ISO 27001 Certification: How It Works
ISO 27001 is the international standard for managing information security, and certification is how you prove to clients and partners that you take it seriously. Unlike a one-time checklist, ISO 27001 asks you to build a living system, an Information Security Management System, or ISMS, that runs a risk management process and improves itself over time. Certification is the external confirmation that the system exists and works.
The standard is precise about what that system must contain. It is laid out in seven mandatory clauses, and you cannot skip any of them and still claim conformity.
The path through Clauses 4 to 10
Certification is really a tour through the mandatory clauses. Each one builds on the last, from understanding your context to continually improving the whole system.
Annex A: the control catalog
| Annex A theme | Controls | Covers |
|---|---|---|
| Organizational | 37 | Policies, roles, asset management, supplier relationships, incident planning |
| People | 8 | Screening, terms of employment, awareness training, remote working |
| Physical | 14 | Security perimeters, entry controls, equipment siting, storage media |
| Technological | 34 | Access rights, malware protection, cryptography, secure development |
Clauses 4 to 10 are the management system. Annex A is the menu of security controls you draw from to treat your risks. The 2022 version organizes 93 controls into four themes, and the Statement of Applicability is where you record which ones you chose and why.
People think ISO 27001 is about the 93 controls in Annex A. It is not. It is about Clauses 4 to 10, the management system that decides which controls you need and proves you keep using them. The controls are the easy part. The system that governs them is the certification.
- ISO 27001 certifies an Information Security Management System, not a one-time checklist.
- Clauses 4 to 10 are mandatory: context, leadership, planning, support, operation, evaluation, improvement.
- The risk assessment and treatment process drives which controls you implement.
- Annex A holds 93 controls across organizational, people, physical, and technological themes.
- The Statement of Applicability records which controls you chose, and why you excluded the rest.
Frequently asked questions
What is ISO 27001 certification?
ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). Organizations build an ISMS and are certified by an external body to assure clients their information security processes are managed systematically.
What are the mandatory clauses of ISO 27001?
Clauses 4 to 10: context, leadership, planning, support, operation, performance evaluation, and improvement. Excluding any of these is not acceptable when claiming conformity.
What is the Statement of Applicability?
A required document listing the controls you determined necessary, the justification for including them, whether each is implemented, and the justification for excluding any Annex A control.
How many Annex A controls are there?
The 2022 version has 93 controls across four themes: 37 organizational, 8 people, 14 physical, and 34 technological. They are aligned with ISO/IEC 27002:2022.