
ISO 27001 Overview: What It Is and What It Requires

A practical breakdown of ISO 27001 — the structure of the standard, what certification actually proves, and what you're committing to before you start.

What ISO 27001 Actually Is

ISO 27001 is the international standard for Information Security Management Systems (ISMS). It specifies the requirements for establishing, implementing, maintaining, and continually improving a system for managing information security risk.

Certification means an accredited third-party auditor has verified that your ISMS meets the standard. It doesn’t mean you’re unbreachable — it means you have a documented, tested, and managed approach to security.


The Structure of the Standard

ISO 27001:2022 is organised into two main parts:

The management system clauses (4–10): These define how you build and run your ISMS — context, leadership, planning, support, operation, evaluation, and improvement. This is the framework that holds everything together.

Annex A controls: 93 controls across four themes — Organisational, People, Physical, and Technological. You don’t have to implement all 93. You document which ones apply in your Statement of Applicability (SoA), with justification for anything excluded.


What Certification Proves

When you achieve ISO 27001 certification, you’re demonstrating:

  • You’ve identified and assessed your information security risks
  • You have controls in place to treat those risks
  • Those controls are documented, tested, and monitored
  • You have a process for reviewing and improving your ISMS
  • An independent auditor has verified all of the above

This is why enterprise procurement teams trust it. It’s not a self-assessment — it’s third-party verified.


The Certification Process

Stage 1 Audit (Documentation Review)

The auditor reviews your ISMS documentation — policies, risk register, SoA, procedures. They’re checking that you’ve designed a system that meets the standard, not yet that it works.

Stage 2 Audit (Implementation Audit)

The auditor goes deeper — interviewing staff, testing controls, reviewing evidence. They’re verifying that what your documents say is actually happening.

Certification Decision

If the auditor is satisfied, they recommend certification to the certification body. You receive a certificate valid for three years, subject to annual surveillance audits.


What You’re Committing To

ISO 27001 is not a one-time project. It’s an ongoing commitment to:

  • Annual internal audits
  • Annual surveillance audits (years 1 and 2)
  • Full recertification audit (year 3)
  • Continual improvement — you must demonstrate the ISMS is getting better, not just maintained

Organisations that treat certification as the finish line tend to struggle at their first surveillance audit.


Common Mistakes

  • Scope too broad — trying to certify your entire organisation when a defined scope would have been faster and cheaper
  • Controls without evidence — saying you do something without being able to prove it
  • Risk register as a document — treating it as a compliance artefact rather than a management tool
  • No management review — leadership needs to be visibly involved, not just sign off on a document once a year