ISO 27001

ISO/IEC 27001:2022 — Information Security Management Systems

StandardInternational

ISO/IEC 27001:2022 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Based on the Plan-Do-Check-Act cycle, it provides a systematic approach to managing information security risks. The 2022 revision reorganised Annex A from 114 controls (14 domains) to 93 controls across 4 themes.

Annex A Controls

Control Themes

3-Year

Certification Cycle

48,671

Certificates Worldwide (2023)

Who Needs to Comply

Any Organisation

Applicable regardless of size, type, sector, or geography
Flexible scoping: can certify entire organisation or specific departments
Technology, finance, healthcare, manufacturing, government — all sectors
Increasingly required by contracts and partner agreements

Certification Process

Stage 1 Audit: Documentation review and readiness assessment
Stage 2 Audit: Implementation audit — testing controls in practice
Surveillance Audits: Annual audits in Years 1 and 2
Recertification: Full assessment every 3 years
By accredited certification bodies

Key Compliance Areas

Clauses 4-10

ISMS Requirements

Core management system requirements: context of the organisation, leadership, planning, support, operation, performance evaluation, and improvement. Approximately 140-150 requirements.

A.5 (37 controls)

Organisational Controls

Policies, procedures, governance, roles, and responsibilities for information security management across the organisation.

A.6 (8 controls)

People Controls

Awareness, training, competence, screening, and behaviour management for personnel involved in information security.

A.7 (14 controls)

Physical Controls

Protection of physical assets, premises, equipment, and facilities from environmental and physical threats.

A.8 (34 controls)

Technological Controls

Digital security controls covering encryption, network security, access management, malware protection, and system development security.

How Orizon Helps

ISMS Scoping

Define the scope of your ISMS: which parts of the organisation, which information assets, and which locations to include in the certification boundary.

Risk Assessment

Identify information security risks, evaluate their likelihood and impact, and determine risk treatment options aligned with your risk appetite.

Control Selection

Select applicable Annex A controls based on your risk assessment. Document your Statement of Applicability (SoA) explaining control inclusion or exclusion.

Implementation

Implement selected controls across all four themes (Organisational, People, Physical, Technological). Document policies, procedures, and evidence.

Internal Audit & Review

Conduct internal audits and management reviews to verify ISMS effectiveness before engaging an external certification body.

Certification & Maintenance

Complete Stage 1 and Stage 2 audits. Maintain certification through annual surveillance audits and continuous improvement per the PDCA cycle.

Official Sources

Assess Your Compliance

Expert guidance for your ISO 27001 compliance journey.

Get Started