ISO 27001 Certification Requirements Explained
A practitioner’s guide to ISO 27001:2022 certification: the 7 mandatory clauses, 93 Annex A controls, and the accredited two-stage audit.
ISO/IEC 27001:2022 certification has three non-negotiable pieces. Build an Information Security Management System (ISMS) that satisfies the seven mandatory clauses (4-10), pick controls from the 93 in Annex A based on a documented risk assessment, and pass a two-stage audit by an accredited certification body. The 2013 transition window closed on 31 October 2025, so every live certificate is now issued against the 2022 standard.
What ISO 27001 Actually Requires
ISO 27001 is a management system standard, not a control checklist. At the center is the Information Security Management System (ISMS), meaning the policies, processes, risk decisions, and records that govern how your organization protects the confidentiality, integrity, and availability of information.
The standard splits into two parts:
- Clauses 4-10, the mandatory management system requirements. Every organization must meet all of them.
- Annex A, a reference set of 93 controls across four themes. You only implement the ones your risk assessment justifies, and you record every include/exclude decision in a Statement of Applicability.
Clauses 1-3 (scope, references, terms) are informational and not auditable. The “Harmonized Structure” used in the 2022 revision aligns ISO 27001 with ISO 9001, 14001, and 22301, which is why integrated audits are increasingly common.
Why an Accredited Certificate Pays for Itself
According to the ISO Survey, ISO/IEC 27001 remains one of the fastest-growing management system standards. The 2024 ISO Survey recorded 61,370 valid certificates covering 88,323 sites worldwide, a 44% site-count increase versus 2023.
In practice, that growth is happening because enterprise procurement teams, EU regulators under NIS2 and DORA, and US federal buyers now treat an accredited ISO 27001 certificate as the baseline for vendor risk assessment.
An ISO 27001 certificate from a non-accredited body (no UKAS, ANAB, or other IAF member backing it) is a participation trophy. Large tenders and regulated sectors will reject it.
The Pillars of ISO 27001 at a Glance
| Component | Purpose | Key Focus Area |
|---|---|---|
| Mandatory Clauses (4-10) | Establish the ISMS framework | Context, leadership, planning, support, operation, evaluation, improvement |
| Annex A Controls (93) | Catalogue of selectable safeguards | Organizational, People, Physical, Technological |
| Risk Assessment | Drive control selection | Threats, vulnerabilities, likelihood, impact |
| Statement of Applicability | Document control decisions | Which of the 93 controls apply, why, and how |
| Continual Improvement | Keep the ISMS effective | Monitoring, audits, management review, corrective action |
The rest of this guide walks each of these in the order an auditor will assess them.
The Mandatory Clauses: 4 Through 10
Clauses 4 through 10 are where auditors spend the bulk of Stage 2. Each one uses “shall” language, meaning every sub-requirement is mandatory. You cannot exclude any of them.
Clause 4: Context of the Organization
Clause 4 forces you to define the ground your ISMS stands on. Four sub-clauses must be documented:
- 4.1 Internal and external issues that affect the ISMS (often a PESTLE or SWOT output).
- 4.2 Interested parties, meaning customers, regulators, investors, and employees, plus their requirements.
- 4.3 The ISMS scope: locations, services, systems, and people in and out of the boundary.
- 4.4 A process view showing how the ISMS operates end-to-end.
If your scope statement is vague, the auditor will widen it for you. Keep it precise and defensible.
Clause 5: Leadership Is Audited by Interview, Not Policy PDF
Clause 5 holds top management personally accountable. It is not something you can delegate to a CISO and walk away from. Leadership must:
- Approve a written Information Security Policy.
- Assign ISMS roles, responsibilities, and authorities.
- Provide resources: budget, people, tooling.
- Promote continual improvement.
Auditors test Clause 5 by interviewing executives. If the CEO can’t articulate the security policy in their own words, that is a finding, regardless of how good your documentation looks.
Clause 6: Planning Is Where Most Programs Underinvest
Clause 6 is the analytical core of the ISMS and the clause most companies under-invest in. It requires a defined risk assessment methodology, a documented risk treatment process, a Statement of Applicability that covers every one of the 93 Annex A controls, and measurable information security objectives. For a deeper dive on methodology, see our guide to security risk management.
The 2022 revision adds Clause 6.3 (“Planning of changes”), requiring you to plan and control ISMS changes rather than drifting. Typical objectives look like “reduce Sev 1 incidents by 30% year-over-year” or “achieve 100% MFA coverage on production admin accounts by Q3.”
Clause 7: Support
Clause 7 is the supply line for the ISMS. You must maintain evidence of:
- Resources: budget, headcount, and technology allocated to security.
- Competence: defined role requirements plus records proving people meet them.
- Awareness: every employee understands the policy, their responsibilities, and the consequences of non-conformance.
- Communication: internal and external comms channels for security topics.
- Documented information: version-controlled, access-controlled, and retained per policy.
Clause 8: Operation
Clause 8 is where plans become reality. You perform the risk assessments and risk treatment plans from Clause 6 on a defined cadence, control outsourced processes, and retain evidence that controls operated as designed. This is also the clause where change management bites, because unplanned changes to the ISMS create non-conformities fast.
Clause 9: Performance Evaluation
Clause 9 is how you prove the ISMS works. It requires three distinct activities:
- Monitoring, measurement, analysis, and evaluation against defined metrics. Teams that invest in continuous compliance monitoring close this clause with far less manual effort.
- Internal audits on a planned schedule covering all clauses and applicable controls before Stage 2.
- Management review meetings with mandatory inputs (audit results, risk changes, objective performance) and documented outputs.
Clause 10: Improvement
Clause 10 closes the loop. When nonconformities appear, whether from internal audit, customer complaints, incidents, or surveillance findings, you must react, contain, root-cause, correct, and verify the fix. The 2022 revision reorders the sub-clauses so that “Continual Improvement” (10.1) comes before “Nonconformity and corrective action” (10.2), emphasizing that improvement is proactive, not just reactive.
For a deeper walk-through of how these clauses fit together in practice, see our guide on Information Security Management Systems.
Annex A: The 93 Controls in Four Themes
Annex A is the control catalogue, not a mandate. The 2022 revision consolidated the old 114 controls from 14 domains into 93 controls organized under four themes, and added 11 new controls covering threat intelligence, cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
ISO’s own guidance on the restructure is available from the ISO 27001 standard page. If you want the control-by-control view, our ISO 27001 compliance checklist walks every Annex A item.
Organizational Controls (A.5): 37 Controls
The largest theme. Organizational controls set governance and rules of engagement: the information security policy (A.5.1), roles and responsibilities (A.5.2), segregation of duties (A.5.3), contact with authorities (A.5.5), threat intelligence (A.5.7, new in 2022), information security in supplier relationships (A.5.19-A.5.23), and incident management (A.5.24-A.5.28).
Supplier controls in particular have sharpened post-NIS2. If a vendor breach knocks you over, the auditor will ask what A.5.19 evidence you collected beforehand.
People Controls (A.6): 8 Controls
People controls cover the employee lifecycle: screening (A.6.1), employment terms (A.6.2), awareness and training (A.6.3), disciplinary process (A.6.4), responsibilities after termination (A.6.5), confidentiality agreements (A.6.6), remote working (A.6.7), and information security event reporting (A.6.8). Remote working as its own control is a 2022 addition that recognizes how hybrid work reshaped the threat model.
Annual click-through training is not awareness. Auditors increasingly ask for phishing simulation results, role-specific training logs, and evidence that managers review completion.
Physical Controls (A.7): 14 Controls
Physical controls secure offices, data centers, equipment, and media. Highlights include physical security perimeters (A.7.1), physical entry (A.7.2), protection against environmental threats (A.7.5), secure disposal or re-use of equipment (A.7.14), and physical security monitoring (A.7.4, new in 2022).
Cloud-first startups often assume physical controls don’t apply. But your offices, badge systems, and any on-prem equipment are still in scope, and you must evidence due diligence on your data center providers.
Technological Controls (A.8): 34 Controls
The second-largest theme and the one most engineering teams recognize. It covers user endpoints (A.8.1), privileged access (A.8.2), access restrictions (A.8.3), authentication (A.8.5), capacity management (A.8.6), malware (A.8.7), vulnerability management (A.8.8), configuration management (A.8.9, new), information deletion (A.8.10, new), data masking (A.8.11, new), data leakage prevention (A.8.12, new), logging (A.8.15), monitoring activities (A.8.16, new), web filtering (A.8.23, new), cryptography (A.8.24), and secure development (A.8.25-A.8.28). Vulnerability management in particular should be backed by one of the best vulnerability management tools. For guidance on drafting the foundational A.5.15 policy, see access control policy.
The Statement of Applicability Is the Document Auditors Live In
The Statement of Applicability (SoA) is the single most scrutinized document in a Stage 2 audit. For each of the 93 Annex A controls it must state:
- Whether the control is applicable.
- The justification for inclusion or exclusion, tied to a specific risk or legal requirement.
- How the control is implemented (policy, system, process, or evidence reference).
“Not applicable because we are cloud-only” is not a valid exclusion. Every decision must trace back to the Clause 6 risk assessment.
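The three requirements above (a decision for every one of the 93 controls, a justification traced to a risk or legal requirement, and an implementation reference) are easy to check mechanically before an auditor does. The following is an added example, not code from the original article or from any product it mentions: a small validator for an SoA register. The control numbering (A.5.1-A.5.37, A.6.1-A.6.8, A.7.1-A.7.14, A.8.1-A.8.34) follows the 2022 Annex A; the risk IDs, field names and sample entries are constructed for the example.

```python
"""Check a Statement of Applicability register for the gaps a Stage 2 auditor
looks for: controls with no decision, exclusions that trace to nothing, and
included controls with no implementation reference. Added example; the data
model and risk IDs are assumptions, not any standard or product format."""
from dataclasses import dataclass

# Annex A (ISO/IEC 27001:2022) theme sizes: 37 + 8 + 14 + 34 = 93 controls.
ANNEX_A_THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}


def annex_a_control_ids():
    """All 93 Annex A control identifiers in the 2022 numbering."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str
    risk_refs: tuple = ()      # IDs from the Clause 6 risk register (assumed format)
    legal_refs: tuple = ()     # statutory/contractual drivers, free text
    implementation: str = ""   # policy, system, process or evidence reference


def validate_soa(entries, risk_register_ids):
    """Return a list of findings; an empty list means the register passes."""
    findings = []
    valid_ids = annex_a_control_ids()
    by_id = {}
    for e in entries:
        if e.control_id in by_id:
            findings.append(f"{e.control_id}: duplicate entry")
        by_id[e.control_id] = e

    # Every Annex A control needs an explicit include/exclude decision.
    for cid in valid_ids:
        if cid not in by_id:
            findings.append(f"{cid}: no applicability decision recorded")

    for e in entries:
        if e.control_id not in valid_ids:
            findings.append(f"{e.control_id}: not an Annex A 2022 control id")
        if not e.justification.strip():
            findings.append(f"{e.control_id}: empty justification")
        # "Cloud-only" style blanket exclusions fail here: no risk, no law cited.
        if not (e.risk_refs or e.legal_refs):
            findings.append(f"{e.control_id}: justification not traced to a risk "
                            "or legal requirement")
        for r in e.risk_refs:
            if r not in risk_register_ids:
                findings.append(f"{e.control_id}: cites risk {r} missing from "
                                "the risk register")
        if e.applicable and not e.implementation.strip():
            findings.append(f"{e.control_id}: applicable but no implementation "
                            "reference")
    return findings


def sample_soa(with_defects=True):
    """Constructed register: all 93 controls included and traced to risk R-001,
    optionally with four deliberate defects of the kinds the guide warns about."""
    risk_ids = {"R-001", "R-002"}
    entries = {cid: SoaEntry(cid, True, "Mitigates an assessed risk",
                             risk_refs=("R-001",),
                             implementation=f"POL-{cid} (constructed ref)")
               for cid in annex_a_control_ids()}
    if with_defects:
        # Blanket exclusion with no risk or legal trace.
        entries["A.7.1"] = SoaEntry("A.7.1", False,
                                    "Not applicable because we are cloud-only")
        # Included control with nothing saying how it is implemented.
        entries["A.8.8"] = SoaEntry("A.8.8", True, "Patch SLA risk",
                                    risk_refs=("R-002",))
        # Justification pointing at a risk ID that does not exist.
        entries["A.5.7"] = SoaEntry("A.5.7", True, "Threat intel feed",
                                    risk_refs=("R-999",),
                                    implementation="Runbook TI-1 (constructed)")
        # One control silently left out of the register.
        del entries["A.6.7"]
    return list(entries.values()), risk_ids


if __name__ == "__main__":
    entries, risks = sample_soa()
    for finding in validate_soa(entries, risks):
        print(finding)
```

Running the block prints four findings (the missing A.6.7 decision, the untraced A.7.1 exclusion, the unknown risk on A.5.7, and the unimplemented A.8.8); with `sample_soa(with_defects=False)` the register passes clean. Pointing the validator at an export of your real register is the cheap pre-Stage 1 check that every control has a decision and every decision has a reason.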
How the Accredited Certification Audit Works
ISO does not issue certificates. Certification is granted by a Certification Body (CB) that is itself accredited by a national Accreditation Body (AB): UKAS in the UK, ANAB in the US, DAkkS in Germany, or another member of the International Accreditation Forum (IAF).
CBs operate under ISO/IEC 17021-1 and ISO/IEC 27006, and the IAF’s MLA means an accredited certificate is recognized across jurisdictions. Always verify accreditation directly through the AB’s public directory. Our end-to-end certification process breakdown maps each stage to the documents you must produce.
Stage 1: Documentation and Readiness Review
Stage 1 is a readiness review, not pass/fail. The auditor evaluates:
- The ISMS scope statement.
- The risk assessment and treatment methodology and results.
- The Statement of Applicability.
- Evidence of leadership commitment.
- Core documented information (policies, procedures).
You receive a report listing “areas of concern” that must be resolved before Stage 2. Stage 1 is typically conducted 4-12 weeks before Stage 2 to give you time to close gaps.
Stage 2: Implementation Audit
Stage 2 is the certification audit. The auditor validates that the ISMS operates as documented by interviewing staff, sampling records, observing processes, and testing controls. Duration is driven by mandatory audit-day tables in IAF MD 5 based on your employee count and scope complexity, typically 2-10 days for SMBs. Teams using automated evidence collection tend to shorten sampling time dramatically. The output is a recommendation for certification, subject to resolution of any findings.
Findings and What They Mean
- Major nonconformity: a systemic failure or complete absence of a required process. Blocks certification until closed with a full corrective action (root cause, fix, evidence).
- Minor nonconformity: an isolated lapse. You submit a corrective action plan, usually within 90 days. Does not block certification.
- Opportunity for improvement: advisory only, no response required.
The 3-Year Cycle and Surveillance
An accredited certificate is valid for three years. To keep it, you undergo annual surveillance audits (usually 1/3 the time of Stage 2), and a full recertification audit before the three-year expiry. This cycle is mandated by IAF mandatory documents. See our end-to-end walkthrough in How to Get ISO 27001 Certified.
The 2013-to-2022 Transition Is Over
Per IAF MD 26:2023, the three-year transition window closed on 31 October 2025. Any certificate still referencing ISO/IEC 27001:2013 is invalid as of 1 November 2025. If you missed the window, you start a new initial certification against 27001:2022. There is no grace period.
Common Implementation Headaches and How to Clear Them
Most first-time certifications stumble on the same three issues. Name them early and you save months.
Getting Leadership to Actually Invest
Executives who view security as a cost center will underfund the project and it will fail at Clause 5. Translate the ask into outcomes they already care about:
- Revenue unlock: enterprise RFPs increasingly require an accredited certificate, not a self-attested questionnaire. The wider business case is laid out in the benefits of ISO 27001 certification.
- Regulatory cover: ISO 27001 materially simplifies NIS2, DORA, and UK Cyber Essentials Plus mappings.
- Breach avoidance: the IBM Cost of a Data Breach Report 2024 put the global average at USD 4.88M, with organizations running mature security programs saving around USD 2.22M per incident.
Defining a Realistic Scope
Too narrow and enterprise customers will discount the certificate. Too broad and the project collapses under its own weight.
Start with the products, teams, and systems that process your customers’ data (the assets tied to your revenue), and exclude legacy or peripheral services you can credibly fence off. You can widen scope at surveillance.
Running a Risk Assessment That Isn’t Theater
A risk assessment that lists “malware” and “insider threat” with a generic impact rating of “Medium” will fail. Tie each risk to a specific asset, a concrete threat scenario, a quantified impact, and an owner.
Example: “Ransomware encryption of the customer Postgres cluster causes 48 hours of SaaS downtime and triggers DORA Article 19 incident reporting for three financial-sector customers.” That level of specificity drives defensible control selection.
Common Hurdles and Proactive Solutions
| Challenge | Potential Impact | Proactive Solution |
|---|---|---|
| Lack of employee engagement | Controls fail at the human layer despite tooling in place. | Role-based training with real phishing data; publish metrics quarterly. |
| Thin documentation | Auditors cannot verify and issue major nonconformities. | Document as you build; use a compliance automation platform to keep artefacts versioned. |
| “Set and forget” ISMS | Controls drift from reality between surveillance audits. | Quarterly internal audits and management reviews, not annual. |
| Unmanaged vendor risk | A supplier breach turns into your customer’s incident. | Formal A.5.19-A.5.23 program: pre-contract assessment, annual review, evidence retention. |
Your Top ISO 27001 Questions
How Long Does ISO 27001 Certification Take?
For a startup with decent existing hygiene, 6 months is achievable. For a mid-market company with legacy systems and no prior framework, plan on 9-15 months. Enterprise implementations regularly run 18+ months. The two biggest accelerators are executive sponsorship and a dedicated project owner with the authority to make decisions across engineering, HR, and legal.
What Is the Difference Between ISO 27001 and SOC 2?
ISO 27001 is a certification against a management system standard. SOC 2 is an attestation report prepared by a CPA firm under the AICPA Trust Services Criteria. ISO 27001 proves you have the system; SOC 2 reports on how specific controls operated over a defined window. They overlap significantly, and many companies pursue both. The full comparison lives in ISO 27001 vs SOC 2.
ISO 27001 reports on the existence and effectiveness of the risk management framework. SOC 2 reports on the effectiveness of service-commitment controls.
Do I Have to Implement Every Annex A Control?
No. You assess each of the 93 controls against your risk assessment, include the ones that apply, and record the rationale in the Statement of Applicability. Exclusions are allowed but must be justified by absence of the underlying risk, not by inconvenience or cost. Most SMBs end up applying 75-90 of the 93 controls.
How Much Does ISO 27001 Certification Cost?
Total first-year spend breaks into three buckets:
- Implementation: internal time, consultants, and tooling. Varies widely; USD 15k-60k is typical for SMBs.
- Audit fees: Stage 1 and Stage 2 from an accredited CB. Expect USD 10k-25k for a 50-200 headcount company, more for wider scope.
- Ongoing maintenance: surveillance audits (roughly 1/3 of Stage 2 fee annually), internal audit effort, and platform costs.
A reasonable SMB total first-year range in 2026 is USD 25,000 to USD 80,000+ depending on how much you staff internally versus outsource.
Comp AI gets companies audit-ready in days, not months. Evidence collection is automated, the Statement of Applicability builds itself from your risk register, and every artefact is audit-traceable. See how Comp AI handles ISO 27001.