ISO/IEC 27001:2022 — a practitioner reference
ControlForge free guide · 2026-05-23 · Reflects ISO/IEC 27001:2022 with Amendment 1:2024 (climate action changes)
Quick reference
- Applies to: any organisation, any size, any sector, anywhere — voluntarily adopted as the global ISMS baseline.
- Mandatory or voluntary: voluntary at the standard level. Certification is contractually mandatory in many supplier relationships, procurement frameworks, and as an input to ISO 42001, ISO 27701, SEBI CSCRF, and EU DORA/NIS 2 evidence packs.
- Year published: ISO/IEC 27001:2022 (third edition, October 2022). Amendment 1:2024 (February 2024) added climate-change considerations to Clauses 4.1 and 4.2.
- Transition deadline: organisations holding ISO/IEC 27001:2013 certification had to transition to the 2022 edition by 31 October 2025.
- Issuing body: International Organization for Standardization (ISO) jointly with the International Electrotechnical Commission (IEC), through joint technical committee ISO/IEC JTC 1/SC 27.
- Penalties: none under the standard itself. Loss of certification creates commercial and contractual exposure rather than statutory penalty.
- ControlForge density: 93 Annex A controls curated; 47 cross-framework clusters reference ISO 27001 — the highest framework density in the KB after NIST CSF.
What it is
ISO/IEC 27001 is the international standard for information security management systems (ISMS). It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS — a documented, risk-based system for protecting the confidentiality, integrity, and availability of information.
The standard has a long lineage: BS 7799-1 (1995, UK), BS 7799-2 (1999), ISO/IEC 27001:2005, then the 2013 edition, and now 2022. The 2022 edition was the most substantive rewrite since 2005: Annex A was restructured from 14 domains and 114 controls into 4 themes and 93 controls, with 11 controls newly introduced, 24 merged from existing controls, and the remainder mapped one-to-one to predecessors.
ISO 27001 is the certifiable management-system standard. Its companion ISO/IEC 27002:2022 provides implementation guidance for the Annex A controls — not certifiable in itself, but referenced extensively by auditors evaluating control design. Together they form the security-management backbone that most large enterprise procurement processes assume by default.
Amendment 1:2024 added a single textual requirement at Clauses 4.1 and 4.2: the organisation shall determine whether climate change is a relevant issue, and interested parties may have climate-related requirements. For most ISMS scopes this is a documented review producing a short determination — substantively minor, but auditors do check it from May 2024 onwards.
Structure at a glance
ISO 27001 follows ISO's Harmonized Structure (formerly Annex SL), giving it the same shape as ISO 9001, ISO 14001, ISO 22301, ISO 42001, and ISO 27701. The body of the standard is Clauses 4–10:
- Clause 4 — Context of the organisation. Internal/external issues (now including climate change), interested parties, ISMS scope.
- Clause 5 — Leadership. Top-management commitment, information security policy, organisational roles.
- Clause 6 — Planning. Risk assessment methodology, risk treatment, Statement of Applicability (SoA), information security objectives.
- Clause 7 — Support. Resources, competence, awareness, communication, documented information.
- Clause 8 — Operation. Operational planning and control; risk assessment in operation; risk treatment in operation.
- Clause 9 — Performance evaluation. Monitoring, measurement, analysis, evaluation; internal audit; management review.
- Clause 10 — Improvement. Continual improvement; nonconformity and corrective action.
Annex A — 93 controls in 4 themes (with the 2022 restructure):
- A.5 Organisational controls (37 controls): policies, roles, supplier management, incident management, BCM, legal/regulatory, threat intelligence, cloud services, ICT readiness.
- A.6 People controls (8 controls): screening, terms of employment, awareness, disciplinary, termination, NDAs, remote working, reporting.
- A.7 Physical controls (14 controls): perimeters, entry, offices, security monitoring, equipment, environmental, cabling, maintenance, off-premises, secure disposal, clear desk, supporting utilities.
- A.8 Technological controls (34 controls): endpoint, access, authentication, capacity, malware, vulnerabilities, configuration, backups, redundancy, logging, monitoring, clock sync, network controls, segregation, web filtering, cryptography, secure development, change management.
The 11 new controls in 2022: A.5.7 Threat intelligence, A.5.23 Cloud services, A.5.30 ICT readiness for BCM, A.7.4 Physical security monitoring, A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 DLP, A.8.16 Monitoring activities, A.8.23 Web filtering, A.8.28 Secure coding. These controls reflect the threat landscape evolution since 2013: cloud-first architectures, ransomware-driven recovery requirements, modern attack surfaces (web filtering, monitoring activities), and the shift toward intelligence-driven security operations. Auditors specifically test implementation depth of these 11 in surveillance audits, because they are the most common gap-filler controls carried in the SoA without operational substance.
Statement of Applicability (SoA) — the keystone artefact. Clause 6.1.3(d) requires an SoA listing every Annex A control, the applicability decision (yes / no), justification for inclusion or exclusion, and the current implementation status. The SoA is the single most-tested document at certification audits — it is the evidence index that auditors use to plan sampling. The 2022 transition required SoA refresh against the new 4-theme structure; many transitioning organisations re-papered the SoA but kept stale implementation narratives — a recurring finding in 2025 surveillance audits.
Who must comply
ISO 27001 applies to any organisation that wants — or is contractually required — to demonstrate a managed approach to information security. Procurement-driven adoption is the dominant route:
- SaaS vendors serving regulated buyers (financial services, healthcare, government) are commonly required to hold ISO 27001 certification.
- Cloud providers and managed-service providers serving enterprise buyers in EMEA, APAC, and increasingly the Americas treat ISO 27001 as table stakes.
- Indian regulated entities under SEBI CSCRF can use ISO 27001 certification to satisfy specific control-set requirements (SEBI's Aug 2025 technical clarifications confirmed equivalence in defined areas).
- EU NIS 2 / DORA implementers use ISO 27001 as the underlying ISMS even though those regulations are not themselves certifiable standards.
There is no statutory "must" tier. The decision to certify is commercial: weigh the cost of certification (initial Stage 1 + Stage 2 audit plus three years of surveillance audits) against contract-win value, RFP screening pass-rates, and reduction in customer security questionnaire burden.
Core obligations / control families
The audit examines compliance against two layers: Clauses 4–10 (the management system), and Annex A controls in scope per the Statement of Applicability.
ISMS clauses (Clauses 4–10). The management system is where 80% of audit attention sits. The auditor walks the lifecycle: documented scope, leadership-approved policy, risk methodology, risk register with linked controls, Statement of Applicability listing every Annex A control with applicability decision and justification, operational evidence (training records, internal audits, management reviews), and continual improvement evidence (corrective actions closed with root cause). The Harmonized Structure means an organisation already running ISO 9001 or ISO 14001 reuses 60–70% of the management-system machinery. Maps into ControlForge clusters cl-policy, cl-risk-assessment, cl-roles-responsibilities, cl-mandatory-audit, and cl-management-review.
Organisational controls (A.5, 37 controls). Policy structure, role definitions, segregation of duties, contact with authorities and special interest groups, threat intelligence (new), project management security, asset inventory, classification, labelling, transfer rules, access policy, identity management, authentication, supplier relationship and security, monitoring of supplier services (new emphasis), cloud services security (new), incident management lifecycle, learning from incidents, evidence collection, BCM information security continuity (renamed), ICT readiness for BCM (new), compliance with legal and contractual requirements, intellectual property, records protection, privacy and PII, information security review, documented operating procedures. Anchors clusters cl-policy, cl-access-rights, cl-supplier-policy, cl-cloud-shared-responsibility, cl-incident-response-execution, cl-bcp-ict-readiness, cl-asset-inventory, and cl-data-classification.
People controls (A.6, 8 controls). Screening before employment proportionate to role sensitivity; terms and conditions referencing security obligations; awareness and competence (Clause 7.2 + 7.3); disciplinary process; responsibilities after termination/change; confidentiality agreements; remote-working security; event-reporting channels. Maps into cl-awareness, cl-personnel-security, cl-remote-work, and cl-joiner-mover-leaver.
Physical controls (A.7, 14 controls). Perimeters, entry controls, secure offices/rooms/facilities, physical security monitoring (new), protection against environmental threats, working in secure areas, clear desk and clear screen, equipment siting/protection, supporting utilities, cabling security, equipment maintenance, removal of assets, off-premises assets, secure disposal/reuse of equipment, storage media. Less audited at SaaS-only organisations but still in scope where physical premises exist. Maps into cl-physical-security, cl-secure-disposal, and cl-environmental-protection.
Technological controls (A.8, 34 controls). User endpoint devices, privileged access rights, restriction of access, identity, authentication, capacity management, protection against malware, technical vulnerability management, configuration management (new), information deletion (new), data masking (new), DLP (new), information backup, redundancy of information processing facilities, logging, monitoring activities (new), clock synchronisation, use of privileged utility programs, installation of software on operational systems, network security/controls, security of network services, segregation in networks, web filtering (new), use of cryptography, secure development life cycle, application security requirements, secure system architecture and engineering principles, secure coding (new), security testing in development and acceptance, outsourced development, separation of development/test/production, change management, test information, protection of information systems during audit testing. Heavily audited; this is where evidence depth varies widely between certified organisations. Maps into cl-authentication, cl-multi-factor-authentication, cl-malware, cl-vuln-identification, cl-backup, cl-logging, cl-monitoring-activities, cl-cryptography, cl-secure-development, cl-change-management, and cl-data-leakage-prevention.
Risk methodology and treatment. Clause 6.1.2 requires a documented risk assessment methodology that produces consistent, valid, and comparable results across iterations. Clause 6.1.3 requires risk treatment: selection of options (modify, share, retain, avoid), determination of necessary controls, comparison against Annex A as a baseline, and the SoA. The treatment plan must be approved by risk owners. In practice, auditors look for traceability from identified risks → treatment decisions → specific Annex A controls → operational evidence — and find weakness in the linkages most often where the methodology was set years ago and risk assessments are now performed mechanically against the old template.
How auditors test it
Certification audits are conducted by accredited certification bodies (e.g. BSI, DNV, TÜV SÜD, Lloyd's Register, BV) operating under ISO/IEC 17021-1 and accredited by national accreditation bodies (UKAS, ANAB, NABCB, JAS-ANZ). The audit cycle is 3 years:
- Stage 1 audit — documentation review and ISMS readiness check; typically 1–2 days on-site or remote.
- Stage 2 audit — operational effectiveness audit; typically 3–8 days depending on scope and headcount. Results in the certification decision.
- Surveillance audits — annual, smaller scope than Stage 2, sampling critical controls and corrective-action closure.
- Re-certification audit — at year 3, full scope re-audit.
Auditor evidence patterns:
- Documentation review: ISMS scope document, information security policy, risk methodology, risk register, Statement of Applicability, internal audit reports, management review minutes, awareness training records, supplier security register, incident register, change records, vulnerability scan reports, penetration test reports, backup test reports, BCM test reports.
- Sampling: typically 2–5 records per control, across timeframes and across business units/departments.
- Walkthrough: trace an end-to-end scenario — for example a new joiner from HR through identity provisioning, access review, training, and into operations.
- Interviews: top management for leadership clauses; control owners for Annex A controls; users for awareness and operational adherence.
Maturity progression in practice: organisations new to ISO 27001 typically achieve certification at "documented and consistently followed" level. Sustained discipline through surveillance audits drives the next maturity step — metrics-driven control effectiveness, with KPIs feeding management review and corrective action loops. Year-3 re-certification commonly catches organisations that drifted: SoA out of sync with control reality, risk register stale, internal audit findings reopened.
The transition cycle and surveillance dynamics. First-time certification typically takes 9–14 months from initial gap analysis to certificate issuance: 3–4 months building ISMS documentation, 2–3 months running the management system to generate evidence, 1–2 months remediation, then Stage 1 + Stage 2 audits. Cost varies by certification body and scope but is typically £15,000–£60,000 / $20,000–$80,000 for the initial 3-year cycle inclusive of surveillance, with material variation by employee count and number of physical locations. The biggest predictor of audit smoothness is the depth of internal audit performed in the months before Stage 2: organisations that ran a credible internal audit and closed findings before Stage 2 routinely report no major nonconformities; organisations that relied on the external audit to surface gaps routinely accumulate findings that delay certification by 60–120 days.
How it relates to other frameworks
ISO 27001's strength is its position as the lingua franca of security management. Almost every adjacent framework cross-walks to it:
- NIST CSF 2.0 — concept-aligned, not directly mapped. CSF organises by function (Govern/Identify/Protect/Detect/Respond/Recover); ISO 27001 organises by management-system clauses + Annex A controls. NIST publishes informative reference mappings. Both fit together: ISO 27001 = certifiable backbone; CSF = strategic communication layer. ControlForge bridges them through cl-policy, cl-asset-inventory, cl-risk-assessment, and cl-monitoring-activities.
- ISO/IEC 27002:2022 — implementation guidance for Annex A controls. Not certifiable but referenced by auditors and by ControlForge synthesis.
- ISO/IEC 27017 (cloud) and ISO/IEC 27018 (cloud PII) — sector extensions. Auditable jointly with 27001 by accredited bodies.
- ISO/IEC 27701:2025 — privacy information management, now a standalone certification. Historically layered on top of 27001; the 2025 edition decoupled it. Cross-walks GDPR Articles 5–32 and Indian DPDPA controls.
- ISO/IEC 42001:2023 — AI management system. Same Harmonized Structure as 27001; reuses Clauses 4–10 substantially.
- SOC 2 Trust Services Criteria — concept-overlap, control-overlap, but different audit regimes (AICPA attestation vs accredited certification). Many organisations hold both: SOC 2 for US sales motion, ISO 27001 for EMEA/APAC.
- SEBI CSCRF — ISO 27001 certification is recognised as equivalent for specific control sets under the Aug 2025 technical clarifications.
- PCI DSS v4.0.1 — payment-card-specific; ISO 27001 covers the general security baseline that PCI assumes but does not test directly.
- EU NIS 2 / DORA / GDPR — non-certifiable regulations that use ISO 27001 as the underlying ISMS evidence base.
Increasingly, EU DORA (Digital Operational Resilience Act, applicable from January 2025) and NIS 2 (transposed into Member State law through 2024–2025) treat ISO 27001 certification as material evidence of operational resilience and risk-management practice. Neither regulation prescribes ISO 27001 certification, but both reference its risk-management methodology and control taxonomy. For EU-regulated entities in scope of DORA (financial services), the management-system overhead of running ISO 27001 yields direct DORA evidence value — the same scope, controls, and audit cycle that produce the ISO certificate produce a substantial portion of DORA's required ICT risk-management documentation.
Most cross-framework density in ControlForge sits in the organisational controls (A.5) and technological controls (A.8) themes. People (A.6) and physical (A.7) controls have lower cross-framework redundancy because adjacent frameworks (NIST CSF, SOC 2) treat people and physical security at coarser granularity.
Common pitfalls
Five recurring failure patterns auditors find:
- Statement of Applicability out of sync with operational reality. SoA lists controls "applicable" but the implementation evidence is thin or absent. Common with the 2022 new controls (A.5.7 threat intelligence, A.8.16 monitoring activities, A.8.28 secure coding) — SoA carries them through inertia from earlier templates without genuine implementation. Fix: SoA review tied to internal audit cycle, not annual refresh in isolation.
- Risk methodology disconnect. Risks identified in the register; Annex A controls listed in SoA; but no traceable link between specific risks and the specific controls treating them. Auditor question that exposes this: "Show me the risks that drove your decision to make A.8.12 (DLP) applicable." Fix: explicit risk-treatment plan linking each control selection to specific risks.
- Performative internal audit. Internal audit conducted by the same team that operates the controls; findings light; corrective actions closed by self-attestation. Surveillance auditors flag this consistently. Fix: independent internal audit (different reporting line, different personnel from operations); rotation across Annex A themes year-over-year.
- Supplier security inventory missing the long tail. Top-10 critical suppliers documented; the other 200 invisible. The 2022 standard sharpened supplier security (A.5.19–A.5.22) and auditors are testing for it. Fix: integrated supplier register tied to procurement; tiered due diligence proportionate to data sensitivity.
- Climate-change determination skipped or boilerplate. Amendment 1:2024 added the requirement in February 2024; many organisations either ignored it or copy-pasted a "not relevant" line without analysis. Auditors from May 2024 onwards check the determination. Fix: documented analysis at Clauses 4.1 and 4.2 reviewing climate-related risks to information processing (data-centre cooling, geographic risk, regulatory-driven sustainability requirements from buyers).
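The traceability chain from the risk-methodology section (risk → treatment decision → Annex A control → evidence) and the first two pitfalls above can be checked mechanically. The following is an added example, not ControlForge tooling or text from the standard; the register, SoA rows and evidence references are constructed, and the data model (a `Risk` with selected controls, a `SoaEntry` with evidence) is an assumption about how an ISMS keeps these records.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One row of the Clause 6.1.2 risk register (assumed shape)."""
    risk_id: str
    description: str
    treatment: str                     # Clause 6.1.3 option: modify / share / retain / avoid
    controls: list = field(default_factory=list)   # Annex A ids selected to treat this risk


@dataclass
class SoaEntry:
    """One row of the Clause 6.1.3(d) Statement of Applicability (assumed shape)."""
    control_id: str
    applicable: bool
    justification: str
    evidence: list = field(default_factory=list)   # references to operational evidence


# Constructed sample data, not from any real ISMS. It deliberately contains the gaps
# the text describes: a 2022 control carried through template inertia, an applicable
# control with nothing to sample, and an excluded control that a treatment plan relies on.
RISKS = [
    Risk("R-01", "Customer data exfiltrated via email or SaaS upload", "modify",
         ["A.8.12", "A.8.16"]),
    Risk("R-02", "Ransomware destroys production and backups", "modify",
         ["A.5.30", "A.8.16"]),
    Risk("R-03", "Hosting supplier compromised", "share", ["A.5.19"]),
    Risk("R-04", "Legacy endpoints still negotiate TLS 1.0", "modify", ["A.8.24"]),
]
SOA = [
    SoaEntry("A.8.12", True, "DLP selected to treat R-01", ["dlp-policy-export-2026-04"]),
    SoaEntry("A.8.16", True, "Monitoring selected for R-01, R-02", ["siem-usecase-list-2026-03"]),
    SoaEntry("A.5.30", True, "ICT readiness selected for R-02", []),   # applicable, no evidence
    SoaEntry("A.5.7", True, "Threat intelligence", []),                # no risk drove it
    SoaEntry("A.8.24", True, "Cryptography policy", ["tls-scan-2026-05"]),
    SoaEntry("A.5.19", False, "", []),                                 # excluded, unjustified
]


def risks_driving(control_id, risks=RISKS):
    """Answer the auditor's question: which risks made this control applicable?"""
    return [r.risk_id for r in risks if control_id in r.controls]


def check_traceability(risks=RISKS, soa=SOA):
    """Return the traceability gaps an auditor would sample for, keyed by gap type."""
    by_id = {e.control_id: e for e in soa}
    driven = {c for r in risks for c in r.controls}
    return {
        # SoA says applicable, but no risk-treatment decision selected the control
        "applicable_without_risk": sorted(
            e.control_id for e in soa if e.applicable and e.control_id not in driven),
        # SoA says applicable, but there is no operational evidence to sample
        "applicable_without_evidence": sorted(
            e.control_id for e in soa if e.applicable and not e.evidence),
        # a treatment plan relies on a control the SoA excludes or does not list
        "risk_relies_on_excluded": sorted(
            {c for r in risks for c in r.controls if c not in by_id or not by_id[c].applicable}),
        # Clause 6.1.3(d) requires a justification for exclusions as well as inclusions
        "excluded_without_justification": sorted(
            e.control_id for e in soa if not e.applicable and not e.justification.strip()),
    }


if __name__ == "__main__":
    for gap, ids in check_traceability().items():
        print(f"{gap}: {', '.join(ids) or 'none'}")
    print("risks driving A.8.12:", risks_driving("A.8.12"))
```

Run against a real register and SoA export, the four lists are the findings to close before Stage 2, and `risks_driving` gives the answer to the "show me the risks" question for any control.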
Four further patterns worth flagging:
- Management review reduced to a calendar event. Held quarterly; agenda templated; outputs vague. The review must demonstrably consider performance metrics, internal audit results, risk changes, and continual improvement opportunities — and produce actions. Fix: structured agenda mapped to Clause 9.3 inputs and outputs; minute the decisions, not the discussion.
- Cryptography drift. Cryptography policy approved years ago; current systems still using TLS 1.0/1.1 in legacy paths, MD5 or SHA-1 in security-sensitive uses, or unrotated keys. A.8.24 (cryptography) is tested via SSL Labs-style scans on internet-facing endpoints in modern audits.
- Awareness training one-and-done. Annual mandatory training delivered; no role-specific content for developers, administrators, or executives; no measurement of effectiveness beyond completion rate. A.6.3 (awareness, education, training) is increasingly tested against measurable outcomes — phishing-simulation click rates, role-specific competency, refresher cadence — rather than just attendance records.
- ICT readiness (A.5.30) treated as IT availability rather than information security continuity. A.5.30 is a new 2022 control specifically about ICT readiness for business continuity — designed to harmonise with ISO 22301 (BCM standard). Auditors find organisations conflating it with general BCP/DR, missing the information-security-specific scenarios (ransomware, destructive attack, supply-chain compromise). Fix: explicit ICT readiness analysis covering cyber-specific scenarios with documented recovery objectives and tested procedures.
When to use this framework
ISO 27001 is the right anchor when:
- You sell to enterprise buyers in EMEA, APAC, or regulated US sectors — RFP screening pass-rates jump with certification.
- You're building a multi-regime compliance programme — ISO 27001 is the management-system backbone that ISO 27701, ISO 42001, SOC 2, SEBI CSCRF, and NIST CSF all plug into without duplication.
- You need a recognised standard for board-level reporting — the management-system structure is naturally board-readable.
- You're a SaaS provider mid-stage — Series B onwards is the typical sweet spot; pre-Series B the cost-benefit is weaker unless a specific contract demands it.
ISO 27001 is less appropriate as the primary framework when:
- You operate exclusively in US enterprise B2B — SOC 2 Type II often gets you further with less audit overhead.
- You're a regulated entity with a sectoral framework that supersedes — RBI ITGRCA, SEBI CSCRF, IRDAI 2026 take primacy; ISO 27001 layers underneath for control-set credit, not above.
- You're a small organisation (<25 staff) without procurement-driven need — the management-system overhead is disproportionate; lighter alternatives (Cyber Essentials Plus in UK, baseline CIS Controls) may serve.
Further reading
- ISO/IEC 27001:2022 standard purchase — https://www.iso.org/standard/27001
- ISO/IEC 27001:2022/Amd 1:2024 (climate action) — https://www.iso.org/standard/88435.html
- ISO/IEC 27002:2022 implementation guidance — https://www.iso.org/standard/75652.html
- IAF MD 5:2019 (audit duration determination) — https://iaf.nu/
- ISO/IEC 17021-1:2015 (certification body requirements) — https://www.iso.org/standard/61651.html
- National accreditation bodies: UKAS (UK), ANAB (US), NABCB (India), JAS-ANZ (Australia/NZ).
This guide is a practitioner reference, not certification or legal advice. It reflects ISO/IEC 27001:2022 with Amendment 1:2024 and publicly available guidance as of 23 May 2026. Compliance teams should validate against the source standard and engagement-specific certification body requirements.