ISO 27001 — Information Security Management System FAQ

Expert answers about ISO 27001 certification, ISMS implementation, Annex A controls, risk assessment, and audit preparation.

Understanding ISO 27001

ISO 27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive company information through risk assessment, security controls, and continual improvement. The standard is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The current version, ISO/IEC 27001:2022, defines the requirements for establishing, implementing, maintaining, and continually improving an ISMS. Certification demonstrates to clients and stakeholders that your organization takes information security seriously.

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes, and technology, and is designed to protect the confidentiality, integrity, and availability (CIA triad) of information assets.

Key components include:

  • Information security policy and objectives
  • Risk assessment and treatment methodology
  • Statement of Applicability (SoA)
  • Security controls from Annex A
  • Incident management procedures
  • Business continuity planning
  • Internal audit and management review

ISO 27001 is the certification standard that defines the requirements for an ISMS. It tells you WHAT you need to do. ISO 27002 is a guidance document that provides best practices for implementing the security controls listed in Annex A of ISO 27001. It tells you HOW to do it.

You can only be certified against ISO 27001, not ISO 27002. However, ISO 27002 is an invaluable reference during implementation.

Annex A of ISO 27001:2022 contains 93 security controls organized into 4 themes:

  • Organizational controls (37): Policies, responsibilities, asset management, access control
  • People controls (8): Screening, training, disciplinary processes, remote working
  • Physical controls (14): Physical security perimeters, equipment, secure areas
  • Technological controls (34): Authentication, encryption, network security, logging, malware protection

Organizations select applicable controls based on their risk assessment and document this in the Statement of Applicability (SoA).

Who Needs ISO 27001?

ISO 27001 is essential for organizations that handle sensitive data. This includes:

  • Technology companies (SaaS, cloud providers, IT services)
  • Financial services (banks, fintech, insurance)
  • Healthcare organizations handling patient data
  • Government contractors processing sensitive information
  • Any B2B company whose enterprise clients require security certification

It is increasingly becoming a prerequisite for doing business with large enterprises and regulated industries.

ISO 27001 is not legally mandated in most jurisdictions. However, it is effectively required in many business contexts:

  • Enterprise clients frequently require ISO 27001 as a vendor qualification
  • Regulated industries expect certified security management
  • Government contracts often mandate it
  • GDPR Article 32 references ISO 27001 as a means to show security measures

Even where not mandatory, certification provides significant competitive advantage and risk reduction.

Cost & Timeline

ISO 27001 certification costs depend on organization size and complexity:

  • Small organizations (10-50 employees): $5,000 - $15,000
  • Mid-size companies (50-250 employees): $15,000 - $40,000
  • Large enterprises (250+ employees): $40,000 - $100,000+

Costs include consulting, documentation development, security tool implementation, internal audit training, and certification body audit fees.

Typical timelines:

  • Organizations with existing security practices: 4-6 months
  • Organizations with partial systems: 6-9 months
  • Organizations starting from scratch: 9-14 months

With Avantcert's methodology, we can reduce timelines by up to 40%.

Process & Implementation

The certification process follows these steps:

  • Gap Analysis: Assess current security posture against ISO 27001 requirements
  • Risk Assessment: Identify information assets, threats, vulnerabilities, and risks
  • Risk Treatment: Select controls from Annex A and implement security measures
  • Documentation: Develop policies, procedures, and the Statement of Applicability
  • Implementation: Deploy controls and train staff
  • Internal Audit: Verify ISMS effectiveness
  • Certification Audit: Stage 1 (documentation review) and Stage 2 (implementation review) conducted by an accredited certification body

The Statement of Applicability is a critical document that lists all 93 Annex A controls and indicates:

  • Whether each control is applicable to your organization
  • Justification for including or excluding each control
  • Current implementation status
  • How each applicable control is implemented

The SoA is reviewed by auditors during the certification audit and must be kept up to date throughout the certification cycle.