ISO 27001:2022 explained — Information Security Management
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). It defines how an organisation should establish, implement, maintain and continually improve information security — covering people, processes and technology.
What ISO/IEC 27001 covers
The 2022 edition restructured the control set into 93 controls across four themes (down from 114 across 14 domains in the 2013 edition):
- Organisational controls (37) — policies, roles, supplier relationships, incident management, compliance
- People controls (8) — screening, training, awareness, remote working, confidentiality
- Physical controls (14) — secure areas, equipment, clear desk, secure disposal
- Technological controls (34) — access control, cryptography, network security, secure development, threat intelligence
Beyond the control set itself, the standard requires two ISMS documents that tie the chosen controls back to the risk assessment:
- Statement of Applicability — list of every Annex A control with justification for its inclusion or exclusion
- Risk treatment plan — how each unacceptable risk will be reduced, accepted, transferred or avoided
Who needs ISO/IEC 27001?
Any organisation that handles sensitive information — customer data, intellectual property, financial data, health records. Especially relevant for SaaS, fintech, healthcare, government, and any vendor selling into enterprises that require ISMS certification.
Key points to know
- Annex A controls are NOT mandatory — organisations select only the controls relevant to their identified risks (the Statement of Applicability documents this).
- Risk assessment and risk treatment are the heart of ISO 27001 — controls are downstream of risk decisions.
- The 2022 edition introduced threat intelligence, ICT readiness for business continuity, data masking, secure coding, and several other modern controls.
- Organisations on the 2013 edition had until 31 October 2025 to transition to 2022.
ISO/IEC 27001 — frequently asked questions
What is ISO 27001 in simple terms?
ISO 27001 is a framework for managing the confidentiality, integrity and availability of an organisation's information. It requires a risk-based approach: identify what you need to protect, assess the threats, choose appropriate controls, and continually improve.
How is ISO 27001 different from SOC 2?
ISO 27001 is an international standard with a published list of certifiable requirements (Clauses 4-10 + Annex A controls). SOC 2 is an AICPA attestation report based on Trust Service Criteria, used mainly in the US. ISO 27001 results in a certificate; SOC 2 produces an attestation report. Many organisations hold both for global commercial reach.
How long does ISO 27001 certification take?
For a typical SaaS company starting from scratch, 6-12 months is realistic. Mature organisations with existing controls can compress this. Certification is then valid for three years with annual surveillance audits.
Do I need to implement all 93 Annex A controls?
No. You implement only the controls relevant to your risks. The Statement of Applicability lists every Annex A control with a clear justification for why it is or is not applicable. Auditors will challenge sparse justifications.
What is the relationship between ISO 27001, ISO 27002 and ISO 27701?
ISO 27001 is the requirements standard — what you must do. ISO 27002 is the implementation guidance — how to do it, with detailed advice for each Annex A control. ISO 27701 extends ISO 27001 with privacy controls to form a Privacy Information Management System (PIMS), aligning with GDPR and similar regulations.