What is ISO 27001? A Plain Guide to the ISMS Standard
ISO/IEC 27001 is the international standard that specifies the requirements for an Information Security Management System, or ISMS. It is the most widely recognized way for an organization to prove, to itself and to others, that it manages information security in a structured, repeatable way rather than by good intentions.
The standard is deliberately generic. It applies to any organization, regardless of type, size, or sector, and it scales to the needs of the business adopting it.
What ISO 27001 is, and what an ISMS is
An Information Security Management System is a systematic approach to managing sensitive information so that it stays secure. It covers people, processes, and technology, and it ties them together with a formal risk management process. The goal is to preserve the confidentiality, integrity, and availability of information, and to give customers, regulators, and partners confidence that risks are actually being managed.
The heart of the standard is a management system, not a list of technical fixes. Adopting an ISMS is described as a strategic decision, because it has to be integrated into how the organization is run, not bolted on as an IT project.
[[INSIGHT: The single most useful idea in ISO 27001 is that security becomes a managed system with owners, evidence, and review cycles. That is what turns a pile of controls into something a customer can trust and an auditor can verify.]]
The management system: Clauses 4 to 10
The requirements live in Clauses 4 through 10. Excluding any of them is not acceptable when an organization claims conformity to the standard. Together they form a continual improvement loop: understand the context, lead, plan, support, operate, evaluate, and improve.
Annex A: the control set
Beyond the management-system clauses, ISO 27001 includes Annex A, a reference set of information security controls drawn from ISO/IEC 27002:2022. The 2022 version has 93 controls, organized into four themes.
| Annex A theme | Annex A clause | Controls |
|---|---|---|
| Organizational | 5 | 37 |
| People | 6 | 8 |
| Physical | 7 | 14 |
| Technological | 8 | 34 |
| Total | 5-8 | 93 |
You do not apply all 93 by default. You select the controls your risk treatment calls for, then check them against Annex A to make sure none were missed. The controls you choose, and the ones you leave out, are recorded with justification in the Statement of Applicability.
From risk assessment to the Statement of Applicability
The standard is risk-driven. Clause 6.1.2 requires a repeatable risk assessment, and Clause 6.1.3 requires a risk treatment process that selects controls to address those risks. The output is the Statement of Applicability, the document an auditor will reach for first.
- Risk assessment (Clause 6.1.2): define a repeatable process, identify risks to confidentiality, integrity, and availability, assign risk owners, and evaluate likelihood and consequence to prioritize.
- Risk treatment (Clause 6.1.3): select treatment options, determine the necessary controls, compare them against Annex A so none are missed, and record decisions in the Statement of Applicability.
[[EXAMPLE: A 40-person software company scopes its ISMS to its product and customer data, assesses risks, selects 60 of the 93 Annex A controls, and documents in the Statement of Applicability why the other 33 do not apply. That single document carries most of a Stage 1 audit.]]
See it in action: the ISMS at work
An ISMS earns its keep in the moments that decide deals and contain incidents. The scenarios below are illustrative, but every step maps to a real ISO 27001 requirement or control.
Scenario 1: a buyer's security questionnaire
Without an ISMS:
- Evidence is scattered across teams and inboxes.
- Answers to the questionnaire are inconsistent.
- The review drags on and the deal stalls.
With an ISMS:
- SoA: The Statement of Applicability lists every control and its status.
- Cl. 9: Internal audit and management review evidence is ready.
- Cert: The certificate satisfies the buyer’s requirement and the deal proceeds.
Scenario 2: a lost device
Without an ISMS:
- There is no asset inventory, so no one is sure what was on it.
- There is no incident or improvement process.
- The same gap causes a repeat months later.
With an ISMS:
- A.5.9: The asset inventory shows exactly what the device held.
- A.8.24: Encryption limits what an attacker can actually read.
- Cl. 10: Corrective action closes the gap so it does not recur.
How to get certified
Certification is a formal, audited process. The typical path runs through two audit stages, then ongoing surveillance.
After certification, the organization continues to run internal audits and management reviews, because the standard requires the ISMS to be maintained and continually improved, not certified once and forgotten.
Key takeaways
- ISO 27001 certifies a management system, the ISMS, not a one-time checklist.
- Clauses 4 to 10 are mandatory. You cannot pick and choose among them.
- Annex A offers 93 controls in four themes. You select what your risk treatment needs and justify the rest in the Statement of Applicability.
- The Statement of Applicability is the central evidence document, and certification is an ongoing cycle, not a single event.
Frequently asked questions
Is ISO 27001 certification required by law?
No. It is voluntary. But customers, partners, and contracts frequently require it, so in practice it is often a condition of doing business.
How many controls are in Annex A?
The 2022 version has 93 controls across four themes: Organizational (37), People (8), Physical (14), and Technological (34).
What is the Statement of Applicability?
A required document that lists the necessary controls, the justification for including them, whether each is implemented, and the justification for excluding any Annex A control.
Can we exclude requirements we do not like?
No. Excluding any of the requirements in Clauses 4 to 10 is not acceptable when you claim conformity. You can, however, justify excluding individual Annex A controls in the Statement of Applicability.