Category / Standard

ISO/IEC 27001: complete guide, articles and resources

Information Security — expert articles, practical resources, and solutions to structure your certification project.

Version
ISO/IEC 27001:2022
Type
Certifiable standard
Articles
0 published
Definition

What is the ISO/IEC 27001 standard?

The ISO/IEC 27001 standard defines the requirements of an information security management system (ISMS). First published in 2005 and revised in 2022, it is the global benchmark for protecting data and information assets.

The standard is built on information security risk analysis, the definition of security objectives, and the implementation of 93 security controls (Annex A) covering organisational, people, physical, and technological aspects. It adopts the High Level Structure, making it compatible with ISO 9001 and ISO 14001.

The 2022 version deeply restructured Annex A: down from 114 to 93 controls, reorganised into 4 themes, and added explicit coverage of cloud security, threat intelligence, application security, and privacy. A transition period applies to organisations still certified under the 2013 version.

Who is ISO/IEC 27001 for?

The standard targets any organisation that handles sensitive information: software companies, hosting providers, SaaS vendors, banks, insurance, healthcare, telecoms, government agencies. It is increasingly required by enterprise customers and regulators (SOC 2 alignment, NIS 2 in Europe, US federal contracts).

Why get certified?

ISO 27001 certification helps to meet contractual requirements (RFPs, federal contracts), structure cybersecurity governance, reduce breach and ransomware risk, align with SOC 2, HIPAA, and NIS 2, and build trust with customers and partners.

Version
ISO/IEC 27001:2022
Certified
70,000+
Validity
3 years
Avg. timeline
6 to 12 months
Articles & guides

All our articles on ISO/IEC 27001

Articles coming soon. In the meantime, here is a selection from related standards.
Frequently asked questions

Everything you need to know about ISO/IEC 27001

What's new in ISO 27001:2022?
The 2022 version reduced controls from 114 to 93, reorganised into 4 themes (organisational, people, physical, technological). It introduces 11 new controls covering cloud security, threat intelligence, data leakage prevention, application security, and privacy.
How does ISO 27001 relate to SOC 2?
ISO 27001 is a certifiable international standard. SOC 2 is a US attestation framework based on the AICPA Trust Services Criteria. The two overlap heavily but are not equivalent. Many organisations pursue both for global and US market credibility.
Is ISO 27001 mandatory for NIS 2?
NIS 2 does not formally require ISO 27001, but the certification is widely recognised as an efficient way to demonstrate compliance with the cybersecurity measures the directive requires.
How much does ISO 27001 certification cost?
For a mid-sized company, expect $10,000 to $30,000 for the initial audit depending on scope. Implementation costs (consulting, documentation kit, security tooling) vary significantly with starting maturity.
How long does it take to obtain ISO 27001 certification?
Expect 6 to 12 months, sometimes more for organisations without prior security culture. Risk assessment and technical control implementation are the most time-consuming phases.

Ready to start your ISO/IEC 27001 project?

Download the documentation kit or speak with a consultant during a free 30-minute consultation.