A mid-sized company receives a tender from a corporate customer: “Participation requires a valid ISO 27001 certificate or equivalent proof.” The deadline is 18 months — from the first management discussion to passing the certification audit. Starting the build-up only after the tender arrives is too late. ISO 27001 has become a prerequisite for doing business in many B2B markets and regulated industries rather than a marketing asset.
ISO/IEC 27001 is the international standard for information security management systems (ISMS). It defines how an organisation plans, implements, monitors and improves information security systematically, regardless of size, industry or technology stack. The current version is ISO/IEC 27001:2022.
What does the standard cover?
The standard has two layers: the main body with ten clauses (the actual management system) and Annex A (reference catalogue of 93 security controls).
The ten clauses in the main body
- Clauses 1-3 — scope, normative references, terms and definitions.
- Clause 4 — Context of the organisation: internal and external issues, interested parties, scope of the ISMS.
- Clause 5 — Leadership: top management commitment, information security policy, roles and responsibilities.
- Clause 6 — Planning: risk assessment and treatment, security objectives, Statement of Applicability (SoA).
- Clause 7 — Support: resources, competence, awareness, communication, documented information.
- Clause 8 — Operation: operational execution of risk treatment.
- Clause 9 — Performance evaluation: monitoring, internal audit, management review.
- Clause 10 — Improvement: corrective actions and continual improvement.
Annex A — the control catalogue
93 controls in four themes:
- A.5 — Organisational controls (37): policies, roles, suppliers, incidents.
- A.6 — People controls (8): training, disciplinary process, remote working.
- A.7 — Physical controls (14): access, equipment, secure disposal.
- A.8 — Technological controls (34): endpoints, network, cryptography, development.
The detailed descriptions with implementation guidance live in ISO/IEC 27002:2022. This structure was introduced in the 2022 revision; the predecessor from 2013 had 114 controls in 14 groups.
Certification process
Stage 1 — document review. The certification body checks whether the ISMS is complete on paper: scope, policy, risk assessment methodology, SoA, procedures for internal audit and management review. Duration: 1-3 days, depending on organisation size.
Stage 2 — on-site audit. Effectiveness review: is the documented ISMS actually practised? Auditors interview samples from all departments, examine evidence and test the effectiveness of controls. Duration: 2-10 days, depending on the number of sites and employees.
Surveillance audits. In years 1 and 2 after initial certification, the certification body conducts reduced surveillance audits (typically 1-3 days). In year 3, the recertification audit takes place (comparable in scope to Stage 2). The certificate is valid for three years.
Prerequisites before Stage 1:
- ISMS has been running productively for at least three months
- Documented internal audit covering the full scope is in place
- At least one management review has been conducted
- Risk treatment plan is implemented or formally deferred with justification
Mapping to other standards
| Standard | Relation to ISO 27001 |
|---|---|
| ISO/IEC 27002:2022 | Implementation guidance for Annex A; not certifiable |
| ISO/IEC 27005:2022 | Methodological guidance for risk management |
| ISO/IEC 27017 / 27018 | Cloud security / protection of personal data in the cloud |
| ISO 22301 | BCM standard; complements ISO 27001 with business continuity |
| BSI IT-Grundschutz | Recognised in Germany as equivalent to ISO 27001 (with additional requirements) |
| NIST Cybersecurity Framework | US framework, freely accessible, maps to ISO 27001 |
| CIS Controls | Concrete technical measures that complement ISO controls with implementation detail |
| TISAX | ISO-27001-based, industry-specific for automotive |
| C5 (BSI) | Cloud security requirements, integrates ISO 27001 controls |
Implementation effort
SME (10-50 people): 6-12 months of build-up, then 0.2-0.5 FTE for ongoing operation. External support during the build-up phase typically 15-30 consulting days.
Mid-market (50-500 people): 12-18 months of build-up, 0.5-1.5 FTE for operation. An internal ISO or CISO position is often created, sometimes combined with other duties.
Corporation (>500 people): 18-36 months of build-up with multiple sites or complex business processes. Several FTEs for the ISMS team, often with decentralised responsibility per business unit.
Recurring costs: external audit days (initial audit ~5-15 days, surveillance ~2-5 days annually), training, tooling, risk treatment measures.
Related standards
- ISO/IEC 27002: implementation guidance for Annex A.
- ISO/IEC 27005: risk management methodology for an ISO 27001 ISMS.
- BSI IT-Grundschutz: German standard with greater detail; mandatory in federal authorities.
- ISO 22301: Business Continuity Management, complementary to ISO 27001.
Sources
- ISO/IEC 27001:2022 (ISO Online Browsing Platform) — official standard information
- ISO/IEC 27002:2022 — the implementation guidance
- BSI: ISO/IEC 27001 Native — recognition in Germany
- Beuth Verlag — German translation as DIN EN ISO/IEC 27001 (paid)