ISO/IEC 27001

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). Certification is issued by accredited certification bodies after an audit.

Get a demo All frameworks

Governed by ISO and IEC (current revision: ISO/IEC 27001:2022)

What it is

What ISO/IEC 27001 is, in plain terms

ISO/IEC 27001 is the leading international standard for an Information Security Management System (ISMS) — a documented, risk-driven way of managing the security of information across people, processes, and technology. Unlike SOC 2, it results in an actual certification issued by an accredited certification body after a two-stage audit. The 2022 revision modernized Annex A into 93 controls across four themes and added attributes to help organize them.

Typical effort & timeline

Certification involves a Stage 1 (documentation) and Stage 2 (implementation) audit, followed by surveillance audits in the following years and recertification on a three-year cycle. Plan for an operating period long enough to demonstrate the ISMS is genuinely running.

Who needs it

Is this framework for you?

Companies selling internationally, where ISO 27001 is often the expected security credential.
Organizations that want a certifiable, audit-backed information security program rather than an attestation.
Teams already pursuing SOC 2 who want to reuse that work toward a globally recognized certificate.

About the framework

Key facts about ISO/IEC 27001

Specifies requirements for establishing, maintaining, and continually improving an ISMS.
The 2022 revision lists 93 controls in Annex A, organized into four themes: Organizational, People, Physical, and Technological.
Requires risk assessment and a Statement of Applicability (SoA) documenting control selection.
Certification is granted by accredited certification bodies, not by tooling.

Public information about the framework itself. We don't claim certifications, assessment status, or authorizations for our own product.

With this platform

How we help with ISO/IEC 27001

Maintain a risk register that feeds your Statement of Applicability.
Map Annex A controls to tests and evidence.
Reuse evidence already collected for SOC 2 to reduce duplicate work.
Track ISMS activities and continual improvement over time.

Step by step

Get and stay compliant

How the platform supports your ISO/IEC 27001 program — from first scope to ongoing monitoring.

Define ISMS scope & context

Establish the boundaries of your ISMS and document the context, interested parties, and objectives.

Run risk assessment & treatment

Maintain a risk register that drives which Annex A controls you select and feeds your Statement of Applicability.

Implement & map Annex A

Map the selected controls to tests and evidence, reusing anything already collected for SOC 2.

Operate & improve

Track ISMS activities, internal audits, and continual improvement so the program is demonstrably alive at audit time.

Representative areas

What ISO/IEC 27001 covers

Public, high-level control or requirement areas — for orientation, not a complete control list.

Organizational controls

People controls

Physical controls

Technological controls

Risk assessment & treatment

Statement of Applicability

Do it once

Reuse evidence across frameworks

ISO/IEC 27001 shares controls with frameworks you may already run. A passing test can satisfy requirements in more than one place — so adding the next framework means reusing work, not repeating it.

SOC 2

Trust Services Criteria for service organizations

ISO/IEC 27701

Privacy information management extension to ISO 27001

ISO/IEC 42001

International standard for AI management systems

FAQ

Common questions about ISO/IEC 27001

ISO 27001 is a certifiable management-system standard with a certificate from an accredited body; SOC 2 is a CPA attestation report. Their security controls overlap heavily, so evidence is largely reusable.

The 2022 revision lists 93 controls organized into Organizational, People, Physical, and Technological themes.

The SoA documents which Annex A controls apply, why, and their implementation status — it is a central artifact auditors review.

Get audit-ready for ISO/IEC 27001

Get a guided demo, or start by scanning any domain for free.

Get a demo Compliance automation