ISO 27001 Implementation Guide

Section 1

Overview

ISO/IEC 27001 is the international standard that specifies the requirements for an Information Security Management System (ISMS). It provides a risk-based, process-oriented framework that lets an organisation of any size protect the confidentiality, integrity and availability of its information in a systematic and demonstrable way. Certification against the standard is awarded by an accredited certification body following a two-stage external audit, and signals to customers, regulators and partners that the organisation has implemented and operates an ISMS that meets the requirements of the standard.

The 2022 revision versus 2013

The 2022 revision retains the same management system clauses (4 to 10) as the 2013 version, but consolidates Annex A from 114 controls grouped in 14 domains into 93 controls grouped in four themes: Organisational (A.5), People (A.6), Physical (A.7) and Technological (A.8). Eleven new controls were introduced, including Threat intelligence (5.7), Information security for use of cloud services (5.23), ICT readiness for business continuity (5.30), Physical security monitoring (7.4), Configuration management (8.9), Information deletion (8.10), Data masking (8.11), Data leakage prevention (8.12), Monitoring activities (8.16), Web filtering (8.23) and Secure coding (8.28). Organisations already certified against the 2013 edition had a transition period in which to align their certificates with the 2022 edition; new certifications are issued exclusively against ISO/IEC 27001:2022.

Who needs it

The standard is sector-agnostic. It is adopted by technology providers, financial institutions, healthcare operators, public administration, manufacturing, professional services and any organisation that handles information whose loss would cause material harm. In many tenders and supply chains, certification is now a contractual prerequisite rather than a differentiator, and in some regulated contexts (for example, operators of essential services under NIS2 or processors of sensitive personal data) an ISMS aligned with ISO 27001 is the most efficient way to demonstrate a state-of-the-art level of security.

Business case

Beyond market access, the business case for certification rests on operational maturity: a documented risk treatment process, clear ownership of assets and controls, fewer ad-hoc decisions during incidents, lower insurance premiums in some markets, and stronger negotiation posture in vendor assessments. The standard does not prescribe specific technologies; it requires that decisions about security are deliberate, justified by risk, reviewed by management and continually improved.