ISO 27001 Implementation: Information Security Management System

Complete ISO 27001:2022 implementation guide covering ISMS scope, risk assessment, Annex A controls, certification audit process, and ongoing management requirements.

ECOSIRE Research and Development Team
March 19, 2026 | 13 min read | 2.8k words

Part of our Compliance & Regulation series


ISO 27001 is the world's most widely recognised information security management standard, with over 70,000 organisations certified globally. Unlike prescriptive regulations such as GDPR or PCI DSS, ISO 27001 provides a risk-based framework for systematic information security management — adaptable to organisations of any size, industry, or geography. A valid ISO 27001 certification signals to customers, partners, regulators, and insurers that your organisation manages information security risks through a structured, audited, and continuously improving management system.

The current version is ISO/IEC 27001:2022, published in October 2022, which replaced ISO/IEC 27001:2013. Organisations with 2013 certifications had until October 31, 2025 to transition to the 2022 version. All new certifications are issued against 2022.

Key Takeaways

  • ISO 27001:2022 reduced Annex A controls from 114 to 93, reorganised into four themes: Organisational (37), People (8), Physical (14), Technological (34)
  • New 2022 controls include: threat intelligence, ICT readiness for business continuity, physical security monitoring, secure coding, web filtering, DLP, and data masking
  • The ISMS (Information Security Management System) must be scoped, documented, risk-assessed, and certified by an accredited certification body
  • Certification requires: Stage 1 (documentation review) and Stage 2 (implementation audit) — typically 3–6 months from readiness to certification
  • Continuous improvement is mandatory: quarterly internal audits, annual management review, three-year certification cycle with annual surveillance audits
  • Statement of Applicability (SoA) is the critical document linking your risk treatment decisions to Annex A controls
  • ISO 27001 certification is increasingly required for EU public procurement, enterprise sales, and insurance underwriting

ISO 27001 Framework Structure

ISO 27001:2022 follows the High-Level Structure (HLS) — the common framework shared by all ISO management system standards (ISO 9001, ISO 14001, ISO 22301, etc.). This enables integrated management systems for organisations implementing multiple ISO standards simultaneously.

Main clauses (4–10) — mandatory requirements:

Clause                            Topic
4. Context of the Organisation    Understanding internal/external context, interested parties, scope
5. Leadership                     Top management commitment, ISMS policy, roles and responsibilities
6. Planning                       Risk assessment, risk treatment, Statement of Applicability, objectives
7. Support                        Resources, competence, awareness, communication, documented information
8. Operation                      Risk treatment implementation, operational planning and control
9. Performance Evaluation         Monitoring, measurement, internal audit, management review
10. Improvement                   Nonconformities, corrective actions, continual improvement

Annex A — Reference control objectives: 93 controls across four themes that represent best practice security controls. The SoA determines which Annex A controls apply to your ISMS scope.


Step 1 — Define ISMS Scope

The scope defines the boundaries of your ISMS — what is included and excluded. Scope decisions fundamentally affect the cost and complexity of certification.

Scope definition considerations:

  • Geographic boundaries: specific offices, data centres, remote workers
  • Organisational boundaries: specific business units, departments, or subsidiaries
  • Information assets in scope: specific systems, data sets, processes
  • Interfaces with out-of-scope systems and third parties

Common scoping approaches:

Narrow scope: Cover only the systems and processes directly related to a specific customer segment or product. Faster and cheaper to certify but limited assurance value to customers.

Broad scope: Cover the entire organisation. Maximum assurance but highest implementation cost.

Cloud-hosted service scope: For SaaS companies, scope typically covers the cloud infrastructure, application code, and operational processes supporting the service — leveraging cloud provider SOC 2/ISO 27001 certifications for physical and infrastructure controls.

The scope must be documented and included in certification documentation. Auditors will test controls within the scope boundary and verify interfaces with out-of-scope elements.


Step 2 — Information Security Risk Assessment

Risk assessment (Clause 6.1.2) is the methodological foundation of ISO 27001. The clause requires the organisation to:

  1. Define and apply a documented information security risk assessment process
  2. Identify risks associated with loss of confidentiality, integrity, and availability of information within the ISMS scope
  3. Analyse and evaluate the identified risks

Asset-based risk assessment approach:

  1. Asset inventory: List all information assets within scope (systems, databases, physical documents, people, processes, third-party services)
  2. Threat identification: For each asset, identify potential threats (external attack, insider threat, accidental deletion, hardware failure, natural disaster, etc.)
  3. Vulnerability identification: Identify vulnerabilities that could be exploited by threats (unpatched software, weak passwords, lack of access controls, etc.)
  4. Impact assessment: For each threat/vulnerability combination, assess the potential impact to confidentiality, integrity, and availability using a defined scale (e.g., 1–5)
  5. Likelihood assessment: Assess the probability of the threat exploiting the vulnerability using a defined scale
  6. Risk rating: Calculate risk = Impact × Likelihood. Establish risk acceptance criteria (e.g., risks above a certain score require treatment)

Risk register format:

Asset               Threat         Vulnerability        Impact  Likelihood  Risk Score  Treatment
Customer database   SQL injection  Unvalidated inputs   5       3           15          Mitigate (WAF + input validation)
Employee laptops    Theft          No disk encryption   4       2           8           Mitigate (full disk encryption)
Production server   Ransomware     No offline backup    5       2           10          Mitigate (offline backup + EDR)

Step 3 — Risk Treatment Plan and Statement of Applicability

For each risk above your acceptance threshold, select a risk treatment option:

  • Mitigate: Implement security controls to reduce the risk
  • Accept: Document acceptance of the risk (typically for low-impact, low-likelihood risks)
  • Transfer: Transfer risk to a third party (insurance, outsourcing)
  • Avoid: Discontinue the activity that generates the risk

Statement of Applicability (SoA): The central compliance document. For each of the 93 Annex A controls, the SoA records:

  • Whether the control is applicable to your scope
  • Whether it is currently implemented
  • Justification for inclusion or exclusion

The SoA is what auditors scrutinise most closely. Every exclusion must be justified — and justified convincingly. Common legitimate exclusions: Physical security controls for cloud-only organisations (data centres managed by cloud provider), supplier management controls if no significant third-party relationships exist.
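The risk register from Step 2 and the SoA linkage described in Step 3 can be checked mechanically. The Python script below is an added example written for this guide, not code from the article or from any ISO 27001 tool: it scores each register row with the Impact × Likelihood formula, sorts the register, flags rows that breach the acceptance criterion (a risk above the threshold that was merely accepted, or a Mitigate decision that names no control), and derives SoA rows from the treatment decisions so that every applicable control carries the risk IDs that justify it. Rows R-001 to R-003 are the article's own sample entries; the threshold of 9, rows R-004 and R-005, and the mapping of each treatment to Annex A control identifiers are assumptions. Controls 8.13 (Information backup) and 8.24 (Use of cryptography) are real 2022 controls that the article's list does not mention.

```python
"""Risk register scoring, treatment check and SoA linkage.

Added example for this guide, not the article's code. R-001 to R-003 are the
article's sample rows; the threshold, R-004/R-005 and the control mapping
are constructed assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)        # 1-5 impact and likelihood scales, as in the article
ACCEPTANCE_THRESHOLD = 9   # assumption: a score above 9 must be treated
TREATMENTS = {"Mitigate", "Accept", "Transfer", "Avoid"}

# Subset of Annex A 2022 control titles (8.13 and 8.24 are not in the article)
ANNEX_A = {
    "5.7": "Threat intelligence",
    "8.7": "Protection against malware",
    "8.13": "Information backup",
    "8.24": "Use of cryptography",
    "8.26": "Application security requirements",
    "8.28": "Secure coding",
}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    treatment: str        # one of TREATMENTS
    controls: tuple = ()  # Annex A controls chosen to implement the treatment

    @property
    def score(self) -> int:
        """Risk rating as the article defines it: Impact x Likelihood."""
        return self.impact * self.likelihood


def validate(risk):
    """Reject rows outside the scales, with an unknown treatment, or citing
    a control that is not in the catalogue."""
    if risk.impact not in SCALE or risk.likelihood not in SCALE:
        raise ValueError(f"{risk.risk_id}: impact and likelihood must be 1-5")
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.risk_id}: unknown treatment {risk.treatment!r}")
    unknown = [c for c in risk.controls if c not in ANNEX_A]
    if unknown:
        raise ValueError(f"{risk.risk_id}: controls not in catalogue: {unknown}")


def build_register(rows):
    """Validate every row and order the register by descending risk score."""
    for r in rows:
        validate(r)
    return sorted(rows, key=lambda r: r.score, reverse=True)


def requires_treatment(risk, threshold=ACCEPTANCE_THRESHOLD):
    """Acceptance criterion: any score above the threshold must be treated."""
    return risk.score > threshold


def acceptance_violations(register):
    """Risk IDs that breach the treatment plan: a risk above the threshold
    that was merely accepted, or a Mitigate decision naming no control."""
    return [r.risk_id for r in register
            if (requires_treatment(r) and r.treatment == "Accept")
            or (r.treatment == "Mitigate" and not r.controls)]


def statement_of_applicability(register):
    """One SoA row per catalogue control. A control referenced by a Mitigate
    treatment is applicable, justified by the risks it treats; any other
    control stays undecided so its inclusion or exclusion is justified
    explicitly instead of defaulting to 'not applicable'."""
    soa = {cid: {"title": t, "applicable": None, "risks": []} for cid, t in ANNEX_A.items()}
    for r in sorted(register, key=lambda r: r.risk_id):
        if r.treatment == "Mitigate":
            for cid in r.controls:
                soa[cid]["applicable"] = True
                soa[cid]["risks"].append(r.risk_id)
    for row in soa.values():
        row["justification"] = ("treats " + ", ".join(row["risks"])) if row["risks"] else "to be justified"
    return soa


SAMPLE_REGISTER = [
    # The article's three example rows, with assumed control mappings
    Risk("R-001", "Customer database", "SQL injection", "Unvalidated inputs", 5, 3,
         "Mitigate", ("8.26", "8.28")),
    Risk("R-002", "Employee laptops", "Theft", "No disk encryption", 4, 2,
         "Mitigate", ("8.24",)),
    Risk("R-003", "Production server", "Ransomware", "No offline backup", 5, 2,
         "Mitigate", ("8.7", "8.13")),
    # Constructed rows: a legitimate acceptance and one that breaches the criterion
    Risk("R-004", "Internal wiki", "Accidental deletion", "No page history", 2, 4, "Accept"),
    Risk("R-005", "Build server", "Dependency compromise", "Unpinned dependencies", 4, 3, "Accept"),
]

if __name__ == "__main__":
    register = build_register(list(SAMPLE_REGISTER))
    for r in register:
        print(f"{r.risk_id} {r.asset:<20} {r.impact}x{r.likelihood}={r.score:<3} {r.treatment:<9}"
              f" {'TREAT' if requires_treatment(r) else 'ok'}")
    print("violations:", acceptance_violations(register))
    for cid, row in statement_of_applicability(register).items():
        print(f"{cid:<5} {row['title']:<36} applicable={row['applicable']!s:<5} {row['justification']}")
```

Running the script lists the register with R-001 (score 15) first and R-005 flagged as a violation: it scores 12, above the threshold, yet is marked Accept. Controls 5.7 remains "to be justified" in the SoA output, which is the point of the linkage: a control that no treatment decision references needs an explicit, written reason for inclusion or exclusion before the SoA goes to the auditor.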


Step 4 — Implement Annex A Controls

ISO 27001:2022 Annex A organises 93 controls into four themes. Key controls for technology-oriented organisations:

Organisational Controls (37 controls)

Key controls include:

  • 5.1 Policies for information security: Documented, approved, communicated security policy and topic-specific policies
  • 5.2 Information security roles and responsibilities: Defined CISO/security officer role; documented security responsibilities
  • 5.7 Threat intelligence (new in 2022): Collect and analyse threat intelligence relevant to the organisation
  • 5.9 Inventory of information and other associated assets: Maintained asset inventory with ownership
  • 5.15 Access control: Access control policy; least privilege; formal access management procedures
  • 5.16 Identity management: Full identity lifecycle management (provisioning, modification, deprovisioning)
  • 5.17 Authentication information: Password/authentication credential management policy and procedures
  • 5.20 Addressing security within supplier agreements: Security requirements in contracts with suppliers and partners
  • 5.23 Information security for use of cloud services (new in 2022): Cloud security policies, cloud service selection, monitoring

People Controls (8 controls)

  • 6.1 Screening: Background checks before and during employment
  • 6.2 Terms and conditions of employment: Security-related terms in employment contracts
  • 6.3 Information security awareness, education, and training: Annual training programme, role-specific training, phishing simulations
  • 6.4 Disciplinary process: Formal process for security policy violations
  • 6.6 Confidentiality or non-disclosure agreements: NDAs with employees and contractors

Physical Controls (14 controls)

  • 7.1 Physical security perimeters: Defined security perimeters; access control to secure areas
  • 7.4 Physical security monitoring (new in 2022): CCTV, intrusion detection, access logs
  • 7.7 Clear desk and clear screen: Policy and implementation; screen locks; clean desk at end of day
  • 7.10 Storage media: Management of removable media; secure disposal

Technological Controls (34 controls)

  • 8.2 Privileged access rights: Privileged account management; just-in-time access; monitoring of privileged sessions
  • 8.4 Access to source code: Restricted access to source code; code review requirements
  • 8.5 Secure authentication: MFA; secure authentication protocols
  • 8.7 Protection against malware: Anti-malware on all endpoints; mail and web filtering
  • 8.8 Management of technical vulnerabilities: Vulnerability scanning; patching SLA; penetration testing
  • 8.9 Configuration management (new in 2022): Documented security baselines; configuration management processes
  • 8.10 Information deletion (new in 2022): Secure deletion when no longer needed
  • 8.11 Data masking (new in 2022): Masking of sensitive data in non-production environments
  • 8.12 Data leakage prevention (new in 2022): DLP tools to prevent unauthorised data exfiltration
  • 8.15 Logging: Comprehensive audit logging; log protection; log review
  • 8.16 Monitoring activities (new in 2022): Network and system monitoring; SIEM
  • 8.23 Web filtering (new in 2022): Web content filtering to protect against malicious content
  • 8.25 Secure development life cycle: Secure SDLC policy; security requirements in development; code review; SAST/DAST
  • 8.26 Application security requirements: Security requirements definition for new and enhanced applications
  • 8.27 Secure system architecture and engineering principles (new in 2022): Security by design; defence in depth
  • 8.28 Secure coding (new in 2022): Secure coding standards; code review; static analysis
  • 8.29 Security testing in development and acceptance: Security testing as part of SDLC; penetration testing before go-live
  • 8.34 Protection of information systems during audit testing: Coordination of audit activities to minimise disruption

Step 5 — Documentation and Records

ISO 27001 requires specific documented information (policies and records). Minimum documentation set:

Mandatory documents:

  • ISMS scope document
  • Information security policy
  • Information security risk assessment methodology
  • Risk register and risk treatment plan
  • Statement of Applicability
  • Internal audit programme and reports
  • Management review records
  • Records of training and awareness

Recommended topic-specific policies:

  • Access control policy
  • Acceptable use policy
  • Asset management policy
  • Business continuity and DR policy
  • Change management policy
  • Cryptography and key management policy
  • Incident response policy
  • Remote working policy
  • Supplier security policy
  • Vulnerability management policy

Step 6 — Internal Audit Programme

Clause 9.2 requires a programme of internal audits conducted at planned intervals covering all ISMS requirements and Annex A controls. Internal auditors must be competent and objective (not auditing their own work).

Internal audit approach:

  • Annual internal audit plan covering all ISMS clauses and all applicable Annex A controls over a defined cycle
  • Risk-based sampling: test more frequently in higher-risk areas
  • Document evidence collection and nonconformity recording
  • Report to management; track corrective actions to closure

Internal auditors should be certified (ISO 27001 Lead Auditor or internal auditor training) for credibility. Many organisations use a second-department approach (IT auditing security, security auditing IT) or engage an external firm for objectivity.
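As an added example (not the article's code), the Python script below builds a quarterly internal audit plan for one three-year certification cycle along the lines of the approach above: high-risk controls are audited every quarter, medium-risk twice a year, low-risk once a year, and each control is assigned an auditor from a department other than the one that owns it. The control list, owning departments, auditor pool, twelve-quarter cycle and per-tier audit frequencies are all constructed assumptions. The checks at the end verify that every applicable control is audited within the cycle (and within the first year), and that no department audits its own work.

```python
"""Risk-based internal audit plan over one certification cycle.

Added example for this guide, not the article's code. The control list,
owning departments and auditor pool are constructed; the twelve-quarter
cycle and the audits-per-year per risk tier are assumptions.
"""

QUARTERS_PER_CYCLE = 12                               # assumption: 3-year cycle, quarterly audits
AUDITS_PER_YEAR = {"high": 4, "medium": 2, "low": 1}  # assumption: risk-based sampling rates
AUDITOR_POOL = ("IT", "Security", "Compliance")       # constructed departments that audit

# Constructed: applicable controls (titles from the article) with the risk tier
# taken from the risk register and the department that owns the control.
APPLICABLE_CONTROLS = {
    "5.15 Access control": ("high", "IT"),
    "8.2 Privileged access rights": ("high", "IT"),
    "8.8 Management of technical vulnerabilities": ("high", "Security"),
    "8.15 Logging": ("medium", "Security"),
    "8.28 Secure coding": ("medium", "Engineering"),
    "6.3 Information security awareness, education and training": ("low", "HR"),
    "7.7 Clear desk and clear screen": ("low", "Facilities"),
    "7.10 Storage media": ("low", "IT"),
}


def audit_quarters(tier, stagger, quarters=QUARTERS_PER_CYCLE):
    """Quarters in which a control of this tier is audited. Higher-risk tiers
    recur more often; `stagger` shifts the first audit so that controls of one
    tier do not all land in the same quarter."""
    step = 4 // AUDITS_PER_YEAR[tier]   # 1, 2 or 4 quarters between audits
    return list(range(stagger % step, quarters, step))


def assign_auditor(owner, rotation):
    """Clause 9.2 objectivity: nobody audits their own department's work.
    Round-robin through the pool, skipping the owning department."""
    for i in range(len(AUDITOR_POOL)):
        candidate = AUDITOR_POOL[(rotation + i) % len(AUDITOR_POOL)]
        if candidate != owner:
            return candidate
    raise ValueError(f"no independent auditor available for {owner}")


def build_plan(controls, quarters=QUARTERS_PER_CYCLE):
    """Map each quarter to the (control, auditor) pairs scheduled in it."""
    plan = {q: [] for q in range(quarters)}
    stagger = {tier: 0 for tier in AUDITS_PER_YEAR}
    for rotation, (name, (tier, owner)) in enumerate(sorted(controls.items())):
        auditor = assign_auditor(owner, rotation)
        for q in audit_quarters(tier, stagger[tier], quarters):
            plan[q].append((name, auditor))
        stagger[tier] += 1
    return plan


def coverage_gaps(plan, controls, window=None):
    """Controls never audited within `window` (default: the whole cycle)."""
    window = range(len(plan)) if window is None else window
    audited = {name for q in window for name, _ in plan[q]}
    return sorted(set(controls) - audited)


def objectivity_breaches(plan, controls):
    """Scheduled audits where the auditor is the control's own department."""
    return sorted({name for entries in plan.values()
                   for name, auditor in entries if auditor == controls[name][1]})


def audits_per_quarter(plan):
    """Audit load per quarter, to check the plan is evenly spread."""
    return [len(plan[q]) for q in sorted(plan)]


if __name__ == "__main__":
    plan = build_plan(APPLICABLE_CONTROLS)
    for q, entries in plan.items():
        print(f"Q{q + 1:>2}: " + "; ".join(f"{n} ({a})" for n, a in entries))
    print("load per quarter:", audits_per_quarter(plan))
    print("coverage gaps:", coverage_gaps(plan, APPLICABLE_CONTROLS))
    print("first-year gaps:", coverage_gaps(plan, APPLICABLE_CONTROLS, range(4)))
    print("objectivity breaches:", objectivity_breaches(plan, APPLICABLE_CONTROLS))
```

With the constructed inputs the plan schedules 57 audits over the cycle, four or five per quarter, with no coverage gaps and no department auditing itself. The stagger matters in practice: without it, every low-risk control would fall in the same quarter, and the audit evidence for the first surveillance audit would be thin for three quarters of the year.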


Step 7 — Management Review

Clause 9.3 requires top management to review the ISMS at planned intervals (typically annually). Management review must cover:

  • Status of actions from previous reviews
  • Changes in external and internal issues relevant to the ISMS
  • Feedback on ISMS performance (security incidents, audit results, monitoring, KPIs)
  • Feedback from interested parties
  • Results of risk assessment and risk treatment plan status
  • Opportunities for continual improvement

Management review output: Decisions on continual improvement opportunities, ISMS changes, resource needs.


Certification Process

Select a certification body: Must be accredited by a national accreditation body (UKAS in UK, DAkkS in Germany, ANAB in US, JAS-ANZ in Australia/NZ). Check IAF recognition for global acceptance.

Stage 1 audit (Documentation review): Auditor reviews your ISMS documentation — scope, SoA, risk assessment, policies — to confirm readiness for Stage 2. Typically 1–2 days. Output: list of findings/gaps to address before Stage 2.

Gap remediation: Address Stage 1 findings. May take 4–8 weeks depending on gaps identified.

Stage 2 audit (Implementation audit): On-site (or remote) audit of actual ISMS implementation. Auditors test controls, interview staff, review evidence records. Typically 3–10 audit days depending on scope and organisation size. Nonconformities (major or minor) must be addressed.

Certification decision: Certification body issues ISO 27001:2022 certificate, valid for 3 years. Certificate includes scope statement.

Surveillance audits: Annual surveillance audits in years 1 and 2 of the certificate cycle (lighter-touch than certification audit). Recertification audit in year 3 covers the full ISMS.


ISO 27001 Implementation Checklist

  • ISMS scope defined and documented
  • Information security policy approved by top management
  • Risk assessment methodology documented and applied
  • Risk register complete with risk ratings for all significant risks
  • Risk treatment plan developed for all unacceptable risks
  • Statement of Applicability completed for all 93 Annex A controls
  • All applicable Annex A controls implemented
  • Documentation set complete (policies, procedures, records)
  • Internal audit programme established and first audit completed
  • Corrective actions from internal audit tracked to closure
  • Management review completed with records
  • Staff security awareness training completed and documented
  • Accredited certification body selected and Stage 1 audit scheduled
  • Stage 1 findings addressed
  • Stage 2 certification audit completed

Frequently Asked Questions

How long does ISO 27001 implementation take?

For a medium-sized technology company starting from a reasonable security baseline, implementation typically takes 6–12 months from kickoff to certification. Organisations with mature security practices may achieve certification in 4–6 months. Large enterprises with complex scope, multiple locations, or extensive legacy documentation may take 12–18 months. Key drivers of the timeline: scope complexity, existing documentation maturity, resource availability, and certification body scheduling.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the management system standard against which organisations are certified — it specifies requirements for establishing, implementing, maintaining, and improving an ISMS. ISO 27002 is a guidance document providing best practice advice on implementing each of the 93 Annex A controls. ISO 27001 Annex A contains the controls (normatively); ISO 27002 explains how to implement them (informatively). ISO 27001 certification is the requirement; ISO 27002 is the implementation handbook. You cannot be "ISO 27002 certified" — only ISO 27001 certification exists.

Can we achieve ISO 27001 certification for just part of our organisation?

Yes — ISO 27001 allows scoping to a specific service, product line, department, or location. A SaaS company might scope its ISO 27001 certification to its cloud-hosted product platform excluding back-office HR and finance systems. The certification certificate will specify the scope, and customers and auditors understand that controls apply within the stated scope boundary. A narrow scope means faster, cheaper certification but provides less assurance to customers who want confidence across your entire organisation.

How is ISO 27001 different from SOC 2?

Both address information security but from different frameworks and for different audiences. ISO 27001 is an international management system standard producing a three-year certificate; audits are conducted by accredited certification bodies; it is widely recognised in European, Asia-Pacific, and Middle Eastern procurement. SOC 2 is a US-origin attestation framework producing a report (Type I or Type II) reviewed by customer auditors; it focuses on the Trust Service Criteria; it is predominantly required by US enterprise buyers. The controls overlap substantially. Many organisations pursue both — SOC 2 for US enterprise sales, ISO 27001 for international and government procurement.

What are the key changes in ISO 27001:2022 compared to 2013?

Key changes: (1) Annex A restructured from 14 categories/114 controls to 4 themes/93 controls; (2) 11 new controls added: threat intelligence, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, and information security for cloud services; (3) No controls were deleted — existing controls were merged and reorganised; (4) Clause 6.3 added "Planning of changes" for managed ISMS changes; (5) Wording updates throughout for clarity. The fundamental management system structure (Clauses 4–10) is largely unchanged.

How much does ISO 27001 certification cost?

Total costs vary significantly by organisation size and scope: Certification body audit fees: $8,000–$50,000+ depending on scope and audit days; Consultancy (optional): $30,000–$150,000 for assisted implementation; Internal staff time: 200–1,000+ hours across implementation and documentation; Tooling (GRC platform, vulnerability scanning, SIEM): $10,000–$100,000/year; Annual surveillance audits: approximately 30–50% of Stage 2 cost. Small organisations with narrow scope can achieve certification for $40,000–$80,000 total. Mid-sized organisations typically invest $100,000–$300,000 in their first certification cycle.


Next Steps

ISO 27001 certification is a strategic investment that pays back through enhanced customer trust, enterprise sales acceleration, reduced cyber insurance premiums, and structured security improvement. For technology companies, implementing ISO 27001 alongside SOC 2 provides comprehensive global coverage of enterprise buyer security requirements.

ECOSIRE's team helps technology companies implement ISO 27001-aligned security management programmes, with expertise in technical control implementation across cloud environments, application security, and managed service delivery.

Get started: ECOSIRE Services

Disclaimer: This guide is for informational purposes only. ISO 27001 certification requirements should be confirmed with an accredited certification body. Specific implementation requirements vary by organisation size, scope, and industry.


Written by

ECOSIRE Research and Development Team

Building enterprise-grade digital products at ECOSIRE. Sharing insights on Odoo integrations, e-commerce automation, and AI-powered business solutions.
