HomeInfosec Essentials

ISO 27001: What It Is and How Certification Works

July 10, 2026
1 min
ISO 27001: What It Is and How Certification Works
In This Article
Key takeaways:
  • ISO 27001 defines requirements for an information security management system (ISMS), a risk-based framework organizations can be formally certified against.
  • The 2022 revision organizes Annex A into 93 controls across four themes, replacing the 2013 version's 114 controls across 14 domains.
  • Certification requires a two-stage audit and stays valid for three years, subject to annual surveillance audits and a full recertification cycle.
  • No public registry lists every ISO 27001 certified company, so verifying a vendor's claim means checking the certificate directly.
  • New 2022 controls like data masking and data leakage prevention target exactly the data visibility gap that shadow AI use widens.

What Is ISO 27001?

ISO 27001 is the international standard specifying requirements for building and operating an information security management system (ISMS), a risk-based framework of policies and controls that protects sensitive information.

Organizations can pursue formal certification against it, unlike related standards that offer guidance only. The 2022 revision added controls for cloud services and data handling risks the prior version did not address.

ISO 27001, formally ISO/IEC 27001, traces its origin to the British Standard BS 7799, first published in 1995. The International Organization for Standardization and the International Electrotechnical Commission adopted it as a joint international standard in 2005, then revised it in 2013 and again in 2022, broadening its formal scope to span information security, cybersecurity, and privacy protection rather than IT security alone.

Unlike a data compliance requirement tied to one law or industry, ISO 27001 applies across sectors, including technology companies, healthcare providers, financial institutions, government agencies, and cloud service providers all use it to structure their information security programs.

The standard does not mandate specific technology. Instead, it requires organizations to run a management system, meaning documented policies, defined roles, ongoing risk assessment, and evidence that controls actually operate as intended, which is what separates ISO 27001 certification from simply following a security checklist.

How ISO 27001 Works: Risk Assessment and Annex A Controls

ISO 27001 works by requiring organizations to run a continuous risk assessment and treatment cycle, then select controls to address the risks identified, rather than following a fixed checklist. Under clauses 6.1.2 and 6.1.3, organizations identify information security risks against defined criteria, analyze and evaluate them, then choose a risk treatment option: mitigate, avoid, transfer, or accept. For every risk an organization decides to mitigate, it selects a control, drawing on Annex A as the standard's reference set but not limited to it.

Annex A in the current ISO/IEC 27001:2022 version contains 93 controls organized into four themes, down from 114 controls across 14 domains in the 2013 edition. No organization is required to implement every control. Instead, each inclusion or exclusion decision, along with its justification, must be recorded in the Statement of Applicability (SoA), a mandatory deliverable under clause 6.1.3(d) and the document auditors reference most often during certification.

Annex A themeNumber of controlsWhat it covers
Organizational37Policies, roles, supplier relationships, threat intelligence, cloud services security
People8Screening, training, remote working, disciplinary process
Physical14Secure areas, equipment, physical security monitoring
Technological34Access control, cryptography, data masking, data leakage prevention, monitoring activities

The 2022 revision introduced 11 new controls, including data masking, information deletion, data leakage prevention, and monitoring activities: additions that reflect how much of today's information security risk lives in data movement rather than network perimeters.

ISO 27001 Certification and Accreditation: How the Audit Process Works

ISO 27001 certification confirms, through independent third-party audit, that an organization's ISMS meets the standard's requirements and is actually operating as documented.

The process includes:

  • An optional gap analysis
  • A mandatory two-stage initial audit

Stage 1 is a documentation and readiness review: the auditor checks the ISMS scope, policy, risk assessment, Statement of Applicability, and risk treatment plan.

Stage 2 tests whether the ISMS is implemented and effective in practice, not just documented on paper

A passed Stage 2 audit results in a certificate valid for three years, subject to annual surveillance audits and a full recertification audit before expiry. Certification bodies do not certify themselves. They must hold accreditation from a national accreditation body, UKAS in the U.K. or ANAB in the U.S., operating under ISO/IEC 17021-1 and ISO/IEC 27006, and accredited certificates carry mutual recognition internationally through the International Accreditation Forum's Multilateral Recognition Arrangement.

That accreditation chain is what separates a genuinely ISO 27001 accredited certificate from one issued by an unaccredited body, a distinction worth checking before treating one vendor's certification claim as equivalent to another's.

Timelines vary. A well-prepared organization, particularly one with existing ISO 9001 experience, can sometimes complete initial certification in two to three months, though six months or longer is common for organizations building an ISMS from scratch.

Why ISO 27001 Matters for Data Security

ISO 27001 matters for data security because it forces organizations to document where their information security responsibilities actually begin and end, then prove those controls work.

Regulators and customers increasingly treat certification as a baseline signal of due diligence: it supports data governance programs, helps demonstrate alignment with regulations like GDPR, and gives procurement teams a recognized answer when a customer or partner asks how sensitive data is protected.

Several Annex A controls, particularly around access control and identity verification, also reflect zero trust principles such as least-privilege access and strict identity checks before a request reaches sensitive data.

The harder problem for enterprise organizations in 2026 is not the paperwork, it is scope. Most ISO 27001 programs are built around the sanctioned SaaS and cloud stack an organization audited when it built its Statement of Applicability. But employees now regularly move regulated data outside that documented boundary: pasting source code or customer records into public AI assistants, using browser-based AI extensions with standing access to sensitive tabs, or letting agentic workflows query internal data stores without an audit trail. Security teams often describe this pattern as shadow AI, and none of that activity is likely to surface in a policy review, yet all of it falls within the information security risks Clause 6 and Annex A's technological controls were written to cover.

The real ISO 27001 gap for many organizations today is not a missing control on paper, it is the distance between what a security team believes is in scope for its ISMS and where sensitive data is actually flowing in practice.

Common Challenges in ISO 27001 Certification

Organizations preparing for ISO 27001 certification consistently underestimate a few things:

  • Scope creep after certification: Many organizations treat Stage 2 as the finish line, then skip the internal audits and management reviews that keep the ISMS current, one of the most common reasons certificates lapse at recertification.
  • Key personnel turnover: When the person who built the ISMS and owns the Statement of Applicability leaves, institutional knowledge of why specific controls were excluded often leaves with them.
  • Treating Annex A as a checklist: Some teams implement all 93 controls regardless of relevance, adding overhead without reducing risk, rather than using the risk assessment to decide which controls actually apply.
  • Assuming certification proves a specific vendor's security: There is no public, central registry of ISO 27001 certified companies. Verifying a claim requires checking the certificate itself or contacting the certification body that issued it, not taking a logo on a website at face value.
  • Ignoring environmental change: New cloud services, acquisitions, or AI tools adopted after certification can quietly expand the organization's actual risk surface beyond what the original risk assessment covered.

ISO 27001 vs. SOC 2 and ISO/IEC 42001: How the Standards Relate

ISO/IEC 27001 is frequently compared to SOC 2, and increasingly to ISO/IEC 42001, because organizations often need more than one to satisfy different customers and regulators.

ISO 27001SOC 2
Type of assuranceCertification against an international standardAttestation report against Trust Services Criteria
Governing bodyISO and IEC (international)AICPA (United States based)
ScopeFull information security management systemSecurity, plus up to four optional criteria
ValidityThree years, with annual surveillance auditsTypically renewed every 12 months
Global recognitionBroad, especially outside the United StatesStrongest in the United States market

Neither standard replaces the other. A company selling into European or government procurement channels often needs ISO 27001; a company selling primarily to United States enterprise customers often needs SOC 2 as well, and many organizations maintain both.

ISO/IEC 42001, published in 2023, is a newer and separate standard: the first international standard specifying requirements for an AI management system, covering how an organization governs the development and use of artificial intelligence rather than information security broadly. It shares structural similarities with ISO 27001, including a Statement of Applicability style approach to controls, which makes the two standards easier to run in parallel than most coverage of either one acknowledges. For an organization already managing an ISMS, extending governance to cover AI systems through ISO/IEC 42001 closes a gap that ISO 27001 alone was never designed to address.

How to Prepare for ISO 27001 Certification

Organizations preparing for ISO 27001 certification typically follow a similar sequence, regardless of certification body:

  1. Define the ISMS scope
    Decide which parts of the organization, which locations, and which systems the certification will cover.
  2. Run a risk assessment
    Identify information security risks against documented criteria, then analyze and evaluate each one.
  3. Build the Statement of Applicability
    Select the Annex A controls that apply, document why others do not, and record supporting evidence.
  4. Implement the controls and train staff
    Roll out policies, technical controls, and awareness training, then let the ISMS operate long enough to generate audit evidence.
  5. Run an internal audit and management review
    Test the ISMS against its own documentation before an external auditor does.
  6. Complete Stage 1 and Stage 2 audits

Address any nonconformities the certification body identifies, then receive the certificate.

  1. Maintain the ISMS
    Schedule annual surveillance audits and update the risk assessment as new systems, vendors, or AI tools enter the environment.

Organizations still operating under an ISO/IEC 27001:2013 certificate should note that the transition deadline to the 2022 version was 31 October 2025. Certificates that did not migrate by that date expired, and those organizations must restart the certification process rather than simply update a document.

How Cyberhaven Addresses ISO 27001 Data Security Requirements

Cyberhaven addresses the data-centric side of ISO 27001 compliance through a unified AI and data security platform that combines data discovery, data loss prevention, and AI activity monitoring to close the gap between what an ISMS documents and where sensitive data actually moves. Unlike tools that address individual Annex A controls in isolation, Cyberhaven's platform tracks data from creation through every copy, transformation, and destination, giving security and compliance teams a live record they can map directly to the data leakage prevention, monitoring activities, and information deletion controls introduced in the 2022 revision.

Data Security Posture Management (DSPM) capabilities discover and classify sensitive data, including data classification, across cloud and SaaS environments, supporting the risk assessment and Statement of Applicability work that underpins every ISO 27001 audit. Data Lineage traces how that data moves and transforms over time, producing the kind of evidence auditors look for during Stage 2 testing. AI Security extends that visibility to AI assistants, browser extensions, and agentic workflows, the exact activity most ISMS scope documents do not yet account for.

Frequently Asked Questions

What is ISO 27001?

ISO 27001 is the international standard that specifies requirements for establishing and operating an information security management system (ISMS). It gives organizations a risk-based framework for protecting sensitive information, and organizations can pursue formal third-party certification against it. The current version, ISO/IEC 27001:2022, includes updated Annex A controls addressing cloud services, data masking, and data leakage prevention.

What does ISO 27001 accreditation mean?

ISO 27001 accreditation refers to the certification body itself, not the organization being audited. A certification body becomes accredited when a national accreditation body, such as UKAS in the United Kingdom or ANAB in the United States, confirms it meets ISO/IEC 17021-1 and ISO/IEC 27006 requirements. Choosing an accredited certification body ensures the resulting certificate carries international recognition through the IAF Multilateral Recognition Arrangement.

How do organizations become ISO 27001 certified?

Organizations become ISO 27001 certified by building an ISMS, completing a risk assessment, documenting a Statement of Applicability, and passing a two-stage audit performed by an accredited certification body. Stage 1 reviews documentation and readiness; Stage 2 tests whether the ISMS operates as documented. A passed audit results in a certificate valid for three years, subject to annual surveillance audits.

How can I verify if a company is ISO 27001 certified?

There is no public, central registry listing every ISO 27001 certified company. Verifying a certification claim requires checking the certificate itself, which lists its scope, issuing certification body, and expiry date, or contacting that certification body directly to confirm the certificate is current and has not lapsed.

What is the difference between ISO/IEC 27001 and ISO/IEC 27002?

ISO/IEC 27001 specifies the requirements for an ISMS and is the only standard in the family an organization can be formally certified against. ISO/IEC 27002 provides implementation guidance for the Annex A controls that ISO 27001 references, but it is a guidance document, not a certifiable standard on its own.

Is ISO 27001 outdated?

No. ISO 27001 was most recently revised in 2022, adding controls for cloud services, threat intelligence, and data handling risks that the 2013 edition did not cover. Organizations still certified under the 2013 version needed to transition by 31 October 2025, and the standard continues to be maintained and updated by the International Organization for Standardization and the International Electrotechnical Commission.