What Is ISO 27001?
The international standard for information security — explained without the jargon. What it covers, who needs it, and what certification actually involves.
ISO 27001 is the international standard for managing information security. It gives organisations a framework for protecting their data — systematically, not ad hoc.
It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and its full name is ISO/IEC 27001:2022; the year suffix marks the current edition, which was updated in 2022.
At its core, ISO 27001 requires you to build an Information Security Management System (ISMS) — a documented set of policies, processes, and controls that protect the confidentiality, integrity, and availability of your information.
The standard is deliberately technology-agnostic. Whether you run everything in the cloud or on-premises, ISO 27001 applies. It's about the system you use to manage security, not the specific tools.
Who Needs ISO 27001?
ISO 27001 applies to any organisation, of any size, in any industry. In practice, certification is most common — and most useful — in these situations:
Your Clients Require It
- Enterprise customers include ISO 27001 in procurement requirements
- Government contracts often mandate it
- Financial services and legal firms expect it from suppliers
You Handle Sensitive Data
- Personal data subject to GDPR
- Financial records and payment information
- Health data, legal files, or intellectual property
You Want to Improve Security Systematically
- Moving beyond ad-hoc security decisions
- Demonstrating due diligence to regulators
- Reducing the risk (and cost) of security incidents
Key Requirements
ISO 27001 is structured around clauses 4–10, which define what your ISMS must include. Here's what each one asks for, in plain English:
Clause 4: Context of the Organisation
Understand your business, who cares about your security (clients, regulators, staff), and define the scope of your ISMS.
Clause 5: Leadership
Top management must visibly support the ISMS, set a security policy, and assign roles and responsibilities.
Clause 6: Planning
Identify risks to your information, decide how to treat them, and set measurable security objectives.
Clause 7: Support
Provide the resources, competence, awareness, and documentation needed to run the ISMS.
Clause 8: Operation
Execute your risk treatment plans and security controls. This is where planning turns into action.
Clause 9: Performance Evaluation
Monitor, measure, audit, and review whether your ISMS is working. Includes internal audits and management reviews.
Clause 10: Improvement
When something goes wrong or an audit finds a gap, fix it — and improve the system so it doesn't happen again.
Annex A Controls at a Glance
Annex A of ISO 27001:2022 lists 93 controls organised into four themes. You don't have to implement every control — only those relevant to your risks.
Examples of what these controls cover:
- Organisational: Information security policies, roles, asset management, supplier relationships
- People: Screening, awareness training, responsibilities after termination
- Physical: Secure areas, equipment protection, clear desk policy
- Technological: Access control, encryption, logging, secure development, malware protection
The Certification Process
Certification is carried out by an accredited external body (not a consultant — they can help you prepare, but can't certify you). The process has two stages:
Stage 1: Documentation Review
- The auditor reviews your ISMS documentation
- Checks that policies, risk assessments, and the Statement of Applicability (SoA) exist and are complete
- Identifies any gaps to fix before Stage 2
- Typically a desk-based review or short on-site visit
Stage 2: Certification Audit
- The auditor verifies your ISMS is implemented and working in practice
- Interviews staff, reviews evidence, tests controls
- Checks that you're following the processes you documented
- Results in certification (valid for 3 years) or findings to address
Surveillance & Recertification
- Annual surveillance audits in years 1 and 2 (smaller scope)
- Full recertification audit in year 3
- Continuous improvement expected between audits
Benefits of ISO 27001
- Win more business. Certification removes security as an objection in sales and procurement processes.
- Reduce incidents. A structured approach to risk means fewer breaches and less downtime.
- Demonstrate compliance. ISO 27001 aligns with GDPR, NIS2, and sector-specific regulations.
- Build trust. Clients and partners gain confidence that you take security seriously.
- Improve operations. Documenting processes often reveals inefficiencies and gaps beyond just security.
- Lower insurance premiums. Some cyber insurance providers offer better terms to certified organisations.
FAQ
How long does ISO 27001 certification take?
Most organisations achieve certification in 6 to 12 months, depending on size, complexity, and how mature their existing security practices are. If you already have good policies and processes, the gap to close is smaller.
How much does it cost?
For a small business (under 50 employees), expect £10,000–£30,000 including consultancy and the certification audit. Larger organisations will pay more. Annual surveillance audits are typically a fraction of the initial cost.
Is ISO 27001 mandatory?
No, ISO 27001 is voluntary. However, some industries, contracts, and regulations effectively require it — particularly in financial services, healthcare, and government supply chains.
How does ISO 27001 differ from Cyber Essentials?
Cyber Essentials is a UK government scheme covering five basic technical controls. ISO 27001 is a comprehensive international standard covering your entire information security management system — policies, processes, people, and technology. They complement each other: Cyber Essentials is a good starting point; ISO 27001 is the full picture.
Do we need a consultant?
Not strictly, but most organisations — especially first-timers — benefit from experienced guidance. A consultant helps you avoid common pitfalls, reduces the time to certification, and ensures your ISMS is practical rather than just a paperwork exercise.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the certifiable standard that defines the requirements for an ISMS. ISO 27002 is a supporting guide that provides detailed implementation guidance for the Annex A controls. You get certified against 27001 and use 27002 as a reference.
Thinking About ISO 27001?
We help UK businesses build and maintain their ISMS — whether you're starting from scratch or preparing for certification. Let's talk about where you are and what you need.