What is ISO 27001?

ISO/IEC 27001, known more commonly as ISO 27001, is the leading globally recognized information security standard, developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO 27001 provides a systematic, structured and risk-based approach to managing and protecting sensitive information assets within an organization of any size, in any industry or economic sector.

Specifically, the ISO 27001 standard is a set of requirements for defining, implementing, operating and improving an information security management system (ISMS) within an organization. Practically, it provides a comprehensive framework for organizations to manage and protect their sensitive data and other information, reducing the risk of data breaches, cyberattacks and other security incidents.

First published in 2005, ISO 27001 was revised in 2013 and, most recently, in 2022. The current version of the standard is ISO/IEC 27001:2022.

ISO 27001 is part of the ISO/IEC 27000 family of standards, developed jointly by the ISO and the IEC to help organizations protect the security of their information. Other members of the family include ISO/IEC 27000 (overview and vocabulary) and ISO/IEC 27002, which gives implementation guidance for the controls listed in Annex A of ISO 27001.

IBM Cloud and ISO 27001

The services listed below are ISO 27001-certified, demonstrating IBM's core security commitments established in the IBM Data Security and Privacy Principles. The certificates covering these services are reissued at least once each year. The IBM Data Processing Addendum (DPA) Exhibits linked within each IBM Service Description (SD) indicate whether a given offering maintains ISO 27001 certification.

IBM virtual private cloud (VPC), platform as a service (PaaS) and software as a service (SaaS) offerings have also implemented a Privacy Information Management System (PIMS) under ISO/IEC 27701:2019. Both ISMS and PIMS are listed in the ISO 27001 certificate for VPC, PaaS and SaaS services. For more information about PIMS and ISO 27701, see the IBM Cloud compliance ISO 27701 page.

IBM ISO 27001 certificates are published and generally available. ISO 27001 Statements of Applicability (SoAs), a confidential compliance report type, are available upon request.

What is an ISMS?

An ISMS is a set of policies, procedures and controls that govern how an organization manages its information security risks and includes requirements like risk assessment, asset management, access control, cryptography, incident management and more.

The goal of an ISMS is to protect:

  • Information confidentiality, by preventing unauthorized disclosure of information;

  • Information integrity, by making sure information is accurate and complete; and

  • Information availability, by making sure information is accessible when needed.

An ISMS helps a company implement consistent security controls that can adapt to a changing risk environment.

ISO 27001 provisions

ISO 27001 outlines a risk-based process that organizations follow when creating and maintaining an ISMS:

  • Risk assessment: identify the information security risks to the organization's information, analyze the likelihood and consequences of each, and evaluate them against the organization's own risk acceptance criteria;

  • Risk treatment: select treatment options for the risks that exceed those criteria, determine the controls needed, compare them against Annex A so that no necessary control is overlooked, record the result in a Statement of Applicability and a risk treatment plan, and obtain the risk owners' approval; and

  • Monitoring and review: operate the selected controls, measure their effectiveness on an ongoing basis, and repeat the assessment at planned intervals or when significant changes occur, so that data protection and information security within the organization improve continually.

In addition, ISO 27001 helps organizations safeguard the authenticity of information—meaning that the identity of users and systems can be verified throughout the information lifecycle, and helps ensure non-repudiation, meaning that any transactions related to information can be traced and verified.

ISO 27001 requirements

To briefly recap, ISO 27001 requires organizations to:

  • systematically examine their security risks, including threats, vulnerabilities, and potential impacts;

  • design and implement a comprehensive suite of information security controls and other forms of risk treatment to address risks that are deemed unacceptable; and

  • adopt an overarching management process to ensure the information security controls continue to meet the company’s needs and security objectives on a continuous basis.

ISO 27001 also mandates that companies establish an ISMS that is tailored to their specific business needs and risks.

The ISO 27001 standard itself comprises two parts:

  • The main body, organized into eleven (11) clauses (0 to 10). Clauses 0 to 3 are introductory (introduction, scope, normative references, and terms and definitions); clauses 4 to 10 contain the mandatory requirements; and

  • Annex A, a normative reference list of 93 controls, each of which is a specific practice that may be implemented to reduce risks to acceptable levels. An organization is not obliged to implement every Annex A control, but it must compare the controls it has determined it needs against the list and justify any exclusion in its Statement of Applicability.

Mandatory clauses

The main body of ISO 27001 (the 11 clauses) opens with clauses 0 to 3, which give the introduction, scope, normative references, and terms and definitions. Clauses 4 to 10 state the requirements that are mandatory for conformity with ISO 27001:

Clause 4—Context of the organization is a holistic requirement for management to discover, review and understand relevant external and internal issues, which may include regulatory challenges, and identify and consider interested parties.

Clause 5—Leadership details requirements for adequate leadership, including mandating the commitment of top management, with roles and responsibilities clearly defined. Clause 5 specifies that management must:

  • Establish security objectives aligned with the strategic direction and objectives of the organization;

  • Provide the proper resources needed to support an ISMS and people’s contributions to it; and

  • Specify a top-level ISO 27001 information security policy that is documented and communicated throughout the organization and to all stakeholders and interested parties, from employees to shareholders to government regulators and others.

Clause 6—Planning is a requirement to identify and take into account information security risks and opportunities (the information security risk assessment), establish information security and control objectives based on this assessment, and create a risk treatment plan incorporating relevant controls from Annex A.

Clause 7—Support outlines how to support a robust ISMS and security framework by providing appropriate resources, ensuring employee comprehension of information security management, and communicating properly within and outside the organization. Management must update and maintain certain documentation, including a communications plan.

Clause 8—Operation mandates certain information security processes that must be planned, implemented and controlled. This is where risk assessment and risk treatment are put into action.

Clause 9—Performance evaluation requires organizations to monitor, measure, analyze and evaluate their ISMS, regularly checking KPIs and conducting internal audits at planned intervals. At defined intervals, top management must review the ISMS and its KPIs to ensure they remain suitable, adequate and effective.

Clause 10—Improvement: After the performance evaluation, organizations must react to any nonconformity, correct it and act to eliminate its cause so that it does not recur (corrective action), keeping records of each nonconformity and of the result of the action taken. In addition, they must continually improve the suitability, adequacy and effectiveness of the ISMS.


Annex A controls

Annex A of ISO 27001:2022 lists 93 safeguards, or controls, that organizations may use to lessen risks and to meet security requirements from interested parties, such as regulators and partners. Part of the documentation mandated by ISO 27001 is the Statement of Applicability (SoA), which lists every Annex A control together with any other controls the organization has determined it needs, marks each as applicable or not, justifies every inclusion and every exclusion, and records whether each applicable control has been implemented.

ISO 27001:2022 groups the 93 controls into four themes:

Annex A.5—Organizational controls are 37 controls to be implemented by defining the rules to be followed, as well as expected behavior from users, equipment, software and systems (e.g., an Access Control Policy).

Annex A.6—People controls are 8 controls implemented by sharing knowledge, education, skills and/or experience with people to empower them to perform their respective activities in a way that protects information security (e.g., ISO 27001 training).

Annex A.7—Physical controls are 14 controls implemented by protecting and securing equipment or devices that interact physically with people and objects (e.g., CCTV cameras or alarm systems).

Annex A.8—Technological controls are 34 controls, focused on IT and communications, which are implemented primarily in information systems with software, hardware and firmware (e.g., information backup or protection against malware).

Note that ISO 27001:2022 includes 21 fewer Annex A controls than the previous version, ISO 27001:2013 (93 versus 114). The reduction came from merging 57 controls into 24, deleting 3 controls, retaining 35 controls unchanged (the remaining 23 were carried over under revised names) and introducing 11 new controls. The new controls cover threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding. Organizations migrating from the 2013 version should re-map their Statement of Applicability to the new identifiers rather than carry the old A.5 to A.18 numbering forward.
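The Statement of Applicability is the first document a certification body reads at Stage 1, so a mechanical completeness check is worth having before the audit. The script below is an added example written for this page; it is not IBM's tooling and not part of the standard. It generates the 93 Annex A identifiers from the four theme counts given above (A.5.1 to A.5.37, A.6.1 to A.6.8, A.7.1 to A.7.14, A.8.1 to A.8.34) and validates an SoA extract against them: every control must appear exactly once, applicable controls need a justification and an implementation status, exclusions need a justification, and identifiers outside the 2022 list (for instance a leftover 2013 number) are flagged. The CSV column layout and the sample rows are constructed for the example; real SoAs vary in format.

```python
"""Completeness check of a Statement of Applicability against ISO/IEC 27001:2022 Annex A."""
import csv
import io

# Annex A control counts per theme (A.5 organizational, A.6 people,
# A.7 physical, A.8 technological), as stated in the text above.
ANNEX_A_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}


def annex_a_control_ids():
    """Return the 93 Annex A control identifiers, 'A.5.1' ... 'A.8.34'."""
    return [f"A.{theme}.{n}"
            for theme, count in ANNEX_A_COUNTS.items()
            for n in range(1, count + 1)]


# Constructed sample SoA extract (not a real IBM document). The column layout
# is an assumption of this example: control_id, applicable (yes/no),
# justification, implementation_status.
SAMPLE_SOA = """\
control_id,applicable,justification,implementation_status
A.5.1,yes,Required by information security policy objective,implemented
A.8.13,yes,Backup required by availability risk R-12,partially implemented
A.7.4,no,Data center operated by cloud provider; covered by supplier agreement,
A.8.16,yes,,planned
A.6.7,no,,
A.9.1,yes,Legacy 2013 control identifier,implemented
A.5.1,yes,Duplicate row,implemented
"""


def _sort_key(cid):
    """Sort 'A.<theme>.<n>' numerically rather than lexically."""
    _, theme, n = cid.split(".")
    return (int(theme), int(n))


def check_soa(soa_text):
    """Validate an SoA extract against the Annex A control set.

    Applies what clause 6.1.3 asks an SoA to carry: every Annex A control is
    listed once, each row says whether it applies, applicable controls carry a
    justification and an implementation status, and exclusions are justified.
    Returns a dict mapping finding type to the affected control identifiers.
    """
    expected = set(annex_a_control_ids())
    seen = set()
    findings = {"unknown_id": [], "duplicate": [], "missing": [],
                "unjustified_exclusion": [], "unjustified_inclusion": [],
                "no_status": []}
    for row in csv.DictReader(io.StringIO(soa_text)):
        cid = row["control_id"].strip()
        if cid not in expected:
            findings["unknown_id"].append(cid)   # e.g. a 2013-era identifier
            continue
        if cid in seen:
            findings["duplicate"].append(cid)
            continue
        seen.add(cid)
        applicable = row["applicable"].strip().lower() == "yes"
        justified = bool(row["justification"].strip())
        if applicable:
            if not justified:
                findings["unjustified_inclusion"].append(cid)
            if not row["implementation_status"].strip():
                findings["no_status"].append(cid)
        elif not justified:
            findings["unjustified_exclusion"].append(cid)
    # Any Annex A control the SoA never mentions is itself a finding.
    findings["missing"] = sorted(expected - seen, key=_sort_key)
    return findings


def soa_is_complete(findings):
    """True only when no finding of any kind was recorded."""
    return not any(findings.values())


if __name__ == "__main__":
    report = check_soa(SAMPLE_SOA)
    for kind, ids in report.items():
        if ids:
            tail = " ..." if len(ids) > 5 else ""
            print(f"{kind}: {len(ids)} -> {ids[:5]}{tail}")
    print("complete:", soa_is_complete(report))
```

Run against the sample, the check reports one unknown identifier (A.9.1), one duplicate (A.5.1), one unjustified exclusion (A.6.7), one unjustified inclusion (A.8.16) and 88 controls missing from the extract; a full SoA with all 93 rows justified and given a status passes cleanly. Adding a column for the organization's own non-Annex A controls, which the SoA must also list, is a natural extension.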

ISO 27001 certification

Companies may implement ISO 27001 to benefit from the best practices it offers. They can also choose to undergo a formal certification process, which demonstrates to customers and other stakeholders that they are committed to and capable of managing information securely and safely.

Before the certification process begins, the company must implement a compliant ISMS, and the company’s management team must determine the scope of the ISMS for certification purposes specifically (for example, they may limit the scope to a single business unit or location). The resulting certification will apply only to the limited scope.

Next, the ISMS must undergo an external, multi-step certification audit by an accredited certification body to verify compliance.

The certification audit has two stages, followed by a surveillance cycle.

  • Stage 1: Preliminary review of the ISMS. The certification body confirms that the key documentation exists and is complete (for example, the organization's information security policy, its Statement of Applicability (SoA) and its risk treatment plan) and that the organization is ready for Stage 2.

  • Stage 2: Formal conformity audit. The certification body conducts a more detailed audit, sampling evidence and interviewing staff to independently test whether the ISMS operates as documented and meets the ISO 27001 requirements. Once any major nonconformities found in Stage 2 have been closed, the organization is certified.

  • Surveillance and recertification. A certificate is normally valid for three years. During that period the certification body carries out periodic surveillance audits (typically annual) on a sample of the ISMS, and a full recertification audit takes place before the certificate expires. Between external audits the organization must keep running its own internal audits and management reviews (clauses 9.2 and 9.3) to confirm continued conformity.

Organizations that already have ISO 27001 certification must transition to the new 2022 version by October 31, 2025 by ensuring they have an updated, compliant ISMS.

According to reporting from 2022, there are over 70,000 ISO 27001 certificates in 150 countries. While the majority of these certificates are focused on information technology (IT), they cover organizations across all economic sectors.

Benefits of ISO 27001 compliance and certification

Establishing a well-organized ISMS based on ISO 27001 compliance and certification can enable organizations to:

  • Reduce vulnerability to the constantly growing threat of cyberattacks

  • Respond more quickly and effectively to evolving information security risks

  • Help ensure that assets like financial statements, intellectual property (IP), employee data and information entrusted to the organization by third parties remain undamaged, confidential, and available as needed

  • Provide a centrally-managed information security framework that secures information from one point of control

  • Prepare people, processes and technology throughout the organization to confront technology-based risks and other threats

  • Secure information in all forms, whether on paper, on premises or in the cloud

  • Lower costs by increasing efficiency and reducing unnecessary spending on ineffective cybersecurity technology

  • Comply with legal and regulatory requirements

  • Enhance reputation and customer trust
Resources

IBM ISO Management System Certifications

IBM has obtained ISO 27001 Country Level, Business Unit and Global certificates.

Cost of a Data Breach Report 2024

Find insights and recommendations drawn from the real-life experiences of 3,556 cybersecurity and business leaders whose organizations were hit by a breach.

What is information security (InfoSec)?

Learn how organizations protect important information against unauthorized access, disclosure, use, alteration or corruption.
