ISO 27001 Certification in Numbers: The Latest ISO Survey Data
There were 96,709 valid ISO/IEC 27001 certificates covering 179,877 sites worldwide in the ISO Survey 2024 — the latest edition available as of July 2026 — up from 36,362 certificates in the 2019 survey, roughly a 2.7x increase in five years. China leads by a wide margin, information technology is the most-certified sector, and since October 31, 2025 every valid certificate is to the 2022 revision with its 93 Annex A controls.
The headline numbers
The ISO Survey is ISO’s official annual count of valid management-system certificates, and its 2024 edition (published September 2025) is the most recent available as of July 2026. One methodology note belongs next to every year-over-year comparison: 2024 was the first edition compiled from the IAF CertSearch database (76 accreditation bodies, 2,400+ certification bodies) rather than voluntary certification-body reporting, so part of the jump from the 2023 edition reflects better data coverage, not only new certifications — and Germany is understated in the 2024 data.
| Metric | Figure (ISO Survey 2024) |
|---|---|
| Valid ISO/IEC 27001 certificates worldwide | 96,709 |
| Certified sites worldwide | 179,877 |
| Certificates in the 2019 edition (five years earlier) | 36,362 (≈ 2.7x growth to 2024) |
| Certificates in the 2022 edition | 71,549 |
| ISO 9001, for scale | 1,474,118 certificates |
| ISO 14001, for scale | 676,232 certificates |
Source: The ISO Survey of Management System Standard Certifications 2024 (iso.org/the-iso-survey.html), compiled from IAF CertSearch; prior-year figures from the respective earlier ISO Survey editions.
Where ISO 27001 certificates are
By country, per the IAF CertSearch data underlying the ISO Survey 2024 (Germany understated due to a missing accreditation-body dataset):
| Rank | Country | Valid certificates (2024) |
|---|---|---|
| 1 | China | 33,359 |
| 2 | India | 6,758 |
| 3 | Japan | 6,644 |
| 4 | United Kingdom | 4,455 |
| 5 | United States | 4,260 |
Source: ISO Survey 2024 country data (IAF CertSearch basis). Sector reporting is incomplete in the survey — among certificates that do report a sector, information technology ranks first by a wide margin.
Every valid certificate is now ISO/IEC 27001:2022
ISO/IEC 27001:2022 was published on October 25, 2022, and under IAF MD 26 the transition window from the 2013 revision closed on October 31, 2025 — certificates still on ISO/IEC 27001:2013 expired or were withdrawn at that date. Practically, that means any organization holding a valid ISO 27001 certificate today is certified against the 2022 revision: 93 Annex A controls in four themes (organizational, people, physical, technological), with the management-system requirements in clauses 4–10 and a Statement of Applicability covering all 93 controls.
For anyone building an ISMS now, that removes a common point of confusion: there is no choice of revision to make. Documentation, risk registers and the SoA should be written to the 2022 control set from day one.
What about ISO/IEC 42001 (AI management)?
ISO/IEC 42001:2023 — the certifiable AI management system standard — is not yet tracked in the ISO Survey (the 2024 edition covers 16 standards, and 42001 is not among them), and no official worldwide certificate count exists as of July 2026. The standard was published in December 2023 and the first accredited certification programs launched in 2024, so it is early: organizations certifying now are ahead of the reporting, not behind it. Any specific global count you see quoted for ISO 42001 certificates currently has no official source.
Frequently asked questions
- How many ISO 27001 certificates are there worldwide?
- 96,709 valid ISO/IEC 27001 certificates covering 179,877 sites, per the ISO Survey 2024 — the latest edition available as of July 2026. Note the survey switched to IAF CertSearch data in 2024, so comparisons with earlier editions partly reflect improved coverage.
- Which countries have the most ISO 27001 certificates?
- China leads by a wide margin with 33,359 valid certificates in the ISO Survey 2024, followed by India (6,758), Japan (6,644), the United Kingdom (4,455) and the United States (4,260). Germany is understated in the 2024 data because one national accreditation dataset was missing.
- Is ISO 27001 certification growing?
- Yes. The ISO Survey counted 36,362 valid certificates in 2019, 71,549 in 2022 and 96,709 in 2024 — roughly 2.7x growth in five years. The 2024 figure benefits from a more complete data source (IAF CertSearch), but the underlying trend across editions is consistent growth.
- Is ISO 27001:2013 still valid?
- No. Under IAF MD 26, certificates to ISO/IEC 27001:2013 expired or were withdrawn by October 31, 2025. Every valid ISO 27001 certificate today is against the 2022 revision — 93 Annex A controls in four themes, with an updated Statement of Applicability.
- How many ISO 42001 certificates exist?
- No official count exists as of July 2026. ISO/IEC 42001 is not yet included in the ISO Survey, and accredited certification only began in 2024. Treat any specific worldwide number you encounter as unsourced.
Related guides: ISO/IEC 27001 · ISO 42001
Toolkits that help
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
ISO 27001 Policy Pack — Core
16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.
ISO 27001 + SOC 2 Dual Toolkit
47 documents covering both frameworks plus a control crosswalk, risk register, Statement of Applicability and TSC mapping — run one security program, pass two audits.
ISO 42001 AI Management System Toolkit
14 editable ISO/IEC 42001:2023 policies and procedures — impact assessments, AI lifecycle, data governance, third-party AI — plus the Annex A Statement of Applicability, an AI risk register, and an audit evidence checklist.
