Invoance

Certification · 12 min read

ISO 27001: The Complete Guide to Certification

ISO 27001 is the international gold standard for information security management. This guide covers the ISMS framework, Annex A controls, certification process, and how verifiable evidence strengthens your security posture beyond checkbox compliance.

What is ISO 27001?

ISO 27001 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

Unlike SOC 2, which is an attestation framework specific to service organizations, ISO 27001 is a certifiable standard applicable to any organization regardless of size, industry, or geography. Certification is granted by accredited certification bodies after a rigorous audit process and must be maintained through annual surveillance audits and recertification every three years.

ISO 27001 is particularly valued in international business. While SOC 2 is predominantly recognized in North American markets, ISO 27001 certification is recognized globally and is often a requirement for doing business with European, Asian, and government organizations.

The 2022 revision of ISO 27001 reorganized the Annex A controls from 114 controls across 14 domains to 93 controls across four themes: organizational, people, physical, and technological. This restructuring modernized the framework to better address cloud computing, remote work, and contemporary threat landscapes.

Building an information security management system

An ISMS is not a product or a technology — it is a management framework that encompasses policies, processes, people, and technology for managing information security risks systematically.

The foundation of an ISMS is the risk assessment process. ISO 27001 requires organizations to identify their information assets, assess the threats and vulnerabilities that could affect those assets, evaluate the likelihood and impact of potential incidents, and select controls to address unacceptable risks.

The standard follows a Plan-Do-Check-Act (PDCA) cycle. Plan involves establishing the ISMS policy, objectives, risk assessment methodology, and risk treatment plan. Do involves implementing the risk treatment plan and the controls necessary to manage identified risks. Check involves monitoring and measuring the performance of the ISMS against its objectives. Act involves taking corrective actions and continually improving the ISMS based on what the monitoring reveals.

The ISMS must be supported by documented information including the information security policy, risk assessment methodology, statement of applicability (which Annex A controls are implemented and why), risk treatment plan, and evidence of ISMS performance and effectiveness.

A common mistake is treating the ISMS as a documentation exercise. Auditors assess whether the system is actually operating, not just whether the documentation exists. The PDCA cycle must be demonstrably active, with evidence of regular risk reviews, management reviews, internal audits, and continuous improvement actions.

Key insight. The Statement of Applicability (SoA) is the most scrutinized document in an ISO 27001 audit. It must clearly state which Annex A controls are implemented, which are excluded, and the justification for each exclusion. Auditors will test every included control.

Annex A controls overview

Annex A of ISO 27001:2022 contains 93 controls organized into four themes.

Organizational controls (37 controls) cover policies, roles, asset management, access control, supplier relationships, incident management, business continuity, and compliance. These controls establish the governance and operational framework for information security.

People controls (8 controls) address screening, employment terms, awareness and training, disciplinary processes, and post-employment responsibilities. These controls recognize that people are both the greatest asset and the greatest vulnerability in information security.

Physical controls (14 controls) cover physical security perimeters, office security, equipment protection, secure disposal, and clear desk policies. While often overlooked by technology companies, physical controls remain relevant for any organization with offices, data centers, or physical assets.

Technological controls (34 controls) address endpoint security, access rights, cryptography, secure development, network security, data protection, logging, monitoring, and vulnerability management. These controls are typically the most technically intensive and the most closely scrutinized during audits.

Organizations do not need to implement every Annex A control. The Statement of Applicability documents which controls are implemented based on the risk assessment results. Controls that are not applicable can be excluded with documented justification. However, auditors will challenge exclusions that appear to avoid rather than address identified risks.

The ISO 27001 certification process

Certification proceeds through two stages conducted by an accredited certification body.

Stage 1 is a readiness review. The auditor reviews your ISMS documentation, assesses whether your management system meets the requirements, and identifies any gaps that must be addressed before the Stage 2 audit. Stage 1 is typically conducted partly remotely and results in findings that you address before proceeding.

Stage 2 is the certification audit. Auditors conduct an on-site (or hybrid) assessment of whether your ISMS is effectively implemented and operating. They interview staff, observe processes, sample evidence, and test controls. Stage 2 typically takes three to five days depending on organizational size and scope.

If the audit is successful, the certification body issues an ISO 27001 certificate valid for three years. Ongoing maintenance requires annual surveillance audits (typically shorter than the initial certification audit) and a full recertification audit at the end of the three-year cycle.

Nonconformities identified during any audit are classified as major or minor. Major nonconformities must be resolved before certification can be granted or maintained. Minor nonconformities require corrective action plans with defined timelines.

The total timeline from ISMS implementation to certification typically ranges from six to twelve months for organizations with existing security programs, and twelve to eighteen months for organizations building from scratch. Engaging a certification body early in the process for a gap assessment can accelerate the timeline significantly.

Strengthening ISO 27001 with proof infrastructure

ISO 27001 Annex A includes controls for cryptography (A.8.24), logging (A.8.15), information security event management (A.5.25), and evidence collection (A.5.28). These controls collectively require that organizations protect the integrity of logged information and collect evidence of information security events in a manner that supports investigation and legal proceedings.

The evidence collection control (A.5.28) specifically states that procedures for identification, collection, acquisition, and preservation of evidence shall be defined and implemented. For organizations processing high-stakes outputs — AI decisions, financial calculations, contractual documents — this control implicitly requires evidence preservation mechanisms that are tamper-evident.

Cryptographic proof infrastructure directly strengthens several Annex A controls simultaneously. It provides cryptographic integrity for logged information (A.8.15), implements appropriate cryptographic controls (A.8.24), creates tamper-evident evidence records (A.5.28), and supports information security incident investigation with immutable evidence.
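The tamper-evident evidence record described above, as an added illustration that is not Invoance's own code: each record carries the hash of its predecessor and a keyed tag, so an edited record or a broken link fails verification, while a deleted tail is only caught against a head hash anchored outside the log. The HMAC key and event payloads are constructed for the demo; a production deployment would use an asymmetric signature so an auditor can verify records without holding the key.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" of the first record

def record_digest(prev_hash, event):
    # Canonical JSON so an identical event always yields the identical digest.
    payload = json.dumps({"prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def append_event(chain, event, key):
    """Append one event, chained to the previous record and tagged with the key."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = record_digest(prev, event)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "event": event, "hash": digest, "tag": tag})
    return digest

def verify_chain(chain, key, anchored_head=None):
    """None if intact, else the index of the first failing record; a deleted tail
    passes alone and is caught only against anchored_head (returns len(chain))."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != record_digest(prev, rec["event"]):
            return i
        tag = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, rec["tag"]):
            return i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(chain)
    return None

def demo():
    """Constructed events: an intact chain, an edited record, a deleted tail."""
    key = b"constructed-demo-key"  # in production a KMS/HSM-held key or signing key
    events = [{"seq": 1, "type": "ai_decision", "outcome": "approve"},
              {"seq": 2, "type": "fee_calculation", "amount": 100},
              {"seq": 3, "type": "contract_issued", "doc": "C-17"}]
    chain = []
    for e in events:
        append_event(chain, e, key)
    anchored = chain[-1]["hash"]  # e.g. the head hash filed with review minutes
    edited = [dict(r, event=dict(r["event"])) for r in chain]
    edited[1]["event"]["amount"] = 999
    truncated = chain[:-1]
    return (verify_chain(chain, key, anchored), verify_chain(edited, key, anchored),
            verify_chain(truncated, key), verify_chain(truncated, key, anchored))
```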

During certification and surveillance audits, the ability to demonstrate cryptographic proof infrastructure signals operational maturity that distinguishes your ISMS from a documentation-only approach. Auditors recognize that tamper-evident evidence records represent a higher bar of integrity than standard application logs, and this often translates to fewer findings and more efficient audits.

For organizations pursuing both ISO 27001 and SOC 2, proof infrastructure provides shared evidence that satisfies requirements in both frameworks. The investment in proof infrastructure reduces the total cost of multi-framework compliance while strengthening each individual certification.
