ISO/IEC 27001: The Complete Guide to the ISMS Standard, Controls, Cost & Certification
ISO/IEC 27001 is the leading international standard for an Information Security Management System (ISMS). The current edition, ISO/IEC 27001:2022, sets management-system requirements in clauses 4-10 and lists 93 information security controls in Annex A. Certification is earned only when an accredited certification body audits a working ISMS and issues a certificate -- buying documentation does not by itself make you certified, but it builds the policies and records auditors expect to see.
Free: The ISO 27001:2022 Starter Checklist (9 steps) →
What is ISO/IEC 27001?
ISO/IEC 27001 is the world's most widely recognized standard for managing information security risk. Its auditable requirements live in clauses 4-10 (context, leadership, planning, support, operation, performance evaluation, and improvement), while Annex A lists 93 reference controls grouped into four themes: 37 Organizational, 8 People, 14 Physical, and 34 Technological. The 2022 revision consolidated the previous edition's 114 controls across 14 domains down to 93 and introduced 11 new controls (such as threat intelligence, secure coding, and data leakage prevention). Crucially, you do not implement all 93 controls by default -- you select applicable controls based on a risk assessment and justify each inclusion or exclusion in a Statement of Applicability (SoA).
Who needs it?
ISO 27001 is for any organization that needs to prove, to international customers and regulators, that it manages information security systematically. It is the dominant credential outside North America (where SOC 2 is more common), so SaaS vendors, MSPs, law firms, and e-commerce or B2B companies selling into EU, UK, and global enterprise accounts are the most frequent adopters. It is voluntary rather than legally mandated, but enterprise procurement, RFPs, and security questionnaires increasingly require it, which turns a "nice to have" into a condition of closing deals. Many companies pursue ISO 27001 and SOC 2 together because a single, well-built control set can support both.
What does ISO/IEC 27001 readiness cost?
| Option | Typical cost | Time to ready |
|---|---|---|
| ComplianceDocs ISO 27001 toolkit (DIY documentation) | $59-$149 one-time | Editable same day; tailor in 1-3 weeks |
| Independent consultant (documentation through readiness) | ~$1,250-$2,750+ for documentation; materially more for end-to-end implementation | 6-16 weeks |
| Compliance automation platform (Vanta, Drata, etc.) | ~$7,000-$30,000/yr | 4-12 weeks plus ongoing |
| Accredited certification audit (separate, required for all routes above) | ~$5,000-$15,000+ for an SME (Stage 1 + Stage 2) | After the ISMS is operating, typically 3+ months |
Typical timeline
- 1. Define scope and context — Determine which parts of the business, systems, and locations the ISMS covers, and identify interested parties and their requirements (clause 4).
- 2. Risk assessment and treatment — Identify information security risks, evaluate them, and decide treatments. This drives which Annex A controls apply.
- 3. Build the documentation and Statement of Applicability — Write the mandatory policies, procedures, and records, and produce the SoA that addresses all 93 Annex A controls, marking each as included or excluded with justification. This is the longest stage when done from scratch, and the one where templates save the most time.
- 4. Implement and operate the controls — Put the selected controls into practice and run the ISMS long enough to generate evidence (often 1-3+ months of operating records).
- 5. Internal audit and management review — Conduct an internal audit and a management review to confirm the ISMS works and to fix nonconformities before the certification body arrives.
- 6. Stage 1 and Stage 2 certification audit — An accredited certification body reviews the documented ISMS and your readiness (Stage 1), then audits the implemented controls and their operating evidence (Stage 2) and issues the certificate. The certificate is maintained through annual surveillance audits and a recertification audit every three years.
How editable templates speed this up
The single most time-consuming part of ISO 27001 is producing the documented ISMS -- the policies, procedures, risk register, and the Statement of Applicability that addresses all 93 Annex A controls. ComplianceDocs toolkits give you that entire document set, professionally structured to ISO/IEC 27001:2022, in editable Word and Excel with clearly marked placeholders you replace for your organization. That removes weeks of drafting and lets you focus on the parts only you can do: scoping, assessing your actual risks, and operating the controls. The templates accelerate readiness; certification itself still comes from an accredited body auditing your live ISMS.
Recommended ISO/IEC 27001 toolkits
ISO 27001 Policy Pack — Core
16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
ISO 27001 Toolkit for SaaS Companies
17 editable ISO/IEC 27001:2022 policies written natively for cloud-native SaaS — including a Customer Data Isolation & Multi-Tenancy Security Policy — plus a SaaS-specific risk register and the 93-control Statement of Applicability.
ISO 27001 Toolkit for MSPs
17 editable ISO/IEC 27001:2022 policies built for managed service providers — including a Client Environment Access & Credential Management Policy — plus an MSP-specific risk register and the 93-control Statement of Applicability.
ISO 27001 Toolkit for Law Firms
17 editable ISO/IEC 27001:2022 policies written for legal practices — including a Client Confidentiality & Information Barriers Policy — plus a law-firm risk register (BEC wire fraud, privilege, lateral hires) and the 93-control Statement of Applicability.
ISO 27001 Toolkit for E-commerce
17 editable ISO/IEC 27001:2022 policies for online retailers — including a Payment Card Data Security Policy aligned to PSP-tokenized PCI obligations — plus an e-commerce risk register (Magecart, account takeover) and the 93-control Statement of Applicability.
ISO 27001 + SOC 2 Dual Toolkit
47 documents covering both frameworks plus a control crosswalk, risk register, Statement of Applicability and TSC mapping — run one security program, pass two audits.
Compare ISO/IEC 27001 with other frameworks
- ISO/IEC 27001 vs SOC 2: Certification or Attestation, Controls, Cost, and Which One You Need
- NIST CSF 2.0 vs ISO/IEC 27001
Frequently asked questions
- Is ISO 27001 mandatory?
- No. ISO 27001 is a voluntary international standard, not a law. However, it is frequently required contractually -- enterprise customers, RFPs, and security questionnaires often demand it before they will sign -- so for many vendors it is effectively a commercial requirement even though it is not a legal one.
- How long does it take to get ISO 27001 certified?
- For a small or mid-sized organization, typically three to twelve months. The variables are how much documentation already exists, how quickly you implement the selected controls, and how long the ISMS must operate to generate evidence before the Stage 1 and Stage 2 audits. Starting from a complete template set shortens the documentation stage, which is usually the longest.
- What is the Statement of Applicability (SoA)?
- The SoA is a required document that addresses all 93 Annex A controls and records, for each one, whether it applies to your ISMS, the justification, and its implementation status. It connects your risk assessment to the controls you have chosen. You do not have to implement every control -- but you must justify each inclusion and exclusion, and auditors review the SoA closely.
- ISO 27001 vs SOC 2 -- what is the difference?
- ISO 27001 is an internationally recognized certification of an information security management system, issued by an accredited certification body and most valued outside North America. SOC 2 is a US-centric attestation report on a service organization's controls, issued by a licensed CPA firm against the AICPA Trust Services Criteria. They overlap heavily, so many companies build one control set and pursue both; ISO 27001 results in a certificate, while SOC 2 produces an auditor's report.
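The SoA described in step 3 of the timeline and in the FAQ above is the one ISMS document that auditors check row by row, so it pays to script the consistency checks before Stage 1. The following is an added example, not code from this page, from ComplianceDocs, or from ISO. It assumes the SoA is exported as a CSV with columns `control_id`, `applicable`, `justification` and `status`, and assumes a three-value status vocabulary (`implemented`, `partial`, `planned`); both are illustration choices. The per-theme control counts (5.x Organizational 37, 6.x People 8, 7.x Physical 14, 8.x Technological 34) are Annex A of ISO/IEC 27001:2022. The sample SoAs are constructed inline, one consistent and one with five deliberate defects.

```python
"""Consistency checks for an ISO/IEC 27001:2022 Statement of Applicability (SoA).

Added example, not code from ComplianceDocs or from ISO. The per-theme control
counts are Annex A of ISO/IEC 27001:2022; the CSV column layout and the status
vocabulary are assumptions made for this illustration.
"""
import csv
import io
from collections import Counter

# Annex A theme prefix -> (theme name, number of controls). 37 + 8 + 14 + 34 = 93.
ANNEX_A_THEMES = {
    "5": ("Organizational", 37),
    "6": ("People", 8),
    "7": ("Physical", 14),
    "8": ("Technological", 34),
}
EXPECTED_IDS = [f"{prefix}.{n}"
                for prefix, (_, count) in ANNEX_A_THEMES.items()
                for n in range(1, count + 1)]
EXPECTED_SET = set(EXPECTED_IDS)
INCLUDED_STATUSES = {"implemented", "partial", "planned"}           # assumed vocabulary
CSV_COLUMNS = ["control_id", "applicable", "justification", "status"]  # assumed layout


def load_soa(csv_text):
    """Parse SoA rows from CSV text with the assumed column layout."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def validate_soa(rows):
    """Return a list of findings; an empty list means the SoA is complete and consistent."""
    findings = []
    seen = Counter(r["control_id"].strip() for r in rows)
    # 1. Every Annex A control must be addressed exactly once, as included or excluded.
    for cid in EXPECTED_IDS:
        if seen[cid] == 0:
            findings.append(f"{cid}: control not addressed")
        elif seen[cid] > 1:
            findings.append(f"{cid}: listed {seen[cid]} times")
    for cid in seen:
        if cid not in EXPECTED_SET:
            findings.append(f"{cid}: not an ISO/IEC 27001:2022 Annex A identifier")
    # 2. Every row needs a decision, a justification, and a status consistent with the decision.
    for r in rows:
        cid = r["control_id"].strip()
        decision = r["applicable"].strip().lower()
        status = r["status"].strip().lower()
        if decision not in {"included", "excluded"}:
            findings.append(f"{cid}: applicability must be 'included' or 'excluded', got {decision!r}")
            continue
        if not r["justification"].strip():
            findings.append(f"{cid}: {decision} without justification")
        if decision == "included" and status not in INCLUDED_STATUSES:
            findings.append(f"{cid}: included control needs an implementation status, got {status!r}")
        if decision == "excluded" and status:
            findings.append(f"{cid}: excluded control should not carry an implementation status")
    return findings


def coverage_by_theme(rows):
    """Count (included, excluded) decisions per Annex A theme."""
    counts = {name: [0, 0] for name, _ in ANNEX_A_THEMES.values()}
    for r in rows:
        prefix = r["control_id"].strip().split(".")[0]
        if prefix in ANNEX_A_THEMES:
            name = ANNEX_A_THEMES[prefix][0]
            counts[name][0 if r["applicable"].strip().lower() == "included" else 1] += 1
    return {name: tuple(v) for name, v in counts.items()}


def _to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CSV_COLUMNS)
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def complete_soa_csv():
    """Constructed sample: a consistent SoA that includes all 93 controls."""
    return _to_csv({"control_id": cid, "applicable": "included",
                    "justification": f"Treats risk R-{i:03d}", "status": "implemented"}
                   for i, cid in enumerate(EXPECTED_IDS, start=1))


def defective_soa_csv():
    """Constructed sample with five deliberate defects an auditor would flag."""
    by_id = {r["control_id"]: r for r in load_soa(complete_soa_csv())}
    del by_id["8.12"]                                            # a control silently missing
    by_id["6.3"]["status"] = ""                                  # included, but no status
    by_id["7.9"].update(applicable="excluded", justification="", status="")  # unjustified exclusion
    rows = list(by_id.values())
    rows.append(dict(by_id["5.7"]))                              # 5.7 listed twice
    rows.append({"control_id": "8.35", "applicable": "included",
                 "justification": "Custom control", "status": "implemented"})  # not an Annex A id
    return _to_csv(rows)


if __name__ == "__main__":
    for finding in validate_soa(load_soa(defective_soa_csv())):
        print(finding)
    print(coverage_by_theme(load_soa(complete_soa_csv())))
```

Run against the defective sample it reports exactly the five injected problems: a missing control, a duplicate row, an identifier outside Annex A, an included control with no implementation status, and an exclusion with no justification. Those are the same gaps a Stage 1 auditor looks for first, and the theme totals from `coverage_by_theme` should reconcile to 37, 8, 14 and 34 before the SoA is frozen.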
