What is ISO 27001?
ISO 27001 is the international standard for information security management. Learn the framework structure, certification process, and how it compares to SOC 2.
ISO 27001 Structure
ISO 27001 is organized around two core components. Clauses 4-10 contain the mandatory management system requirements — context of the organization, leadership, planning, support, operation, performance evaluation, and improvement. These clauses establish the governance framework that management system auditors evaluate. Annex A provides 93 security controls organized in four themes: Organizational controls (37), People controls (8), Physical controls (14), and Technological controls (34).
The most significant change from the previous version (ISO 27001:2013) in the 2022 revision was reorganizing 114 controls into 93 controls across these four themes, adding 11 new controls covering areas like threat intelligence, cloud security, data masking, and secure coding, and eliminating redundant controls through consolidation.
The Statement of Applicability
The Statement of Applicability (SoA) is a key ISO 27001 document that lists all Annex A controls, indicates which are applicable to the organization, and justifies the exclusion of any controls deemed not applicable. The SoA represents the organization's considered judgment about which controls its information security risk profile requires — and the quality of that judgment is a primary focus of certification audits.
Certification Process
ISO 27001 certification requires a two-stage audit by an accredited certification body. Stage 1 is a documentation review where auditors evaluate whether the ISMS documentation — policies, procedures, risk assessments, Statement of Applicability — meets ISO 27001 requirements. Stage 2 is an on-site assessment where auditors evaluate whether the documented management system is actually implemented and operating effectively.
Certification is granted for three years, with annual surveillance audits and a recertification audit in year three. Maintaining certification requires demonstrating that the ISMS continues to operate and improve through the surveillance audit cycle.
ISO 27001 vs. SOC 2
ISO 27001 and SOC 2 are frequently compared because both attest to information security practices. ISO 27001 is an international standard that specifies requirements for an Information Security Management System and is recognized globally. SOC 2 is a US-based attestation standard focused on service organizations. ISO 27001 is risk-based and requires organizations to define their own control scope through risk assessment. SOC 2 uses predefined Trust Service Criteria and is more prescriptive about what auditors evaluate.
Organizations serving international enterprise customers often pursue ISO 27001 for its global recognition. US-focused software and service companies more commonly pursue SOC 2. Some organizations maintain both certifications for different customer segments.
Real-World Example: ISO 27001 as Enterprise Deal Enabler
A PE-backed B2B software company in Cloudskope's portfolio was stalling on enterprise deals because procurement teams were requiring ISO 27001 certification or equivalent third-party attestation. The company had SOC 2 Type II but international enterprise customers — particularly in the UK, Germany, and Australia — preferred ISO 27001 as the recognized standard in their markets. An 18-month ISO 27001 implementation and certification program opened enterprise deals across three geographies that had previously stalled in procurement review, contributing to a measurable revenue impact in the ISMS investment business case.
ISO 27001 certificates have been issued across 150+ countries, making it the most widely recognized information security management standard in the world and an increasingly common enterprise procurement requirement.