ISO 27001 — Information Security Management System Standard

Overview last updated: January 2026

What Is ISO 27001

ISO/IEC 27001 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

The current version is ISO/IEC 27001:2022, which replaced the 2013 version. The 2022 revision restructured the Annex A controls to align with ISO/IEC 27002:2022.

Unlike frameworks that are specific to certain industries or geographies, ISO 27001 is globally recognized and applicable to any organization of any size in any sector.

How ISO 27001 Works

The ISMS

An ISMS is a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes, and technology. ISO 27001 doesn't prescribe specific technologies or solutions — it requires a management system that:

  • Identifies information security risks through a formal risk assessment
  • Selects and implements controls to address those risks
  • Monitors and reviews the effectiveness of those controls
  • Continually improves the system

Structure of the Standard

ISO 27001 has two main parts:

Clauses 4–10 (Management System Requirements):

  • Clause 4 — Context of the organization: Understand internal and external factors, interested parties, and define the ISMS scope
  • Clause 5 — Leadership: Management commitment, information security policy, roles and responsibilities
  • Clause 6 — Planning: Risk assessment methodology, risk treatment, information security objectives
  • Clause 7 — Support: Resources, competence, awareness, communication, documented information
  • Clause 8 — Operation: Risk assessment execution, risk treatment implementation
  • Clause 9 — Performance evaluation: Monitoring, measurement, internal audit, management review
  • Clause 10 — Improvement: Nonconformities, corrective actions, continual improvement

Annex A (Reference Controls):

Annex A contains 93 controls (in the 2022 version) organized into four themes:

  • Organizational controls (37): Policies, roles, asset management, access control, supplier relationships, incident management, business continuity, compliance
  • People controls (8): Screening, terms of employment, awareness and training, disciplinary process, termination
  • Physical controls (14): Security perimeters, physical entry, equipment security, secure disposal, clear desk
  • Technological controls (34): User devices, privileged access, information access restriction, secure authentication, malware protection, logging, network security, cryptography, secure development, data protection

You don't need to implement all 93 controls — you select controls based on your risk assessment and justify exclusions in your Statement of Applicability (SoA).

The Certification Process

ISO 27001 certification is performed by accredited certification bodies (not by ISO itself). The process typically involves:

Stage 1 Audit (Documentation Review)

The auditor reviews your ISMS documentation to verify:

  • The scope is defined and appropriate
  • Required policies and procedures exist
  • Risk assessment methodology is established
  • The Statement of Applicability is complete
  • Management commitment is demonstrated

This is a readiness check. The auditor identifies any major gaps that must be addressed before Stage 2.

Stage 2 Audit (Implementation Assessment)

The auditor evaluates whether your ISMS is actually implemented and operating effectively:

  • Interviews with staff at various levels
  • Review of records and evidence
  • Observation of processes
  • Testing of controls
  • Verification that the ISMS achieves its objectives

If nonconformities are found, you have a defined period to address them before the certification decision.

Surveillance Audits

After certification, surveillance audits are conducted annually (at minimum) to verify the ISMS continues to operate effectively. A full recertification audit occurs every three years.

Key Differences From SOC 2

Organizations often compare ISO 27001 with SOC 2. Key distinctions:

  • ISO 27001 is a certification; SOC 2 is a report. You either are or aren't ISO 27001 certified. A SOC 2 report can contain exceptions and qualified opinions.
  • ISO 27001 is globally recognized; SOC 2 is primarily US-focused. International companies often prefer ISO 27001.
  • ISO 27001 requires a formal risk assessment methodology; SOC 2 is more flexible in how you design controls.
  • ISO 27001 mandates continual improvement; SOC 2 Type II examines a fixed period.
  • ISO 27001 has a prescriptive management system structure; SOC 2 is criteria-based without prescribing how you organize your security program.

Many organizations pursue both, using ISO 27001 as their foundational security program and SOC 2 for US enterprise customers who specifically request it.

Where Privacy Policies Fit

Honesty note: ISO 27001 is an information security standard, not a privacy standard. Your customer-facing privacy policy is not a primary artifact in an ISO 27001 audit.

That said, there are several touchpoints:

Annex A Control 5.34 — Privacy and Protection of PII

This control (new numbering in ISO 27001:2022; previously A.18.1.4) requires organizations to identify and meet requirements for the privacy and protection of personally identifiable information (PII) as required by applicable legislation, regulations, and contractual requirements.

If your organization processes personal data, the auditor will check that you've identified applicable privacy laws (GDPR, CCPA, etc.) and have controls to address them. Your privacy policy may be reviewed as evidence that you've considered these obligations.

Information Security Policy vs. Privacy Policy

ISO 27001 requires an information security policy (Clause 5.2) — this is an internal document approved by management that establishes the direction for information security. This is different from a customer-facing privacy policy.

Auditors care about the information security policy. Your customer-facing privacy policy is only relevant insofar as it makes commitments that your ISMS must then support (e.g., if your privacy policy claims you encrypt all data at rest, your ISMS controls must demonstrate this).

Supplier and Third-Party Management

Annex A controls related to supplier relationships (5.19–5.22) require you to assess and manage security risks from third parties. If your privacy policy names specific third-party processors, auditors may cross-reference this against your supplier management program.

When Your Privacy Policy Matters More

Your privacy policy becomes more relevant if you're also pursuing ISO 27701, the extension to ISO 27001 for privacy information management (a Privacy Information Management System, or PIMS). ISO 27701 maps additional controls to GDPR and other privacy requirements and would make your privacy policy a more central audit artifact.

Common ISO 27001 Challenges

  • Scope creep: Defining too broad a scope makes certification expensive and difficult to maintain. Start with the systems and processes most critical to your customers.
  • Documentation overhead: ISO 27001 requires documented policies, procedures, risk assessments, and records. Organizations underestimate the effort.
  • Risk assessment rigor: A superficial risk assessment will be flagged in the audit. The methodology needs to be systematic, repeatable, and cover confidentiality, integrity, and availability.
  • Cultural adoption: An ISMS that exists only on paper will fail surveillance audits. Staff must be trained, aware, and actively following procedures.
  • Continual improvement: Many organizations treat certification as a finish line. ISO 27001 requires ongoing monitoring, review, and improvement.

How Privacy Policy Review Helps

While your privacy policy isn't the focal point of an ISO 27001 audit, inconsistencies between your public-facing privacy commitments and your actual security controls can create problems. If your privacy policy promises data protection practices you can't demonstrate, auditors may flag this under Annex A 5.34.

Our service reviews your privacy policy against the privacy-related requirements in ISO 27001 (and ISO 27701 if applicable), checking for commitments that your ISMS should be prepared to back up. An attorney verifies the findings in a signed Record of Review.

This is most useful as a cross-check — ensuring your public-facing statements align with what your security program actually delivers.

Ready to review your privacy policy?

Get AI-powered compliance analysis verified by an attorney — flat $199 per review.
