ISO 27001: Everything You Need to Know

12 min read  ·  By Protectify AI

With bad actors targeting sensitive data, many organisations are looking for new ways to monitor and improve their data security — Enter: ISO/IEC 27001:2022. Earning your ISO 27001 certification is a useful way to establish credibility with stakeholders, customers, and partners, and in turn helps demonstrate your organisation's commitment to cybersecurity.

What is ISO 27001?

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) originally published ISO 27001 in October 2005, revised in 2013, and again in 2022. It focuses on building a strong information security management system (ISMS) within organisations.

As one of the most widely used security frameworks around the world, ISO 27001 is a risk-driven standard that focuses on data confidentiality, integrity, and availability. The standard aims to help organisations have a stronger, more holistic approach to data security.

What are the benefits of ISO 27001 certification?

01

Defines responsibilities and business processes for information security

02

Builds a culture of information security and diligence across the organisation

03

Reduces the potential for security incidents through implemented controls specific to your unique risks and assets

04

Meets additional security compliance requirements and satisfies customer due diligence

Who should get a certification for ISO 27001?

ISO 27001 isn't a legal requirement but may be a prerequisite to customers doing business with your organisation. Some industries are more likely to need ISO 27001 certification because of the type of data that companies store:

What is the difference between ISO 27001 and SOC 2?

ISO 27001 and SOC 2 are two of the most popular cybersecurity assessments that verify an organisation's ability to mitigate risk and protect information. However, the two standards are not interchangeable.

Dimension | ISO 27001 | SOC 2
Output | Certificate issued by an accredited certification body (CB), carrying the accreditation body's mark and, where that body is an IAF MLA signatory, the IAF MLA mark | Attestation report issued by a licensed CPA firm
Geographic reach | International standard, recognised globally | US-born (AICPA); increasingly accepted globally
Framework | ISMS audited against clauses 4 to 10 (all mandatory) plus the Annex A controls selected in the Statement of Applicability (exclusions must be justified); the outcome is certified or not certified | Five Trust Services Criteria; Security is mandatory, the other four are included per scope
Renewal | Certificate valid 3 years, with annual surveillance audits | Report covers a defined period (a Type II typically 6 to 12 months); customers generally expect a fresh report every 12 months
Report detail | Certificate stating scope and validity dates; the detailed audit report normally stays internal | Detailed report containing the auditor's opinion, the system description and the tests performed against each criterion

Read our full SOC 2 Guide for more on how the two frameworks compare.

How do ISO 27001 and ISO 42001 overlap?

ISO 27001 provides a strong foundation for ISO/IEC 42001:2023, the standard for artificial intelligence management systems (AIMS). Both follow the same harmonised management-system structure (context, leadership, planning, support, operation, performance evaluation, improvement), so an existing ISMS can carry much of the governance load. Here's how they differ:

Preparing for your ISO 27001 audit

Your organisation should take time to understand the standard, define goals, and research accredited certification bodies before jumping into an audit. Conducting a gap assessment to understand the state of your compliance journey is strongly recommended.

Steps to ISO 27001 certification

1

Pre-assessment (optional but recommended)

A review of your organisation's scope, policies, procedures, and processes to identify any gaps in conformance that need remediation before the formal audit begins. Highly recommended for first-time certifications.

2

Stage 1 audit

An auditor reviews your ISMS documentation (scope, information security policy, risk assessment and risk treatment, Statement of Applicability, and the records of internal audit and management review) to confirm the ISMS has been established in line with ISO 27001. This audit checks whether the mandatory ISMS activities have been completed and determines readiness for Stage 2.

3

Stage 2 audit

Tests whether the ISMS is implemented and effective against the ISO 27001 requirements, including the controls declared in your Statement of Applicability. Major nonconformities must be corrected and the correction verified before a certificate can be issued; minor nonconformities normally require a corrective action plan accepted by the certification body.

4

Surveillance audit

For the two years following certification, the certification body performs annual surveillance audits to confirm the ISMS is still maintained and conforming. Under ISO/IEC 17021-1 the first surveillance audit must take place within 12 months of the certification decision, so it is typically scheduled around nine months after initial certification.

5

Recertification

ISO 27001 certification is valid for three years. Organisations must recertify before the certificate's expiration date. Recertification audits review the entire management system, similar to the Stage 2 audit.

How do I choose an assessor?

Once an organisation decides to pursue ISO 27001, it must choose a certification body (CB). CBs come in two forms: accredited and unaccredited.

Accredited certification bodies are assessed by an accreditation body (for example UKAS in the UK or ANAB in the US) against ISO/IEC 17021-1, the standard for bodies that audit and certify management systems, together with the ISMS-specific requirements of ISO/IEC 27006. A certificate issued by an accredited CB carries the accreditation body's mark. Where that accreditation body is a signatory to the IAF Multilateral Recognition Arrangement (MLA), the IAF MLA mark may also appear, signalling that the certificate is recognised as equivalent by the other signatories worldwide.

Unaccredited certification bodies have not been assessed by an accreditation body, so nothing independent confirms that their audits meet ISO/IEC 17021-1 and IAF requirements. Many customers will only accept ISO 27001 certificates from accredited CBs, so check your customers' specific accreditation requirements before starting the process.

Common pitfalls

Pitfall 1: Failing to schedule the internal audit and management review

Both the internal audit and the management review are critical to the success of the ISMS, and both must have been completed, with records, before the Stage 2 audit. Schedule them well in advance so there is time to act on their findings before the certification body arrives.

Pitfall 2: Changes in key personnel

If the person responsible for the ISMS leaves, the entire programme can fall apart. Appoint a deputy with a working understanding of the ISMS and maintain detailed documentation to support any transition.

Pitfall 3: Failing to be vigilant year-round

ISO 27001 defines ongoing processes that should be in place throughout the year, not just during the audit itself. Management controls require maintenance for the ISMS to continue to function. Build the ISMS into your day-to-day operations.

Pitfall 4: Not considering environmental changes

ISO 27001 requires that changes in the environment (new systems, suppliers, locations, business processes) be fed through the risk assessment process. New or modified controls must be reflected in the Statement of Applicability. If changes affect the scope of certification, notify your certification body; a scope extension may require an additional audit before a revised certificate is issued.


What is ISO 27701?

Acting as an extension of ISO 27001 and ISO 27002, ISO 27701 is the first international privacy standard to provide a certification path for organisations to demonstrate their privacy systems and controls. ISO/IEC 27701:2019 sets out the requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS), with separate control sets for organisations acting as PII controllers and as PII processors.

To receive an accredited ISO 27701 certificate, an organisation must either already hold ISO 27001 certification or undergo the ISO 27001 certification audit together with the ISO 27701 extension; ISO 27701 cannot be certified on its own.

Combining ISO 27001 and ISO 27701:

What are the ISO 27001 controls and requirements?

In the 2022 update to ISO 27001, the Annex A controls are grouped into four themes (previously 14 domains in the 2013 version): Organisational (A.5), People (A.6), Physical (A.7) and Technological (A.8). The 2022 edition contains 93 controls, down from 114, of which 11 are new.

The 11 new controls introduced in the 2022 update (ISO Annex A):

A.5.7

Threat Intelligence — Requires organisations to gather and analyse threat information to take action and mitigate risk.

A.5.23

Information Security for Use of Cloud Services — Requires processes for the acquisition, use, management of and exit from cloud services, in line with the organisation's information security requirements.

A.5.30

ICT Readiness for Business Continuity — Requires organisations to ensure information and communication technology can be recovered when disruptions occur.

A.7.4

Physical Security Monitoring — Requires monitoring of sensitive physical areas (data centres, production facilities, etc.) to ensure only authorised access.

A.8.9

Configuration Management — Requires organisations to manage technology configuration to ensure it remains secure and to avoid unauthorised changes.

A.8.10

Information Deletion — Requires deletion of data when no longer needed to avoid sensitive information leaks and to comply with privacy requirements.

A.8.11

Data Masking — Requires use of data masking in accordance with the organisation's access control policy to protect sensitive information.

A.8.12

Data Leakage Prevention — Requires implementation of measures to prevent data leakage from systems, networks, and devices.

A.8.16

Monitoring Activities — Requires networks, systems and applications to be monitored for anomalous behaviour, with appropriate action taken to evaluate potential information security incidents.

A.8.23

Web Filtering — Requires access to external websites to be managed so as to reduce exposure to malicious content.

A.8.28

Secure Coding — Requires secure coding principles to be established within the software development process to reduce security vulnerabilities.
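To make one of these controls concrete, the following is an added example (not code from the page or from Protectify AI) of the kind of mechanism A.8.11 Data Masking calls for: records are masked according to an access-control policy before they leave a service, so a role sees a field in clear only where the policy grants it. The roles, field names, the HMAC key and the sample record are all constructed assumptions for the example.

```python
"""Role-driven data masking (Annex A control 8.11), added example.

A role receives a field unmasked only if the access-control policy lists it;
every other field goes through a field-specific masker or is fully redacted.
Unknown roles get nothing in clear (deny by default). All roles, field names,
the key and the sample record below are constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from typing import Any, Callable

# Constructed access-control policy: fields each role may receive unmasked.
POLICY: dict[str, frozenset[str]] = {
    "fraud_analyst": frozenset({"customer_id", "email", "card_number", "notes"}),
    "support_agent": frozenset({"customer_id", "email", "notes"}),
    "marketing": frozenset({"customer_id"}),
}

# Constructed key for keyed pseudonyms; a real deployment keeps this in a
# secrets manager / KMS and rotates it under the organisation's key policy.
PSEUDONYM_KEY = b"example-only-key-not-for-production"


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain: j***@example.com."""
    local, _, domain = value.partition("@")
    if not domain:
        return "***"
    return f"{local[:1]}***@{domain}"


def mask_card(value: str) -> str:
    """PAN masking: strip spaces/dashes, then reveal only the last four digits."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymise(value: str) -> str:
    """Keyed, deterministic token: records can still be joined on it, but the
    identifier cannot be recovered without the key (a bare hash could be
    brute-forced from a list of known IDs)."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pn_" + digest[:16]


# Field-specific maskers; fields without one are redacted entirely.
MASKERS: dict[str, Callable[[str], str]] = {
    "email": mask_email,
    "card_number": mask_card,
    "customer_id": pseudonymise,
}
REDACTED = "[REDACTED]"


def mask_record(record: dict[str, Any], role: str) -> dict[str, Any]:
    """Return a copy of `record` with every field the role may not see masked."""
    allowed = POLICY.get(role, frozenset())  # unknown role -> nothing in clear
    masked: dict[str, Any] = {}
    for field, value in record.items():
        if field in allowed:
            masked[field] = value
        else:
            masker = MASKERS.get(field)
            masked[field] = masker(str(value)) if masker else REDACTED
    return masked


def masked_fields(record: dict[str, Any], role: str) -> set[str]:
    """Fields that were altered for this role; handy for an audit trail."""
    out = mask_record(record, role)
    return {f for f in record if out[f] != record[f]}


# Constructed sample record.
SAMPLE = {
    "customer_id": "C-1001",
    "email": "jane.doe@example.com",
    "card_number": "4111 1111 1111 1111",
    "notes": "Prefers contact by email",
}

if __name__ == "__main__":
    for role in ("fraud_analyst", "support_agent", "marketing", "intern"):
        print(role, mask_record(SAMPLE, role))
```

The policy is deny-by-default: a role the policy does not know (here "intern") receives a record with every field masked, which is the failure mode an auditor will probe. The keyed pseudonym for customer_id keeps downstream joins working without exposing the real identifier, and masked_fields gives the evidence of what was withheld for whom.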

How does ISO 27001 relate to GDPR compliance?

Achieving ISO 27001 certification addresses many of the security obligations in the General Data Protection Regulation (GDPR), notably Article 32's requirement for appropriate technical and organisational measures, but a voluntary standard cannot substitute for a regulation. ISO 27001 does not equal GDPR compliance; it is a strong starting point. The two are complementary: ISO 27001 provides the security management framework, while GDPR adds specific requirements around lawful processing of personal data, breach notification and individuals' rights.


How long is ISO 27001 certification valid?

ISO 27001 certifications are valid for a three-year period with annual surveillance audits.

Ready to start your ISO 27001 journey?

Protectify AI is an accredited ISO 27001 certification body. We provide end-to-end services from pre-assessment to ongoing surveillance to recertification.

Book a working session →