ISO 27001 FAQ
Frequently asked questions about ISO 27001 certification, implementation, and information security management systems.
ISO 27001 is an internationally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It provides a systematic approach to managing sensitive company and customer information through risk assessment and treatment processes.
An ISMS is a framework of policies, procedures, and technical controls that systematically manages an organization's information security risks. It encompasses people, processes, and technology to protect information assets against threats, ensuring confidentiality, integrity, and availability of data.
ISO 27001 certification costs typically range from $30,000 to $200,000+ depending on organization size and complexity. This includes gap analysis, implementation consulting, internal audit costs, and the external certification audit. Ongoing annual surveillance audits add approximately 30-40% of the initial certification cost each year.
Implementation typically takes 6-18 months depending on the organization's size, existing security maturity, and available resources. Small organizations with good existing practices may achieve certification in 6-9 months, while large enterprises with complex environments may need 12-18 months or more.
Annex A of ISO 27001:2022 contains 93 controls organized into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). Organizations select applicable controls based on their risk assessment and document them in a Statement of Applicability.
The Statement of Applicability is a mandatory document that lists every Annex A control, indicates whether each is applicable to your organization, justifies each inclusion or exclusion, and records whether each applicable control is implemented. It serves as a core document linking your risk assessment and risk treatment results to the controls you've implemented, and auditors use it to trace each selected control back to the risk that justified it.
The certification audit occurs in two stages. Stage 1 is a documentation review to verify your ISMS documentation and readiness. Stage 2 is an on-site assessment evaluating the effectiveness of your ISMS implementation. After successful completion, the certification body issues a three-year certificate with annual surveillance audits.
ISO 27001 is the certification standard that specifies requirements for an ISMS. ISO 27002 is a supplementary guidance standard (historically titled a "code of practice", retitled "Information security controls" in its 2022 edition) that provides detailed implementation guidance for the controls referenced in ISO 27001 Annex A. You certify against ISO 27001, while ISO 27002 serves as a reference guide.
ISO 27001 is not legally mandatory in most jurisdictions, but it's increasingly required by customers, partners, and industry regulations. Many government contracts, especially in Europe and Asia, require ISO 27001 certification. It's also becoming a standard expectation in regulated industries like finance and healthcare.
A typical (asset-based) risk assessment involves identifying information assets and their owners, identifying threats and vulnerabilities to those assets, evaluating the likelihood and impact of potential security incidents, determining risk levels, and selecting appropriate controls to reduce risks to an acceptable level. ISO 27001 does not mandate a particular method, but it does require defined risk acceptance criteria, an assigned risk owner for every identified risk, and a process that produces consistent, comparable results when repeated. The treatment decisions then feed the risk treatment plan and the Statement of Applicability.
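The following is an added example, not part of the original page and not any official ISO tooling, showing how the steps above and the Statement of Applicability fit together in code: a small risk register scored on an assumed 5x5 likelihood/impact scale, an assumed acceptance threshold, a treatment plan that refuses unacceptable risks with no treatment, and a Statement of Applicability derived from the controls the treatment plan selects. The risk entries and the threshold are constructed for illustration; the Annex A control numbers and names are those of ISO 27001:2022.

```python
from dataclasses import dataclass, field

# Qualitative 5x5 scale and acceptance threshold. Both are assumptions made for this
# example: ISO 27001 only requires the criteria to be defined and applied consistently.
ACCEPTANCE_THRESHOLD = 8  # scores strictly above this must be treated

# Subset of ISO 27001:2022 Annex A controls (real identifiers and titles).
ANNEX_A = {
    "5.7":  "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "7.4":  "Physical security monitoring",
    "8.5":  "Secure authentication",
    "8.8":  "Management of technical vulnerabilities",
    "8.12": "Data leakage prevention",
}


@dataclass
class Risk:
    id: str
    asset: str
    owner: str                # risk owner, required by clause 6.1.2
    threat: str
    vulnerability: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # Annex A IDs chosen as treatment

    def score(self) -> int:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.id}: likelihood and impact must be on the 1..5 scale")
        return self.likelihood * self.impact

    def level(self) -> str:
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def treatment_plan(risks):
    """Decide, per risk, whether it is accepted or must be treated.

    A risk above the acceptance criteria with no treatment controls is a gap an
    auditor would raise, so it is rejected here rather than silently accepted.
    """
    plan = []
    for r in risks:
        needs_treatment = r.score() > ACCEPTANCE_THRESHOLD
        unknown = [c for c in r.controls if c not in ANNEX_A]
        if unknown:
            raise ValueError(f"{r.id}: unknown control IDs {unknown}")
        if needs_treatment and not r.controls:
            raise ValueError(f"{r.id}: exceeds acceptance criteria but has no treatment")
        plan.append({
            "risk": r.id, "owner": r.owner, "score": r.score(), "level": r.level(),
            "decision": "treat" if needs_treatment else "accept",
            "controls": list(r.controls),
        })
    return plan


def statement_of_applicability(risks):
    """Mark each Annex A control applicable if any treatment selects it.

    Excluded controls still appear, flagged as needing a documented justification.
    """
    selected = {c for r in risks for c in r.controls}
    return {
        cid: {
            "name": name,
            "applicable": cid in selected,
            "justification": ("selected by risk treatment" if cid in selected
                              else "not selected by any risk; exclusion must be justified"),
        }
        for cid, name in ANNEX_A.items()
    }


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("R1", "customer database", "Head of Engineering", "credential stuffing",
         "no multi-factor authentication on admin portal", 4, 5, ["8.5"]),
    Risk("R2", "office laptops", "IT Manager", "theft", "disk encryption not enforced", 2, 4),
    Risk("R3", "build server", "Platform Lead", "exploitation of known CVE",
         "patching not scheduled", 3, 4, ["8.8"]),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS):
        print(row)
    for cid, entry in statement_of_applicability(SAMPLE_RISKS).items():
        print(cid, entry)
```

R2 scores exactly 8, equal to the threshold, and is therefore accepted by its owner rather than treated; whether "equal to the threshold" is acceptable is precisely the kind of decision the risk acceptance criteria must state explicitly before the assessment is run, so that repeated assessments reach the same answer.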
ISO 27001 certificates are valid for three years. Annual surveillance audits are conducted in years one and two to verify ongoing compliance. A full recertification audit is required in year three. Organizations must demonstrate continual improvement throughout the certification cycle.
The 2022 revision reorganized Annex A controls from 14 domains to 4 themes, reduced the total from 114 to 93 controls (by merging existing controls rather than dropping requirements), and introduced 11 new controls addressing cloud services, threat intelligence, data masking, data leakage prevention, configuration management, secure coding, and other modern concerns. Organizations certified under the 2013 version must transition by 31 October 2025, after which 2013 certificates are no longer valid.
Yes, ISO 27001 is scalable and applicable to organizations of any size. Small businesses benefit from the structured approach to security management. The scope and complexity of the ISMS can be tailored to match the organization's size and risk profile, making certification achievable and cost-effective.
ISO 27001 requires demonstrated leadership commitment from top management, including establishing the ISMS policy, ensuring adequate resources, defining roles and responsibilities, promoting continual improvement, and conducting management reviews. Without genuine leadership buy-in, certification efforts typically fail.
Mandatory documented information includes the ISMS scope, information security policy, information security objectives, risk assessment and risk treatment processes and their results, Statement of Applicability, risk treatment plan, and records evidencing competence, monitoring and measurement results, the internal audit programme and its results, management reviews, and nonconformities with their corrective actions. Note that the standard requires records of internal audits, management reviews, and corrective actions rather than formal written procedures for them, although most organizations document such procedures anyway. Additional policies covering access control, asset management, and incident response are typically needed to support the Annex A controls you select.