What is ISO 27001?

Published: July 21, 2024
Gry Josefine Løvgren, Content Specialist

Gry Josefine Løvgren is a content specialist at Wired Relations, where she writes about all things GRC, data protection, and cybersecurity for our blog and social media channels. She holds a journalism degree from Roskilde University and uses her professional expertise to communicate complex topics in an engaging and easy-to-understand way.


What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is an internationally recognised standard for managing information security. It provides the framework for an Information Security Management System – known as an ISMS – designed to ensure the systematic protection and control of information. ISO 27001 outlines the requirements for this system.

The standard includes a set of controls and processes that must be implemented to achieve an appropriate level of security and a robust ISMS. ISO 27001 helps organisations demonstrate their commitment to information security, meet specific requirements, and build trust with stakeholders, customers, and partners.

ISO 27002, on the other hand, serves as a guide to the list of controls found in Annex A of ISO 27001. In other words, it provides implementation guidance for each of the security controls referenced in ISO 27001.

What does ISO 27001 include – and how is it implemented?

ISO 27001 lists 93 controls in its Annex A (with implementation guidance for each in ISO 27002), divided into four categories:

  • Organisational

  • People-related

  • Physical

  • Technological

Organisations select the controls relevant to them based on their own risk assessment. The Statement of Applicability (SoA) plays a central role in this process: it records which controls have been selected, why they were chosen, how they are implemented, and the justification for any Annex A controls that were excluded.

Implementing ISO 27001 involves setting up an ISMS that helps address risks and protect information through clear policies, procedures, and guidelines. Success depends on leadership commitment, a dedicated team, and a solid understanding of the standard’s requirements.

There’s no one-size-fits-all approach to implementation. First, the organisation must determine which controls are relevant based on a risk assessment. Then, it must develop and implement policies and procedures for each selected control. Finally, it needs to establish ongoing monitoring and review processes to ensure the controls remain effective and relevant.
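The risk-driven selection and the SoA described above can be made concrete. The following Python script is an added example, not part of the original article or of Wired Relations' product: it scores a small constructed risk register (likelihood × impact), selects the Annex A controls that treat every risk above a chosen risk appetite, adds a baseline set the hypothetical organisation applies regardless of score, and emits one SoA row per control with its justification and implementation status. The eight control identifiers and titles are taken from the ISO 27002:2022 catalogue; the risks, the appetite value, the baseline set and the implementation notes are all constructed for the example.

```python
from dataclasses import dataclass

# Small subset of the ISO 27002:2022 control catalogue (identifiers and titles
# are the standard's own; the eight chosen here are a sample of the 93).
CONTROLS = {
    "5.1":  ("Organisational", "Policies for information security"),
    "5.15": ("Organisational", "Access control"),
    "6.3":  ("People", "Information security awareness, education and training"),
    "7.4":  ("Physical", "Physical security monitoring"),
    "8.7":  ("Technological", "Protection against malware"),
    "8.8":  ("Technological", "Management of technical vulnerabilities"),
    "8.13": ("Technological", "Information backup"),
    "8.24": ("Technological", "Use of cryptography"),
}

# Controls this hypothetical organisation applies regardless of risk score.
BASELINE = frozenset({"5.1"})

# Risk appetite on a 1..25 scale (likelihood x impact); constructed value.
RISK_APPETITE = 8


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    treated_by: tuple    # Annex A control ids that treat this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed risk register for the example.
RISKS = (
    Risk("R1", "Unpatched internet-facing web server", 4, 5, ("8.8",)),
    Risk("R2", "Laptop stolen from shared office", 3, 3, ("7.4", "8.24")),
    Risk("R3", "Employee acts on a phishing e-mail", 4, 3, ("6.3", "8.7")),
    Risk("R4", "Backup media in locked safe is lost", 1, 2, ("8.13",)),
)

# How each selected control is implemented (hypothetical); a missing entry is a gap.
IMPLEMENTATION = {
    "5.1": "Information security policy v1.0, approved by management",
    "6.3": "Annual awareness training plus quarterly phishing simulation",
    "8.7": "Endpoint protection deployed on all workstations",
    "8.8": "Monthly vulnerability scan; 14-day patch SLA for critical findings",
    "8.24": "Full-disk encryption enforced on laptops via device management",
}


def _control_key(control_id: str) -> tuple:
    """Sort '5.15' after '5.1' numerically rather than lexically."""
    return tuple(int(part) for part in control_id.split("."))


def select_controls(risks, appetite: int) -> dict:
    """Map each control id to the ids of risks above appetite that it treats."""
    selected: dict = {}
    for risk in risks:
        if risk.score > appetite:
            for control_id in risk.treated_by:
                selected.setdefault(control_id, []).append(risk.risk_id)
    return selected


def build_soa(risks=RISKS, controls=CONTROLS, appetite=RISK_APPETITE,
              baseline=BASELINE, implementation=IMPLEMENTATION) -> list:
    """Return one SoA row per control: applicable or not, why, and how implemented."""
    by_risk = select_controls(risks, appetite)
    rows = []
    for control_id in sorted(controls, key=_control_key):
        category, title = controls[control_id]
        reasons = []
        if control_id in baseline:
            reasons.append("organisational baseline")
        if control_id in by_risk:
            reasons.append("treats risk(s) " + ", ".join(by_risk[control_id]))
        applicable = bool(reasons)
        rows.append({
            "control": control_id,
            "category": category,
            "title": title,
            "applicable": applicable,
            "justification": "; ".join(reasons) if applicable
                             else "no in-scope risk above appetite requires this control",
            "implementation": implementation.get(control_id, "TODO") if applicable else "",
        })
    return rows


def soa_gaps(rows) -> list:
    """Applicable controls with no documented implementation yet (audit findings in waiting)."""
    return [r["control"] for r in rows if r["applicable"] and r["implementation"] == "TODO"]


if __name__ == "__main__":
    soa = build_soa()
    for row in soa:
        flag = "YES" if row["applicable"] else "no "
        print(f"{row['control']:>5} {flag} {row['title']:<55} {row['justification']}")
    print("Gaps:", soa_gaps(soa))
```

Running the script prints the SoA table and reports control 7.4 as a gap: it was selected because the laptop-theft risk scores above appetite, but nothing documents how it is implemented. That is exactly the kind of inconsistency between risk assessment, SoA and reality that the ongoing monitoring and review step is meant to catch before an external auditor does.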

What is ISO certification?

An ISO certification is an official confirmation that an organisation meets an international standard – in this case, for information security. It demonstrates quality and reliability, and can help build external trust.

How do you get ISO 27001 certified?

To become certified, you must show that your ISMS complies with the ISO standard. The process typically includes:

  1. Define the ISMS scope – Identify the assets, teams, and processes included.

  2. Conduct a risk assessment – Analyse threats, vulnerabilities, and consequences.

  3. Develop security policies – Set guidelines aligned with ISO requirements.

  4. Implement controls – Put the necessary measures in place.

  5. Monitor and review – Continuously evaluate and adjust controls.

  6. Undergo an external audit – Engage an accredited certification body.

  7. Achieve certification – Receive your ISO 27001 certificate after a successful audit.

Following this structured approach gives your organisation the best chance of achieving ISO certification.

How much does ISO certification cost?

The cost of ISO certification depends on several factors, including the size of your organisation (number of employees), the nature of your business, and how many locations are involved.


Want to see what an ISMS platform can look like in practice?

Get insights into how your organisation can work with ISO 27001. Book a free demo of Wired Relations with one of our information security experts.
