ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). The current edition, ISO/IEC 27001:2022, defines 93 Annex A controls grouped into 4 themes (referred to on this page as domains) for protecting information assets.
ISO 27001 is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).
The standard takes a risk-based approach. Organisations identify the information they need to protect, assess the risks to it, choose risk treatment options and determine the controls needed to implement them, then compare those controls against Annex A (the 93-control reference catalogue) to confirm that no necessary control has been omitted (clause 6.1.3). In practice the CISO, or an equivalent role, owns the ISMS on behalf of top management; risk owners approve the risk treatment plans, and asset owners are accountable for the assets and the controls under their management.
ISO/IEC 27001:2022, published in October 2022, replaced the 2013 edition. It restructured Annex A from 114 controls across 14 domains to 93 controls across 4 domains, and introduced 11 new controls covering, among other things, cloud services security, threat intelligence, data masking and physical security monitoring.
93 controls restructured into 4 domains in the 2022 revision. Our engine maps and tracks all 93 with full evidence management.
Organisational controls (37). The largest domain. Covers governance, policies, asset management, access control policy, supplier relationships, use of cloud services, incident management, ICT readiness for business continuity, and legal, statutory, regulatory and contractual requirements. Sets the strategic ISMS framework.
People controls (8). Controls covering the human element of information security: screening before employment, security responsibilities in the terms and conditions of employment, awareness and training, the disciplinary process, and responsibilities on termination or change of employment.
Physical controls (14). Physical and environmental security of information processing facilities: physical security perimeters, entry controls, physical security monitoring, equipment siting and protection, clear desk and clear screen, and secure disposal or re-use of equipment and storage media.
Technological controls (34). The technical domain: user endpoint devices, privileged access rights, secure authentication, cryptography, network security, management of technical vulnerabilities, configuration management, logging and monitoring activities, data leakage prevention, web filtering and secure coding.
Beyond the Annex A controls, ISO 27001 has mandatory requirements in clauses 4 to 10 that define how the ISMS must be structured and operated. An Annex A control can be excluded with justification; a clause requirement cannot.
Clause 4, Context of the organisation. Determine the internal and external issues relevant to the ISMS. Identify interested parties and their requirements. Define the ISMS scope.
Clause 5, Leadership. Top management commitment to the ISMS. Establish an information security policy. Assign roles, responsibilities and authorities for information security.
Clause 6, Planning. Risk assessment and risk treatment process. Information security objectives and plans to achieve them. Statement of Applicability (SoA) listing the necessary controls, whether each is implemented, and the justification for including or excluding every Annex A control. The 2022 edition also adds clause 6.3, planning of changes to the ISMS.
Clause 7, Support. Resources, competence, awareness, communication and documented information. All ISMS documentation requirements, including policies, procedures and records.
Clause 8, Operation. Operational planning and control. Carrying out the risk assessment and implementing the risk treatment plan. Control of externally provided processes, products and services that are relevant to the ISMS.
Clause 9, Performance evaluation. Monitoring, measurement, analysis and evaluation (9.1). Internal audit programme (9.2). Management review (9.3): periodic top management review of the ISMS.
Clause 10, Improvement. Continual improvement, and nonconformity and corrective action. When a nonconformity occurs, for example one raised in an audit, the organisation must react to control and correct it, evaluate whether action is needed to eliminate its root cause so that it does not recur, implement that action, review the effectiveness of the corrective action, and retain documented evidence of the nonconformity and of the action taken. The platform's finding management workflow covers this end to end.
The 2022 revision was significant: Annex A was completely restructured and 11 new controls were added. New certifications can no longer be issued against the 2013 edition.
The 2013 standard had 114 controls across 14 domains. The 2022 standard reorganised these into 93 controls across 4 domains (Organisational, People, Physical, Technological), merging overlapping controls and renumbering the rest, which reduces duplication and improves clarity.
New controls addressing modern security threats: 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering, and 8.28 Secure coding.
Each control now carries 5 attributes, defined in ISO/IEC 27002:2022: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover, aligned with the NIST CSF functions), operational capabilities, and security domains. The attributes are written as hashtags (for example #Preventive) and are intended for filtering, sorting and reporting on the control set.
Organisations certified to ISO 27001:2013 had until 31 October 2025 to transition to the 2022 edition, and certification bodies stopped issuing new 2013 certificates from 1 May 2024 (IAF MD 26). Our platform is built exclusively on ISO 27001:2022.
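As an added example (not code from the original page or from the platform it describes), the risk-based control selection described in the overview and the attribute filtering above can both be shown in a short Python script: a constructed excerpt of six Annex A controls carries the five attributes, a filter selects controls by attribute, and a consistency check confirms that every control used in a risk treatment is marked applicable in the SoA and that every catalogued control has a justification for its inclusion or exclusion. Control IDs and names are those of ISO/IEC 27001:2022; the attribute values, the risk register entries and the SoA rows are assumptions constructed for illustration.

```python
"""ISO/IEC 27001:2022 control selection helper (added example; attribute values
and sample data are constructed for illustration, not quoted from the standard)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One Annex A control with the five ISO/IEC 27002:2022 attributes."""
    control_id: str
    name: str
    control_type: frozenset   # Preventive / Detective / Corrective
    properties: frozenset     # Confidentiality / Integrity / Availability
    concepts: frozenset       # Identify / Protect / Detect / Respond / Recover
    capabilities: frozenset   # operational capability tags
    domains: frozenset        # Governance_and_Ecosystem / Protection / Defence / Resilience


def _c(cid, name, ctype, props, concepts, caps, domains):
    return Control(cid, name, frozenset(ctype), frozenset(props),
                   frozenset(concepts), frozenset(caps), frozenset(domains))


CIA = ("Confidentiality", "Integrity", "Availability")

# Constructed excerpt: six of the 93 controls. IDs and names are from the
# standard; the attribute values below are assumptions made for this example.
CATALOGUE = [
    _c("5.7", "Threat intelligence", ("Preventive", "Detective", "Corrective"), CIA,
       ("Identify", "Detect", "Respond"), ("Threat_and_vulnerability_management",),
       ("Defence", "Resilience")),
    _c("8.9", "Configuration management", ("Preventive",), CIA,
       ("Protect",), ("Secure_configuration",), ("Protection",)),
    _c("8.11", "Data masking", ("Preventive",), ("Confidentiality",),
       ("Protect",), ("Information_protection",), ("Protection",)),
    _c("8.16", "Monitoring activities", ("Detective", "Corrective"), CIA,
       ("Detect", "Respond"), ("Information_security_event_management",), ("Defence",)),
    _c("8.23", "Web filtering", ("Preventive",), CIA,
       ("Protect",), ("System_and_network_security",), ("Protection",)),
    _c("8.28", "Secure coding", ("Preventive",), CIA,
       ("Protect",), ("Application_security", "System_and_network_security"),
       ("Protection",)),
]


def filter_controls(catalogue, **criteria):
    """Attribute filter: return the IDs of controls whose attribute sets contain
    every requested value, e.g. filter_controls(CATALOGUE, concepts={"Detect"})."""
    return [ctrl.control_id for ctrl in catalogue
            if all(set(values) <= getattr(ctrl, attr) for attr, values in criteria.items())]


@dataclass(frozen=True)
class SoAEntry:
    """One row of the Statement of Applicability (clause 6.1.3 d)."""
    control_id: str
    applicable: bool
    justification: str


def check_soa(catalogue, soa, risk_treatments):
    """Cross-check the SoA against the control catalogue and the risk treatment
    plan. Returns a list of finding strings; an empty list means consistent."""
    findings = []
    by_id = {entry.control_id: entry for entry in soa}
    catalogue_ids = {ctrl.control_id for ctrl in catalogue}
    # Every Annex A control must appear in the SoA with a justification,
    # whether it is included or excluded.
    for cid in sorted(catalogue_ids):
        entry = by_id.get(cid)
        if entry is None:
            findings.append(f"{cid}: missing from SoA")
        elif not entry.justification.strip():
            status = "inclusion" if entry.applicable else "exclusion"
            findings.append(f"{cid}: no justification for {status}")
    # Every control that treats a risk must be marked applicable.
    for risk_id, controls in sorted(risk_treatments.items()):
        for cid in controls:
            entry = by_id.get(cid)
            if entry is None or not entry.applicable:
                findings.append(f"{risk_id}: treated by {cid}, which is not applicable in SoA")
    return findings


# Constructed risk register and SoA; 8.28 is deliberately left unjustified.
RISK_TREATMENTS = {
    "R-01": ["8.11"],          # customer PII copied into test environments
    "R-02": ["5.7", "8.16"],   # undetected compromise of production hosts
}
SOA = [
    SoAEntry("5.7", True, "Threat feeds consumed by the SOC; treats R-02"),
    SoAEntry("8.9", True, "Hardened baselines enforced by configuration management"),
    SoAEntry("8.11", True, "Masked data sets in non-production; treats R-01"),
    SoAEntry("8.16", True, "Central log monitoring; treats R-02"),
    SoAEntry("8.23", False, "No user web browsing from in-scope systems"),
    SoAEntry("8.28", True, ""),
]

if __name__ == "__main__":
    print("Detective controls:", filter_controls(CATALOGUE, concepts={"Detect"}))
    for finding in check_soa(CATALOGUE, SOA, RISK_TREATMENTS):
        print("FINDING:", finding)
```

Run as-is, the script lists 5.7 and 8.16 as the controls tagged #Detect and raises one finding, the unjustified inclusion of 8.28; a treatment that references an excluded control (for example 8.23) would raise a second. The point of keeping the check in code is that the SoA, the risk register and the catalogue drift apart between audits, and clause 6.1.3 expects them to agree.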
Certification is performed by an accredited certification body (CB). The process involves a two-stage initial audit, annual surveillance audits, and a recertification audit before the three-year certificate expires.
Stage 1. The CB auditor reviews your ISMS documentation (scope, policies, risk assessment and treatment methodology, Statement of Applicability and ISMS procedures) and confirms readiness for Stage 2, identifying any gaps that would prevent certification.
Stage 2. The CB auditor assesses whether the ISMS is implemented and operating effectively, sampling evidence of control implementation, risk treatment and ISMS operation, including internal audit and management review records. Major nonconformities must be closed before a certificate is issued; minor nonconformities need an accepted corrective action plan.
After initial certification (valid 3 years), annual surveillance audits verify that the ISMS continues to operate effectively and that corrective actions from previous findings have been closed; a full recertification audit in the third year renews the certificate.
30-day free trial. All 93 controls. All 3 panels. Full ISMS governance from day one.