
The Complete Guide to ISO 27001



ISO 27001 is the leading international standard focused on information security that was developed to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System.


The basics

What is the meaning of ISO 27001?

ISO 27001 is an ISO framework that helps companies manage the risks to their business. ISO stands for International Standards Organization, an independent organization with representatives from various countries who agree on standards and policies.

ISO has developed ISO 27001 in response to the growing need for international standards, and this document is designed as a management tool against security risks, including intentional threats or accidental events.

ISO 27001 provides guidelines for security management systems to protect information assets at any time during their life cycle. An ISO 27001 Audit is also another way of assessing the effectiveness of a company’s security management system.

The ISO 27001 framework is a set of guidelines that helps companies manage the risks to their business. It provides guidelines for security management systems to protect information assets at any time during their life cycle and includes elements such as risk assessment, resource availability, or data classification.

An ISO audit can also be carried out by assessing the effectiveness of a company’s security management system.


What is the purpose of ISO 27001?

The ISO framework is a combination of policies and processes for organizations to use. This framework helps organizations of any size or industry to protect their information through the adoption of an Information Security Management System (ISMS). ISO 27001 is an ISO standard for ISMS that provides guidelines to an organization on how best to protect their information assets from intentional threats or accidental events, which can be broken down into three stages: 

  • The Design Stage - creating the policies and procedures to help you meet your objectives.
  • Implementation & Operation - ensuring that the ISO 27001 security policies are carried out daily.
  • Assurance - taking ISO 27001 objectives and implementing them to ensure they work as expected. ISO 27001 ensures that your data is safe during any stage of its life cycle, from design through destruction.


Why is this standard so important?

The Standard is an important milestone for companies aiming to protect themselves and their data. Companies can also certify against ISO 27001, providing a valuable assurance of protection to clients and partners. 

ISO 27001 is a recognized standard worldwide; because of this, it will be easier for organizations to find more work opportunities. Individuals can get certified by attending a course and passing the exam. The certification proves their skills to potential employers. 

ISO 27001 certificates can be achieved by adopting and implementing ISO 27001 standards in the company. This is assessed through an ISO audit, which checks how well your security management system meets ISO requirements. An ISO audit consists of one or more internal audits (also called self-assessments) followed by a final independent assessment undertaken by an ISO 27001-certified auditor. The internal audits assess the organization’s ability to satisfy ISO requirements, while the final independent assessment determines whether ISO 27001 has been correctly implemented by auditing your ISMS against the ISO checklist document to see if the company can prove that its security management system meets ISO standards.


What are the 3 ISMS security objectives?

The basic goal of ISO 27001 is to protect three aspects of information:

  • Confidentiality: only the authorized persons have the right to access information.
  • Integrity: only the authorized persons can change the information.
  • Availability: the information must be accessible to authorized persons whenever it is needed.


Why do we need ISMS?

An Information Security Management System (ISMS) is a set of guidelines that companies need to establish to: 

  • Identify what stakeholders (specifically) want to know about the company's information security and how it meets their needs.
  • Use all the controls and other risk treatment methods.
  • Continuously monitor if the implemented controls work as expected.
  • Identify the potential risks for the information.
  • Define controls and other mitigation methods to limit or eliminate the risks.
  • Set clear objectives for the information security team.
  • Make continuous improvements that will benefit the ISMS system.

These rules can be formally documented as policies, procedures, and other types of documents or established processes and technologies that are not documented. ISO 27001 identifies which documents must exist at a minimum. For more information read the article, 10 Benefits of Choosing ISO 27001 for Information Security.


How does ISO 27001 work?

The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of the information in a company. This is done by finding out what potential problems could happen to the information (i.e., risk assessment), and then defining what needs to be done to prevent such problems from happening (i.e., risk mitigation or risk treatment).

Therefore, the main philosophy of ISO 27001 is based on a process for managing risks: find out where the risks are, and then systematically treat them, through the implementation of security controls (or safeguards).

ISO 27001 requires a company to list all controls that are to be implemented in a document called the Statement of Applicability.

Two parts of the standard

The standard is separated into two parts. The first, main part consists of 11 clauses (0 to 10). The second part, called Annex A, provides a guideline for 114 control objectives and controls. Clauses 0 to 3 (Introduction, Scope, Normative references, Terms and definitions) set the introduction of the ISO 27001 standard. The following clauses 4 to 10, which provide ISO 27001 requirements that are mandatory if the company wants to be compliant with the standard, are examined in more detail further in this article.



What are the benefits of an ISMS?

An ISMS framework that complies with ISO 27001 requirements does not just ‘tick a box’.

It also gives you all of these excellent advantages:

  • Adaptability: It means you can make quick manoeuvres by responding to evolving security threats and changes both within your organisation and the outside environment. Say hello to threat reduction!
  • Reduced costs: You can reduce your costs spent on adding layers of technology and practices that might not work. This is thanks to the risk assessment and analysis approach of an ISMS.
  • Resilience: Curating and executing an ISMS can increase your company’s resilience to cyber attacks. As we say here at 6clicks, ‘compliance is not resilience’ (although it should be!).
  • Centralisation: An effective ISMS (contact us to get this done) gives you a fantastic centralised framework for securing your information…and keeping it.
  • Security-first company culture: Watch your company culture shift as the ISMS blankets your entire company, not just the IT department. Empower your staff to understand and tackle security issues within their respective domains. Let them embrace risk as part of their everyday attitude!
  • Forms: Not ‘that’ kind of form (please god no!). Whether your information is paper-based, sitting on the cloud or various other digital existences, an effective ISMS helps you protect it all (electronic, hard-copy, verbal etc.).
  • Protection: Remember the bit above when we talked about the ‘features’ of information? Well, an effective ISMS protects the intimate details of your information. The purity, accessibility and privacy of your information are supported by an ISMS by way of its policies, procedures and technical and physical controls.

For further information, please read Business Origami: The Importance of Folding ISMS into Your GRC.

Requirements & security controls

What are the requirements for ISO 27001?

The requirements from sections 4 through 10 can be summarized as follows:

Clause 4: Context of the organization – One prerequisite of implementing an Information Security Management System successfully is understanding the context of the organization. External and internal issues, as well as interested parties, need to be identified and considered. Requirements may include regulatory issues, but they may also go far beyond.

With this in mind, the organization needs to define the scope of the ISMS. How extensively will ISO 27001 be applied to the company? 

Clause 5: Leadership – The requirements of ISO 27001 for adequate leadership are manifold. The commitment of the top management is mandatory for a management system. Objectives need to be established according to the strategic objectives of an organization. Providing resources needed for the ISMS, as well as supporting persons to contribute to the ISMS, are other examples of the obligations to meet.

Furthermore, the top management needs to establish an information security policy. This policy should be documented, as well as communicated within the organization and to interested parties.
Roles and responsibilities need to be assigned, too, in order to meet the requirements of the ISO 27001 standard and to report on the performance of the ISMS.

Clause 6: Planning – Planning in an ISMS environment should always take into account risks and opportunities. An information security risk assessment provides a sound foundation to rely on. Accordingly, information security objectives should be based on the risk assessment. These objectives need to be aligned to the company's overall objectives. Moreover, the objectives need to be promoted within the company. They provide the security goals to work towards for everyone within and aligned with the company. From the risk assessment and the security objectives, a risk treatment plan is derived, based on controls as listed in Annex A.

Clause 7: Support – Resources, competence of employees, awareness, and communication are key issues of supporting the cause. Another requirement is documenting information according to ISO 27001. Information needs to be documented, created, and updated, as well as being controlled. A suitable set of documentation needs to be maintained in order to support the success of the ISMS.

Clause 8: Operation – Processes are mandatory to implement information security. These processes need to be planned, implemented, and controlled. Risk assessment and treatment – which needs to be on top management's mind, as we learned earlier – has to be put into action.

Clause 9: Performance evaluation – The requirements of the ISO 27001 standard expect monitoring, measurement, analysis, and evaluation of the Information Security Management System. Not only should the department itself check on its work – in addition, internal audits need to be conducted. At set intervals, the top management needs to review the organization's ISMS.

Clause 10: Improvement – Improvement follows up on the evaluation. Nonconformities need to be addressed by taking action and eliminating the causes when applicable. Moreover, a continual improvement process should be implemented, even though the PDCA (Plan-Do-Check-Act) cycle is no longer mandatory. Still, the PDCA cycle is often recommended, as it offers a solid structure and fulfills the requirements of ISO 27001.

Annex A (normative) Reference control objectives and controls
Annex A is a helpful list of reference control objectives and controls. Starting with A.5 Information security policies through A.18 Compliance, the list offers controls by which the ISO 27001 requirements can be met, and the structure of an ISMS can be derived. Controls, identified through a risk assessment as described above, need to be considered and implemented.


What are the 14 domains of ISO 27001?

Annex A of the ISO 27001 standard consists of a list of security controls organizations can utilize to improve the security of their information assets. ISO 27001 comprises 114 controls divided into 14 sections, also known as domains. The sections are focused on information technology and beyond, taking into consideration the wide range of factors that can impact the security of an organization’s information environment. The 14 ISO domains cover organizational issues, human resources, IT, physical security, and legal issues. Organizations are not required to implement the entire list of ISO 27001’s controls but instead use it as a list of possibilities to consider based on their unique needs. 

Utilizing the 114 controls listed in Annex A, a company can select those applicable to its needs and the needs of its customers. The 14 domains are:

  • Information security policies (A.5)
  • Organization of information security and assignment of responsibility (A.6)
  • Human resources security (A.7)
  • Asset management (A.8)
  • User access control (A.9)
  • Encryption and management of sensitive information (A.10)
  • Physical and environmental security (A.11)
  • Operational security (A.12)
  • Communications security (A.13)
  • System acquisition, development, and maintenance (A.14)
  • Supplier relationships (A.15)
  • Information security incident management (A.16)
  • Information security aspects of business continuity management (A.17)
  • Compliance (A.18)


How do you implement ISO 27001 controls?

Technical controls are primarily implemented in information systems, using software, hardware, and firmware components added to the system. E.g. backup, antivirus software, etc.

Organizational controls are implemented by defining rules to be followed, and expected behavior from users, equipment, software, and systems. E.g. Access Control Policy, BYOD Policy, etc.

Legal controls are implemented by ensuring that rules and expected behaviors follow and enforce the laws, regulations, contracts, and other similar legal instruments that the organization must comply with. E.g. NDA (non-disclosure agreement), SLA (service level agreement), etc.

Physical controls are primarily implemented by using equipment or devices that have a physical interaction with people and objects. E.g. CCTV cameras, alarm systems, locks, etc.

Human resource controls are implemented by providing knowledge, education, skills, or experience to persons to enable them to perform their activities in a secure way. E.g. security awareness training, ISO 27001 internal auditor training, etc.


Implementation & certification

ISO 27001 mandatory documents

ISO 27001 specifies a minimum set of policies, procedures, plans, records, and other documented information that are needed to become compliant.

ISO 27001 requires the following documents to be written:

  • Scope of the ISMS (clause 4.3)
  • Information Security Policy and Objectives (clauses 5.2 and 6.2)
  • Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk Treatment Plan (clauses 6.1.3 e and 6.2)
  • Risk Assessment Report (clause 8.2)
  • Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
  • Inventory of Assets (control A.8.1.1)
  • Acceptable Use of Assets (control A.8.1.3)
  • Access Control Policy (control A.9.1.1)
  • Operating Procedures for IT Management (control A.12.1.1)
  • Secure System Engineering Principles (control A.14.2.5)
  • Supplier Security Policy (control A.15.1.1)
  • Incident Management Procedure (control A.16.1.5)
  • Business Continuity Procedures (control A.17.1.2)
  • Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)

And these are the mandatory records:

  • Records of training, skills, experience and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal Audit Program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)
  • Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3)

Of course, a company may decide to write additional security documents if it finds it necessary.

To see a more detailed explanation of each of these documents, download the free white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision).


What is "ISO 27001 certified"?

A company can go for ISO 27001 certification by inviting an accredited certification body to perform the certification audit and, if the audit is successful, to issue the ISO 27001 certificate to the company. This certificate will mean that the company is fully compliant with the ISO 27001 standard.

An individual can go for ISO 27001 certification by going through ISO 27001 training and passing the exam. This certificate will mean that this person has acquired the appropriate skills during the course.


Other frameworks and standards

What are the other ISO 27000 standards?

Because it defines the requirements for an ISMS, ISO 27001 is the main standard in the ISO 27000 family of standards. But, because it mainly defines what is needed, but does not specify how to do it, several other information security standards have been developed to provide additional guidance. Currently, there are more than 40 standards in the ISO27k series, and the most commonly used ones are as follows:

ISO/IEC 27000 provides terms and definitions used in the ISO 27k series of standards.

ISO/IEC 27002 provides guidelines for the implementation of controls listed in ISO 27001 Annex A. It can be quite useful, because it provides details on how to implement these controls.

ISO/IEC 27004 provides guidelines for the measurement of information security – it fits well with ISO 27001, because it explains how to determine whether the ISMS has achieved its objectives.

ISO/IEC 27005 provides guidelines for information security risk management. It is a very good supplement to ISO 27001, because it gives details on how to perform risk assessment and risk treatment, probably the most difficult stage in the implementation.

ISO/IEC 27017 provides guidelines for information security in cloud environments.

ISO/IEC 27018 provides guidelines for the protection of privacy in cloud environments.

ISO/IEC 27031 provides guidelines on what to consider when developing business continuity for Information and Communication Technologies (ICT). This standard is a great link between information security and business continuity practices.


What is ISO 27002?

ISO 27002 is a guideline for organizational information security standards and best practices for information security management. Considering the business’s information security risk environments, ISO 27002 focuses on the organization’s selection, implementation, and management of controls. It is meant to be used as a guide, based on ISO 27001, for identifying appropriate security controls in implementing an ISMS.

Ultimately, while ISO 27002 is more of a guideline to achieving best practices and has subtle differences from ISO 27001, it also serves to demonstrate the stability of your organization’s ISMS. The main difference is that ISO 27002 does not distinguish between controls applicable to your particular organization and those which are not. ISO 27002 is a reference for selecting security controls rather than a certification process.


What is the difference between ISO 27001 and ISO 27002?

The original version of ISO 27001 was published in 2005, with minor updates in 2013, and now finally a moderately sized update in 2022. That’s about one update per decade!

In a fast-changing industry like cyber and information security, that could be seen as a bad thing. But ISO 27001, like ISO itself, is a steady ship in a fast-changing environment.

So, what has changed in ISO 27002:2022, including control additions, the reasons behind those additions, and reductions (or rather merged or simmered controls)?



What is the difference between ISO 27001 and NIST CSF?

The NIST frameworks were designed as flexible, voluntary frameworks. The fact that they are flexible makes it relatively easy to implement them in conjunction with ISO 27001.

This is largely due to both standards having a number of common principles, including requiring senior management support, a continual improvement process, and a risk-based approach.

NIST CSF
  • NIST was primarily created to help US federal agencies and organizations better manage their risk.
  • NIST frameworks have various control catalogs.
  • The NIST CSF contains three key components: the core, implementation tiers, and profiles with each function having categories, which are the activities necessary to fulfill each function.
  • NIST has a voluntary, self-certification mechanism.
  • The NIST framework uses five functions to customize cybersecurity controls.

ISO 27001
  • ISO 27001 is an internationally recognized approach for establishing and maintaining an ISMS.
  • ISO 27001 Annex A provides 14 control categories with 114 controls.
  • ISO 27001 is less technical, with more emphasis on risk-based management that provides best practice recommendations for securing all information.
  • ISO 27001 relies on independent audit and certification bodies.
  • ISO 27001 has 10 clauses to guide organizations through their ISMS.
