • Regulatory alignment — sector regulators cite ISO 27001 as evidence of appropriate technical and organisational measures.
  • Competitive differentiation — certification shortens sales cycles by pre-answering security due-diligence.
  • Risk reduction and board assurance — provides directors with independent evidence that information security is governed, not ad hoc.
  • Insurance — cyber-insurers increasingly offer improved terms to certified organisations.

Structure of ISO/IEC 27001:2022

ISO 27001 comprises the mandatory management-system clauses (Clauses 4 to 10) plus Annex A. Clauses 0 to 3 (Introduction, Scope, Normative references, Terms and definitions) are informative and set context but contain no auditable requirements. The auditable requirements begin at Clause 4. Annex A restates, in summary form, the 93 controls detailed in ISO/IEC 27002:2022, organised under four themes: Organisational, People, Physical and Technological. The table below maps the complete structure.

Clause / AnnexTitleWhat it requires
Clause 4Context of the organisationDetermine internal/external issues, interested parties and their requirements, and define the ISMS scope
Clause 5LeadershipTop-management commitment, an information security policy, and assignment of roles, responsibilities and authorities
Clause 6PlanningRisk assessment and risk treatment, the Statement of Applicability, and measurable information security objectives
Clause 7SupportResources, competence, awareness, communication and control of documented information
Clause 8OperationOperational planning and control, execution of risk assessments and implementation of the risk treatment plan
Clause 9Performance evaluationMonitoring, measurement, analysis, evaluation, internal audit and management review
Clause 10ImprovementContinual improvement and the handling of nonconformities and corrective actions
Annex A — Theme 5Organisational controls37 controls covering policies, roles, threat intelligence, supplier and cloud security, and continuity
Annex A — Theme 6People controls8 controls covering screening, terms of employment, awareness, discipline and remote working
Annex A — Theme 7Physical controls14 controls covering physical perimeters, secure areas, equipment and media
Annex A — Theme 8Technological controls34 controls covering access, cryptography, secure development, logging, networks and monitoring
The 11 new controls in the 2022 edition
ISO/IEC 27001:2022 introduced eleven controls not present in 2013: A.5.7 Threat intelligence; A.5.23 Information security for use of cloud services; A.5.30 ICT readiness for business continuity; A.7.4 Physical security monitoring; A.8.9 Configuration management; A.8.10 Information deletion; A.8.11 Data masking; A.8.12 Data leakage prevention; A.8.16 Monitoring activities; A.8.23 Web filtering; and A.8.28 Secure coding. Auditors pay particular attention to these during transition and initial certification audits.

Master Assessment Checklist

This is the core of the guide. It enumerates every mandatory clause requirement (Clauses 4 to 10) and every Annex A control theme, with, for each, what an auditor verifies and the typical evidence expected. Use it as a self-assessment tool before booking a Stage 1 audit. Every group is presented as an h3 with a dedicated table so that no control area is skipped.

Clause 4 — Context of the Organisation

What to verifyTypical evidence
4.1 Internal and external issues relevant to the ISMS are determinedContext analysis document, PESTLE/SWOT, strategy papers referencing security drivers
4.2 Interested parties and their information security requirements are identifiedInterested-parties register listing customers, regulators, staff, suppliers and their requirements
4.3 The ISMS scope is defined, documented and considers interfaces and dependenciesWritten scope statement covering locations, business units, assets, technologies and exclusions with justification
4.4 The ISMS is established, implemented, maintained and continually improvedISMS manual or master document, process maps, evidence the system operates end to end

Clause 5 — Leadership

What to verifyTypical evidence
5.1 Top management demonstrates leadership and commitment to the ISMSMeeting minutes, resourcing decisions, signed policy, management-review records showing engagement
5.2 An information security policy is established, documented and communicatedApproved information security policy, version control, distribution/acknowledgement records
5.3 Roles, responsibilities and authorities are assigned and communicatedRACI matrix, ISMS role descriptions, appointment of ISMS manager/CISO, org chart

Clause 6 — Planning

What to verifyTypical evidence
6.1.1 Actions to address risks and opportunities are plannedRisk and opportunity register, planning records
6.1.2 A defined, repeatable information security risk assessment process existsDocumented risk methodology (criteria for acceptance, likelihood/impact scales), risk assessment reports
6.1.3 A risk treatment process produces a Statement of Applicability and treatment planSoA listing all 93 Annex A controls with applicability, justification and status; risk treatment plan; risk owner sign-off
6.2 Information security objectives are measurable and plannedObjectives register with targets, owners, timelines and measurement method
6.3 Changes to the ISMS are planned in a controlled mannerChange planning records, ISMS change log

Clause 7 — Support

What to verifyTypical evidence
7.1 Resources needed for the ISMS are determined and providedBudget, staffing plans, tooling procurement records
7.2 Personnel are competent for their security rolesTraining records, certifications, competence matrix, job descriptions
7.3 Staff are aware of the policy, their contribution and consequences of nonconformityAwareness training completion logs, induction records, awareness campaigns
7.4 Internal and external communications relevant to the ISMS are plannedCommunication plan (what, when, whom, how), incident-communication procedures
7.5 Documented information is created, controlled and protectedDocument control procedure, version history, access controls, retention schedule

Clause 8 — Operation

What to verifyTypical evidence
8.1 Operational processes are planned, implemented and controlled, including outsourced processesOperating procedures, control-of-outsourced-process records, evidence controls run as designed
8.2 Information security risk assessments are performed at planned intervals and on significant changeDated risk-assessment reports, change-triggered reassessments
8.3 The risk treatment plan is implementedTreatment-plan progress tracking, evidence controls are operational, residual-risk acceptance records

Clause 9 — Performance Evaluation

What to verifyTypical evidence
9.1 The ISMS is monitored, measured, analysed and evaluated against defined metricsMetrics dashboards, measurement reports, KPI trend analysis
9.2 Internal audits are conducted at planned intervals against an audit programmeInternal audit programme, audit plans, auditor independence evidence, audit reports, findings
9.3 Management reviews are held covering the mandated inputs and produce documented outputsManagement-review minutes covering status of actions, feedback, risk changes, improvement decisions

Clause 10 — Improvement

What to verifyTypical evidence
10.1 The ISMS is continually improved in suitability, adequacy and effectivenessImprovement register, trend of closed improvements, evidence of proactive enhancement
10.2 Nonconformities are handled with root-cause analysis and corrective actionCorrective action reports (CARs), root-cause analysis, effectiveness verification, closure records

Annex A.5 — Organisational Controls (37 controls)

What to verifyTypical evidence
A.5.1 Policies for information security are defined, approved and reviewedPolicy suite, approval records, review dates
A.5.2–A.5.4 Security roles, segregation of duties and management responsibilities are definedRACI, SoD matrix, role descriptions
A.5.5–A.5.6 Contact with authorities and special interest groups is maintainedContact lists (CERT-In, regulators), membership records
A.5.7 Threat intelligence is collected and usedThreat-intel feed subscriptions, analysis reports, feed-into-risk evidence
A.5.8 Information security is addressed in project managementProject security checklists, security gates in project methodology
A.5.9–A.5.11 Asset inventory, acceptable use and return of assets are managedAsset register, acceptable-use policy, exit checklists
A.5.12–A.5.14 Information is classified, labelled and transferred securelyClassification scheme, labelling standard, secure-transfer agreements
A.5.15–A.5.18 Access control, identity, authentication and access rights are governedAccess-control policy, joiner-mover-leaver records, access reviews
A.5.19–A.5.23 Supplier and cloud-service relationships are securedSupplier security clauses, due-diligence records, cloud service agreements, SLAs
A.5.24–A.5.28 Incident management is planned, assessed, responded to and learned fromIncident response plan, incident log, post-incident reviews, evidence collection procedure
A.5.29–A.5.30 Continuity of information security and ICT readiness are ensuredBCP/DR plans, ICT continuity tests, RTO/RPO records
A.5.31–A.5.34 Legal, regulatory, IP, records and privacy requirements are identified and metLegal register, IP controls, records retention schedule, privacy notices
A.5.35–A.5.37 Independent reviews and documented operating procedures are maintainedIndependent review reports, documented procedures

Annex A.6 — People Controls (8 controls)

What to verifyTypical evidence
A.6.1 Background verification (screening) of candidates is performed proportionate to riskScreening/BGV records, policy on verification depth
A.6.2 Terms and conditions of employment include information security responsibilitiesEmployment contracts, NDAs, security clauses
A.6.3 Information security awareness, education and training are providedTraining calendar, completion records, phishing-simulation results
A.6.4 A disciplinary process for security breaches exists and is appliedDisciplinary policy, sanctioned-case records (anonymised)
A.6.5 Responsibilities remain valid after termination or change of employmentExit process, revocation records, post-employment obligations
A.6.6 Confidentiality and non-disclosure agreements are in place and reviewedSigned NDAs, review schedule
A.6.7 Remote working is securedRemote-working policy, VPN/MDM configuration, home-working risk assessment
A.6.8 Personnel report information security events through defined channelsReporting procedure, event log, awareness of reporting mechanism

Annex A.7 — Physical Controls (14 controls)

What to verifyTypical evidence
A.7.1–A.7.2 Physical security perimeters and entry controls are defined and enforcedSite plans, access-control logs, badge system records
A.7.3–A.7.4 Offices, secure areas are protected and physically monitoredSecure-area procedures, CCTV/monitoring records, visitor logs
A.7.5–A.7.6 Protection against physical/environmental threats and working in secure areasEnvironmental risk assessment, fire/flood controls, secure-area rules
A.7.7–A.7.8 Clear desk/clear screen and equipment siting/protectionClear-desk policy, walkthrough audit results, equipment placement standards
A.7.9–A.7.10 Security of assets off-premises and storage media handlingOff-site asset register, media handling and disposal procedure
A.7.11–A.7.12 Supporting utilities and cabling securityUPS/generator maintenance records, cabling protection evidence
A.7.13–A.7.14 Equipment maintenance and secure disposal/reuseMaintenance logs, secure-wipe/destruction certificates

Annex A.8 — Technological Controls (34 controls)

What to verifyTypical evidence
A.8.1–A.8.2 User endpoint devices and privileged access rights are controlledEndpoint policy, MDM config, privileged-access-management (PAM) records
A.8.3–A.8.5 Information access restriction, source-code access and secure authenticationAccess matrices, code-repository permissions, MFA configuration
A.8.6 Capacity is managedCapacity monitoring, forecasting reports
A.8.7 Protection against malware is implementedAV/EDR deployment coverage, update logs, detection reports
A.8.8 Technical vulnerabilities are managedVulnerability scan reports, patch cadence, remediation SLAs
A.8.9 Configuration management (including secure baselines) is enforcedHardening baselines (CIS), configuration-drift monitoring
A.8.10–A.8.11 Information deletion and data masking are appliedDeletion procedures, masking configuration in non-prod environments
A.8.12 Data leakage prevention is deployedDLP policy and tooling, blocked-event reports
A.8.13–A.8.14 Information backup and redundancy of processing facilitiesBackup schedule, restore-test evidence, redundancy architecture
A.8.15–A.8.16 Logging and monitoring of activitiesCentralised log retention, SIEM alerts, monitoring coverage
A.8.17 Clock synchronisation is in placeNTP configuration across systems
A.8.18–A.8.19 Privileged utility programs and software installation are controlledRestricted utility access, software allow-listing
A.8.20–A.8.22 Network security, network services and network segregationFirewall rulebase, network diagrams, segmentation/VLAN evidence
A.8.23 Web filtering is appliedWeb-filter/proxy configuration, category-block reports
A.8.24 Cryptography is used according to a key-management policyCrypto policy, key inventory, TLS/encryption-at-rest configuration
A.8.25–A.8.29 Secure development lifecycle, secure coding, security testing and separation of environmentsSDLC procedure, secure-coding standard, SAST/DAST results, environment separation
A.8.30 Outsourced development is supervised and securedThird-party dev security requirements, code-review evidence
A.8.31–A.8.34 Change management, test data protection and protection during audit testingChange tickets, test-data-management procedure, audit-tool controls

Scoping the ISMS

Scope definition (Clause 4.3) is the most consequential early decision in an ISO 27001 programme. The scope determines which parts of the organisation the certificate covers, and — critically — customers read the scope statement on the certificate to confirm it covers the service they are buying. A scope that is drawn too narrowly may be commercially worthless; one drawn too broadly may be unaffordable to certify and maintain. The scope must consider internal and external issues (4.1), the requirements of interested parties (4.2), and the interfaces and dependencies between activities performed by the organisation and those performed by others.

  • Define scope by business services, locations, organisational units, information systems and technologies — not vaguely by 'the company'.
  • State inclusions and exclusions explicitly; any Annex A control excluded must be justified in the Statement of Applicability, never in the scope statement.
  • Map interfaces and dependencies — cloud providers, data centres, shared services and group functions that sit outside the boundary but affect it.
  • Ensure the scope wording that will appear on the certificate matches what customers expect to see (name the service/product).
  • Avoid 'scope gaming' — carving out risky functions purely to ease certification will be challenged by a competent auditor and erodes trust.
  • Revisit scope at every management review and whenever the business changes materially (new product, acquisition, new region).

Implementation Approach

A first-time ISO 27001 implementation for a mid-sized organisation typically runs six to twelve months. The following phased approach mirrors the PDCA cycle and sequences activities so that each phase produces the deliverables the next depends upon.

Phase 1 — Initiation and Gap Analysis (Weeks 1–4)

Activities: secure top-management sponsorship and budget; appoint an ISMS manager and steering committee; conduct a gap analysis against Clauses 4–10 and Annex A; determine internal/external issues and interested parties; draft the initial scope. Deliverables: signed project mandate, gap-analysis report with a prioritised remediation backlog, draft scope statement, interested-parties register.

Phase 2 — Risk Assessment and Treatment (Weeks 4–10)

Activities: define the risk assessment methodology and acceptance criteria; build the asset/risk inventory; assess risks by likelihood and impact; determine risk treatment options; select Annex A controls; draft the Statement of Applicability and risk treatment plan. Deliverables: documented risk methodology, risk register with owners, risk treatment plan, first version of the SoA.

Phase 3 — Control Design and Documentation (Weeks 8–18)

Activities: write the information security policy and supporting topic-specific policies; document mandatory procedures; design and deploy technical and organisational controls identified in the treatment plan; establish document control. Deliverables: approved policy suite, documented procedures, deployed controls, control-ownership assignments.

Phase 4 — Operation and Awareness (Weeks 14–24)

Activities: operate the ISMS in production; deliver awareness and role-based training; run incident-management, access-review and change processes; begin collecting records and metrics. Deliverables: training records, operating evidence, populated metrics dashboards, incident log.

Phase 5 — Internal Audit and Management Review (Weeks 22–28)

Activities: conduct an independent internal audit across all clauses and applicable controls; log nonconformities and corrective actions; hold the first formal management review. Deliverables: internal audit report, corrective action records, management-review minutes with improvement decisions.

Phase 6 — Certification Audit (Weeks 26–36)

Activities: engage an accredited certification body; undergo the Stage 1 (documentation readiness) audit; remediate Stage 1 findings; undergo the Stage 2 (implementation effectiveness) audit; close any nonconformities. Deliverables: Stage 1 report, Stage 2 report, closure evidence, ISO 27001 certificate.

Maturity / Capability Scoring Model

While ISO 27001 certification is binary (conformant or not), organisations benefit from scoring the maturity of each control area to prioritise investment and demonstrate improvement over time. A five-level capability model adapted from CMMI is widely used in ISO 27001 programmes.

LevelNameDescriptionIndicative characteristics
0Non-existentNo control or process in placeAd hoc, undocumented, reactive; the requirement is not addressed at all
1Initial / Ad hocControl exists informally, inconsistently appliedDepends on individuals; no documentation; unpredictable outcomes
2RepeatableControl is documented but applied inconsistently across the scopeBasic procedures exist; some records; gaps between sites or teams
3DefinedControl is standardised, documented and consistently implementedOrganisation-wide procedures, defined ownership, routine records — the minimum for certification
4ManagedControl is measured and monitored with quantitative metricsKPIs and thresholds; performance trended; deviations trigger action
5OptimisedControl is continually improved based on measurement and feedbackProactive tuning, automation, benchmarking; feeds continual improvement

For certification, most controls should reach at least Level 3 (Defined). Levels 4 and 5 signal a mature ISMS and align with the Clause 9 (measurement) and Clause 10 (continual improvement) requirements that auditors increasingly probe.

Assessment and Audit Approach

The ISO 27001 certification audit follows a defined lifecycle. Internal audits (Clause 9.2) precede external certification and use the same techniques. The steps below describe an end-to-end assessment engagement.

  1. Confirm scope, objectives and criteria — agree the ISMS boundary, the applicable edition (2022) and the audit standard (ISO 19011 / ISO 17021).
  2. Stage 1 audit (documentation review) — the certification body reviews the ISMS documentation, scope, SoA, risk assessment and readiness, and identifies areas of concern for Stage 2.
  3. Remediate Stage 1 findings — close documentation gaps and confirm the ISMS is ready for effectiveness testing.
  4. Stage 2 audit (implementation and effectiveness) — auditors sample evidence, interview staff, walk through processes and test whether controls operate as documented across the scope.
  5. Classify findings — record major nonconformities (systemic failures), minor nonconformities (isolated lapses) and opportunities for improvement.
  6. Corrective action — the organisation performs root-cause analysis and submits corrective action plans; major nonconformities must be closed before certification.
  7. Certification decision — an independent reviewer at the certification body grants the certificate (valid three years) once nonconformities are resolved.
  8. Surveillance audits — conducted at least annually to confirm the ISMS continues to operate and improve.
  9. Recertification audit — a full reassessment at the end of the three-year cycle to renew the certificate.

Evidence Request List

Auditors sample evidence across the following categories. Preparing a well-organised evidence library dramatically shortens the audit and reduces the risk of nonconformities.

Governance and management-system evidence

  • ISMS scope statement and context/interested-parties analysis
  • Information security policy and topic-specific policies with approval and review records
  • Statement of Applicability (all 93 controls with applicability and justification)
  • Risk assessment methodology, risk register and risk treatment plan
  • Information security objectives with measurement evidence
  • Management-review minutes and internal audit reports

People and awareness evidence

  • Background verification / screening records
  • Employment contracts, NDAs and security clauses
  • Awareness training records and phishing-simulation results
  • Joiner-mover-leaver and access-revocation records
  • Disciplinary process documentation

Operational and technical evidence

  • Asset inventory and information classification records
  • Access-control matrices and periodic access-review evidence
  • Vulnerability scan and penetration test reports with remediation tracking
  • Patch and configuration/hardening records
  • Backup schedules and restore-test evidence
  • SIEM/log retention and monitoring evidence
  • Change management and incident-management records
  • Cryptography/key-management configuration

Third-party, physical and continuity evidence

  • Supplier security clauses, due-diligence and cloud-service agreements
  • Physical access logs, CCTV and visitor records
  • Media handling and secure-disposal certificates
  • Business continuity and disaster recovery plans with test results

Roles and Responsibilities

RoleISMS responsibility
Top management / BoardProvide leadership and resources, approve the policy and risk acceptance criteria, own accountability for the ISMS
ISMS Manager / CISOOwn day-to-day operation of the ISMS, maintain the SoA and risk register, coordinate audits and improvement
Risk ownersAccept residual risk, ensure treatment actions are implemented for risks they own
Control ownersImplement and operate assigned Annex A controls and maintain the associated records
Internal auditorsIndependently audit the ISMS against Clauses 4–10 and applicable controls, report findings
Asset ownersClassify information assets and ensure appropriate protection
HRDeliver screening, contracts, NDAs, awareness training and the disciplinary process
IT / Security operationsOperate technical controls — access, patching, monitoring, backup, cryptography
Line managers and all staffComply with policies, complete training, report security events promptly
Certification body (external)Conduct Stage 1/2 and surveillance audits and grant/renew certification

KPIs to Track

  • Percentage of Annex A applicable controls implemented and at Level 3+ maturity
  • Number of open nonconformities and mean time to closure
  • Percentage of staff completing security awareness training on schedule
  • Phishing-simulation click and report rates over time
  • Mean time to detect (MTTD) and mean time to respond (MTTR) to incidents
  • Number of security incidents by severity and trend
  • Percentage of critical/high vulnerabilities remediated within SLA
  • Patch compliance rate across in-scope systems
  • Percentage of access reviews completed on schedule
  • Backup restore-test success rate
  • Percentage of suppliers with completed security due-diligence
  • Number of overdue risk-treatment actions
  • Internal audit coverage against the audit programme
  • Number of management reviews held versus planned

Readiness Checklist

  • Top-management sponsorship and ISMS budget are secured and documented
  • ISMS scope is defined, documented and aligned to customer expectations
  • Internal/external issues and interested parties are identified and recorded
  • Information security policy is approved, communicated and acknowledged
  • Risk assessment methodology is defined with acceptance criteria
  • Risk register is populated with owners and treatment decisions
  • Statement of Applicability covers all 93 controls with justification
  • Risk treatment plan is being executed and tracked
  • All applicable Annex A controls are implemented and operating
  • Measurable information security objectives are set and being measured
  • Awareness training is delivered and completion is recorded
  • Documented information is version-controlled and access-restricted
  • Incident-management process is defined and an incident log exists
  • Business continuity and DR plans exist and have been tested
  • At least one full internal audit has been completed with findings closed
  • At least one management review has been held with documented outputs
  • Corrective action process is operating with root-cause analysis
  • An accredited certification body has been selected and Stage 1 booked

Common Gaps

  • Statement of Applicability out of sync with the risk assessment or listing controls as implemented when they are not.
  • Risk assessment treated as a one-off spreadsheet exercise rather than a living, repeatable process reviewed on change.
  • Scope drawn too narrowly to be commercially credible, or exclusions justified in the scope rather than the SoA.
  • Information security objectives that are vague and unmeasurable, failing Clause 6.2.
  • Management review held as a tick-box meeting without the mandated inputs or documented improvement decisions.
  • Internal audit performed by someone lacking independence from the area audited.
  • Awareness training delivered once at induction but never refreshed, with no completion tracking.
  • The 2022 new controls (threat intelligence, cloud security, DLP, secure coding, configuration management) implemented on paper only.
  • Supplier security clauses absent from contracts, with no due-diligence evidence for critical vendors.
  • Access reviews not performed regularly, leaving orphaned and over-privileged accounts.
  • Backups scheduled but restores never tested, so recoverability is unproven.
  • Nonconformities closed without genuine root-cause analysis, so the same issues recur.
  • Documentation that describes an idealised ISMS the organisation does not actually operate — the classic paper-vs-practice gap.

ISO 27001 Mapped to Other Frameworks

ISO 27001 is frequently operated alongside other frameworks. A single control environment can satisfy multiple requirements when mappings are understood. The table below shows indicative alignment; it is a planning aid, not a substitute for a formal crosswalk.

FrameworkRelationship to ISO 27001Notes
ISO/IEC 27002:2022Direct — implementation guidance for Annex A27002 details how to implement each of the 93 controls
ISO/IEC 27701Extension for privacy (PIMS)Adds privacy controls; certifiable as an extension to a 27001 ISMS
SOC 2 (AICPA TSC)Strong overlap on security/availability/confidentialityMany controls satisfy both; SOC 2 is attestation, ISO 27001 is certification
NIST Cybersecurity Framework 2.0ComplementaryNIST CSF functions (Govern, Identify, Protect, Detect, Respond, Recover) map to ISO clauses and controls
NIST SP 800-53Control-catalogue overlap800-53 is more prescriptive; useful for US federal alignment
PCI DSS v4.0Partial overlap on technical controlsPCI DSS is prescriptive and cardholder-data specific; ISO 27001 provides the governance wrapper
GDPR / UK GDPRSupports Article 32 (security of processing)ISO 27001 evidences appropriate technical and organisational measures
India DPDP Act 2023Supports 'reasonable security safeguards'ISO 27001 (with 27701) demonstrates accountability for personal data
CIS Critical Security Controls v8Technical control mappingCIS Controls implement many Annex A.8 technological controls
HIPAA Security RuleOverlap on safeguardsISO 27001 controls map to administrative, physical and technical safeguards
DORA (EU)Supports ICT risk management requirementsISO 27001 ISMS underpins DORA ICT governance for financial entities
How CyberSigma helps
CyberSigma provides end-to-end ISO/IEC 27001:2022 services — from gap analysis and scoping through risk assessment, Statement of Applicability development, policy and control design, awareness training, internal audit and certification-body coordination. As a CERT-In empanelled firm with PCI QSA and multi-framework expertise, we build a single, audit-ready control environment that satisfies ISO 27001 alongside SOC 2, PCI DSS, GDPR and India's DPDP Act — so you certify once and reuse the evidence everywhere. Our assessors run readiness audits that mirror the certification body's Stage 1 and Stage 2 approach, close the common gaps before they become nonconformities, and stand alongside you through the audit to certification and beyond. Talk to CyberSigma to build an ISMS that is genuinely operated, not merely documented.
Free 1-minute check
ISO 27001 Readiness Checker
See how close you are to ISO 27001 certification — free, in 5 questions.
Try it free →

Frequently asked questions

What changed in ISO 27001:2022?
Annex A was restructured into four themes with 93 controls (including new ones like threat intelligence and secure coding). Existing certified organisations transition to the 2022 version.
How long does ISO 27001 take?
Typically 3–6 months to first certification for a mid-sized organisation, driven by scope and how mature your controls already are.
Is ISO 27001 mandatory?
It is voluntary, but often contractually required by enterprise customers and a strong differentiator in sales.

Need help with ISO 27001?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.