ISO 27001: Complete Guide to Information Security Management (2026)
ISO 27001 is the world's leading information security management standard. This complete guide covers what it is, how the ISMS works, Annex A controls, certification, costs, and how it connects to GDPR, NIS2, and ISO 42001.
ISO 27001 is the world's most widely adopted standard for information security management. Over 70,000 organizations across more than 150 countries are certified. It is referenced in GDPR, NIS2, DORA, and dozens of national regulatory frameworks. If your organization handles sensitive data, operates in regulated industries, or sells to enterprise customers, ISO 27001 is not optional. It is the baseline.
This guide covers everything. What ISO 27001 is, how the ISMS works, what Annex A controls look like in practice, how certification works for organizations and individuals, what it costs, and how it connects to the broader regulatory landscape including GDPR and ISO 42001.
I have delivered this training as a PECB Certified Trainer and implemented ISMS frameworks across industries. What follows is not a marketing page for the standard. It is a practical guide for people who need to understand it, implement it, or get certified in it.
Key Takeaways
- ISO 27001 is the international standard for Information Security Management Systems (ISMS). It specifies what organizations must do to protect information assets systematically, not just technically.
- The 2022 version contains 93 Annex A controls across 4 themes, updated from 114 controls in the 2013 version, with 11 new controls added.
- Clauses 4 to 10 are mandatory. No clause can be excluded if an organization claims conformity to the standard.
- The standard directly supports GDPR Article 32 compliance and aligns with NIS2, DORA, HIPAA, PCI DSS, and other regulatory frameworks globally.
- 70,000+ organizations are currently certified worldwide, making ISO 27001 Lead Implementer and Lead Auditor among the most commercially valuable information security credentials available.
- PECB personal certification through reconn starts at $799 for self-study and $899 for eLearning, both with 2 exam attempts included. You receive the same PECB credential regardless of format.
What Is ISO 27001?
ISO 27001 is the international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System. It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The current version is ISO/IEC 27001:2022, which replaced the previous 2013 edition. The 2022 update reorganized Annex A controls, added 11 new controls to address cloud security, threat intelligence, data masking, and physical security monitoring, and merged several overlapping controls from the previous version.
The standard is not a technical specification. It does not tell you which firewall to buy or which encryption algorithm to use. It defines a management system framework for identifying what information assets you have, assessing the risks to those assets, selecting appropriate controls, implementing and monitoring them, and improving the system over time. The technical decisions are yours. The framework for making them systematically and demonstrably is what ISO 27001 provides.
Why it was created
The standard traces its origins to BS 7799, published by the British Standards Institution in 1995, developed by the UK Department of Trade and Industry. It was intended to help organizations establish an ISMS and protect the confidentiality, integrity, and availability of their information. BS 7799-2 followed in 2002 and was adopted as ISO/IEC 27001 in 2005. The 2013 and 2022 revisions followed as the threat landscape and technology environment evolved.
The ISO 27000 Family of Standards
ISO 27001 does not stand alone. It is the centerpiece of a family of related standards, each addressing a specific aspect of information security management.
- ISO/IEC 27000 provides the overview and definitions used across the entire family. A free copy is available from the ISO website.
- ISO/IEC 27001 specifies the ISMS requirements. This is the certifiable standard.
- ISO/IEC 27002 provides the reference set of information security controls and implementation guidance. Annex A of ISO 27001 is aligned directly with ISO 27002:2022.
- ISO/IEC 27003 provides guidance on implementing ISO 27001 requirements.
- ISO/IEC 27004 provides guidelines for measuring ISMS effectiveness, supporting Clause 9.1 performance evaluation requirements.
- ISO/IEC 27005 provides guidance on information security risk management.
- ISO/IEC 27006-1 specifies requirements for bodies providing ISMS audit and certification services.
- ISO/IEC 27007 provides guidance on managing an ISMS audit program and conducting audits.
- ISO/IEC 27701 extends ISO 27001 into a Privacy Information Management System (PIMS) for organizations managing personally identifiable information.
- ISO 27799 provides sector-specific guidance for health informatics organizations.
For most practitioners, the working set is ISO 27001, ISO 27002, and ISO 27005. Together they give you the framework, the controls library, and the risk methodology.
PECB ISO 27001 Lead Auditor Certification
Plan, manage, and lead ISO 27001 ISMS audits with confidence. Self-study from $799 or eLearning from $899 — both include 2 exam attempts and official PECB courseware. Covers internal and external audits based on ISO 19011 and ISO 17021.
ISO 27001 Structure: Clauses 4 to 10
ISO 27001 follows the High Level Structure (HLS), the common framework used across all modern ISO management system standards including ISO 9001, ISO 14001, and ISO 42001. This shared structure makes integration straightforward for organizations already running other management systems.
Clauses 4 to 10 are mandatory. No clause can be excluded if an organization claims conformity to ISO 27001.
Clause 4: Context of the Organization
Understand the internal and external issues that are relevant to information security. Identify interested parties and their requirements. Define the scope of the ISMS.
Clause 5: Leadership
Top management must demonstrate commitment to the ISMS. This includes establishing an information security policy, assigning roles and responsibilities, and ensuring resources are available.
Clause 6: Planning
Conduct the ISO 27001 risk assessment and risk treatment. This is one of the most substantive requirements in the standard. Your risk assessment methodology must be consistent, produce comparable results, and be repeated at planned intervals. Define information security objectives and plan how to achieve them. This is also where the Statement of Applicability is produced.
Clause 7: Support
Ensure the resources, competence, awareness, communication, and documented information needed to operate and maintain the ISMS are in place.
Clause 8: Operation
Implement and control the processes and risk treatment plans defined in Clause 6. Manage operational information security activities.
Clause 9: Performance Evaluation
Monitor, measure, analyze, and evaluate ISMS performance. Conduct internal audits. Carry out management reviews.
Clause 10: Improvement
Address nonconformities and corrective actions. Drive continual improvement of the ISMS.
The PDCA cycle runs through all of these clauses. Plan (Clauses 4 to 6), Do (Clauses 7 to 8), Check (Clause 9), Act (Clause 10). This is not a one-time project. It is an operating system for managing information security risk on an ongoing basis.
Annex A Controls: What Changed in 2022
Annex A of ISO 27001 contains the reference set of information security controls. In the 2022 version, these were reorganized from 14 categories and 114 controls into 4 themes and 93 controls.
The ISO 27001 controls in the 2022 version are organized across 4 themes in Annex A:
- Organizational controls (37 controls) covering policies, roles, supplier relationships, incident management, and business continuity
- People controls (8 controls) covering screening, terms of employment, awareness, and disciplinary processes
- Physical controls (14 controls) covering physical security perimeters, entry controls, equipment security, and clear desk policies
- Technological controls (34 controls) covering access control, cryptography, malware protection, logging, network security, and secure development
11 new controls added in 2022:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
The 2022 update also introduced 5 attributes for classifying controls: control type (preventive, detective, corrective), information security properties (CIA), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities, and security domains. These attributes make it easier to map ISO 27001 controls to other frameworks like NIST CSF and CIS Controls.
The Statement of Applicability
Not every Annex A control applies to every organization. The Statement of Applicability (SoA) documents which controls are applicable to your ISMS, which are implemented, and the justification for any exclusions. It is one of the most important documents in any ISO 27001 implementation and is required for certification audit.
What Is an ISMS?
An Information Security Management System is the set of policies, processes, procedures, and controls an organization uses to manage information security risks systematically. It is not a product you buy. It is a management framework you build and operate.
An effective ISMS takes information security into account across all organizational processes, policies, and activities. It does not treat security as an IT problem bolted onto the side of the business. It integrates security into how the organization operates, from human resources processes to supplier management to software development.
The ISMS consists of measures and controls that minimize information security risks and drive improvement over time. An organization with a functioning ISMS in place has defined accountability for information security at leadership level, assessed its risks systematically, selected and implemented appropriate controls, trained its people, and put monitoring and review processes in place to keep the system effective as the threat landscape changes.
ISO 27001 provides the requirements framework for building and maintaining that system. The standard tells you what the ISMS must achieve. Your ISO 27001 implementation determines how you get there, and the IMS2 methodology used in PECB training gives practitioners a structured roadmap for doing it correctly.
The CIA Triad
The three core principles of information security in ISO 27001 are confidentiality, integrity, and availability. Every control in Annex A maps back to protecting one or more of these properties.
Confidentiality means ensuring that information is accessible only to those authorized to access it. Access controls, encryption, classification policies, and clean desk requirements all serve this principle.
Integrity means ensuring the accuracy and completeness of information and preventing unauthorized modification. Data validation controls, change management processes, and audit logs all serve this principle.
Availability means ensuring that authorized users can access information and associated assets when they need them. Backup procedures, business continuity controls, and incident response plans all serve this principle.
Every information security risk assessment in ISO 27001 evaluates threats and vulnerabilities through the lens of these three properties. A risk that compromises confidentiality is treated differently from one that compromises availability, and the control selection reflects that difference.
ISO 27001 and Regulatory Compliance
One of the most commercially important aspects of ISO 27001 is its relationship to regulation. Implementing ISO 27001 provides demonstrable compliance evidence for a wide range of legal and regulatory requirements.
GDPR
ISO 27001 directly addresses Article 32 of the GDPR, which requires organizations to implement appropriate technical and organizational measures to ensure security of processing. An ISMS based on ISO 27001 provides a robust and auditable framework for demonstrating Article 32 compliance. It does not cover all GDPR obligations: data subject rights, lawful basis determinations, and privacy notices are outside the ISMS scope. It does, however, address the security requirements directly.
NIS2 Directive
The EU Network and Information Security Directive 2 requires essential and important entities across 18 sectors to implement appropriate information security risk management measures. ISO 27001 is widely used as the implementation framework for NIS2 compliance across the EU.
DORA
The Digital Operational Resilience Act applies to financial entities operating in the EU. ISO 27001 aligns with DORA's ICT risk management requirements, particularly around governance, risk assessment, incident management, and operational resilience.
PCI DSS
ISO 27001 overlaps significantly with PCI DSS requirements. Organizations that have implemented ISO 27001 typically find PCI DSS compliance considerably more straightforward because the management system framework is already in place.
HIPAA
For US healthcare organizations, ISO 27001 addresses the administrative and technical safeguard requirements of the HIPAA Security Rule. While HIPAA compliance requires additional specific measures, ISO 27001 provides a strong foundation.
NIST Cybersecurity Framework
ISO 27001 and NIST CSF are frequently used together, particularly by US organizations or those with US operations. The two frameworks are complementary: ISO 27001 provides the management system structure, and NIST CSF provides the cybersecurity function model (identify, protect, detect, respond, recover). The 2022 Annex A attributes explicitly map ISO 27001 controls to NIST CSF functions, making the alignment between ISO 27001 and NIST CSF straightforward to document.
Other frameworks
ISO 27001 also supports compliance with SOX financial reporting requirements, CCPA consumer privacy requirements, PIPEDA in Canada, and many national cybersecurity frameworks. The management system approach provides a single framework that addresses multiple regulatory requirements simultaneously, which is one of the primary drivers of adoption by enterprise organizations.
How ISO 27001 Certification Works for Organizations
Organizational ISO 27001 certification is the process by which an independent, accredited certification body assesses your ISMS against the requirements of the standard and issues a certificate confirming conformity.
The process follows a standard two-stage audit approach.
Stage 1: Documentation Review
The certification body reviews your ISMS documentation, including your information security policy, risk assessment methodology, Statement of Applicability, risk treatment plan, and key procedures. The Stage 1 audit identifies any significant gaps before the on-site assessment and confirms the organization is ready to proceed to Stage 2.
Stage 2: Certification Audit
The certification body conducts an on-site assessment to verify that your documented ISMS is actually implemented and operating effectively. Auditors interview personnel, review evidence, observe processes, and test controls. Nonconformities identified during Stage 2 must be addressed before the certificate is issued.
Surveillance Audits
After initial certification, your certification body conducts surveillance audits, typically annually, to verify ongoing conformity. Full recertification audits occur every three years.
Choosing a certification body
Major certification bodies for ISO 27001 include BSI, TÜV SÜD, DNV, Bureau Veritas, and SGS. The certification body must be accredited by a national accreditation body recognized under the IAF multilateral recognition arrangement. Always verify accreditation status before engaging a certification body.
Typical costs and timelines
Organizational certification costs vary significantly based on organization size, ISMS scope, and certification body selected. Small organizations with a focused scope can expect to invest $15,000 to $30,000 including consultant fees and certification body costs. Large enterprises with complex, multi-site ISMS implementations can see costs of $80,000 and above. The timeline from implementation start to certification is typically 6 to 18 months.
ISO 27001 Personal Certification: Lead Implementer and Lead Auditor
Beyond organizational certification, ISO 27001 supports a well-established individual professional certification pathway through PECB and other certification bodies.
The two primary credentials are Lead Implementer and Lead Auditor. Both are forms of ISO 27001 individual certification, meaning personal credentials that demonstrate your competence as a practitioner, separate from organizational certification.
ISO 27001 Lead Implementer
The Lead Implementer credential is for professionals who design, build, and operate ISMS frameworks inside organizations. If your role involves implementing ISO 27001, managing information security programs, or advising organizations on ISMS implementation, this is the credential you need.
The PECB ISO/IEC 27001 Lead Implementer training runs 5 days, using the IMS2 implementation methodology. It covers the full ISMS implementation lifecycle from initiation and planning through implementation, monitoring, and certification audit preparation. The exam is scenario-based and open book.
ISO 27001 Lead Auditor
The ISO 27001 auditor credential is for professionals who assess ISMS implementations for conformity. It covers both the ISO 27001 internal auditor role, conducting audits within your own organization, and the external auditor role, working for certification bodies or offering third-party ISMS assessment services commercially.
The PECB ISO/IEC 27001 Lead Auditor course is grounded in ISO 19011, the international standard for management system audit guidance. It covers audit principles, audit program management, planning and executing Stage 1 and Stage 2 audits, managing nonconformities, and producing audit reports. It is designed for both internal and external auditors.
Certification pathway
| Credential | Experience Required |
|---|---|
| Provisional Implementer / Auditor | No experience required |
| Implementer / Auditor | Documented professional experience |
| Lead Implementer / Lead Auditor | Senior level experience |
| Senior Lead Implementer / Auditor | Expert level experience |
How most professionals get certified in 2026
At reconn, over 95% of students complete their ISO 27001 certification through self-study or eLearning rather than live classroom or online cohort training. They study on their own schedule using the official PECB courseware, use AI tools like ChatGPT, Claude, and Gemini to work through complex concepts, and come to us with questions when they need support.
| Format | Price | Exam Attempts |
|---|---|---|
| Self-Study | $799 | 2 included |
| eLearning | $899 | 2 included |
| Live Online | $2,000 to $2,500 | 1 included |
The ISO 27001 certification fee for personal credentials starts at $799 through reconn, which is significantly below market rate for live training. The total ISO 27001 cost for individual certification, including exam attempts, is all-inclusive at these prices. The PECB credential is identical regardless of how you prepared. The difference is what you paid and how you studied.
View ISO 27001 Courses at reconn
ISO 27001 vs. ISO 42001: How They Connect
ISO 27001 and ISO 42001 are frequently discussed together and for good reason. They address adjacent governance challenges, use the same management system structure, and are increasingly deployed together by organizations navigating the intersection of information security and artificial intelligence.
ISO 27001 covers information security management across all information assets in an organization. The core question it answers is how to protect information from unauthorized access, modification, and loss.
ISO 42001 covers AI management systems specifically. Its focus is on governing the development, deployment, and use of AI systems responsibly.
Both standards use the High Level Structure and PDCA cycle. Both involve risk assessment, policy development, control selection, internal audit, and management review. An organization already certified to ISO 27001 will find the ISO 42001 implementation methodology immediately familiar.
In practice, the two systems are complementary. AI systems process and generate information assets that fall within the scope of your ISMS. The AI governance controls in ISO 42001 work alongside and extend your existing information security controls. Many organizations are implementing ISO 42001 as an extension of their existing ISO 27001 program rather than as a standalone initiative.
For professionals, holding both the ISO 27001 and ISO 42001 certifications is increasingly becoming the standard for senior AI governance and information security roles.
Who Needs ISO 27001?
Organizations that handle sensitive customer data, operate in regulated industries, sell to enterprise or government customers, or process personal data of EU residents should treat becoming ISO 27001 certified as a strategic priority. Over 70,000 organizations are already certified globally. In many sectors, being ISO 27001 certified is now a procurement baseline rather than a differentiator. It is not a compliance box to tick. It is a governance framework that reduces the actual cost and frequency of security incidents while satisfying regulatory and contractual requirements.
IT and cybersecurity professionals who want to move beyond technical roles into governance, risk, and compliance need ISO 27001 credentials to be credible in those conversations. The Lead Implementer and Lead Auditor certifications are the standard professional baseline for information security leadership roles.
Consultants and advisors working in information security, GRC, digital transformation, or regulatory compliance need ISO 27001 expertise to advise clients effectively. Certified practitioners command significantly higher rates and win contracts that generalists cannot.
AI and technology professionals implementing AI systems that handle sensitive data will find ISO 27001 an essential companion to ISO 42001. The two standards together provide a comprehensive governance framework for responsible AI in enterprise environments.
PECB ISO 27001 Lead Implementer Certification
Build and manage an ISO 27001 information security management system from the ground up. Self-study from $799 or eLearning from $899 — both include 2 exam attempts and official PECB courseware. Study at your own pace with direct query support from a PECB Certified Trainer.
Frequently Asked Questions
What is ISO 27001?
ISO 27001 is the international standard for Information Security Management Systems. It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS to protect the confidentiality, integrity, and availability of information across an organization.
Is ISO 27001 certification mandatory?
Not universally, but increasingly required. NIS2 in the EU, DORA for financial services, and many government and enterprise procurement frameworks either reference or effectively require ISO 27001. Many organizations find it becomes commercially mandatory when selling to enterprise customers or operating in regulated sectors.
How long does ISO 27001 certification take?
Most organizations take 6 to 18 months to achieve certification depending on starting maturity, scope, and internal resources. Small organizations with focused scope can achieve it in 6 months. Large enterprises with complex environments typically take 12 to 18 months.
How much does ISO 27001 certification cost?
For personal certification, reconn offers self-study at $799 and eLearning at $899, both with 2 exam attempts. For organizational certification through a certification body, budget $15,000 to $80,000 depending on organization size and scope.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 specifies what your ISMS must achieve. ISO 27002 provides implementation guidance for the Annex A controls. You use both: 27001 for the management system requirements, 27002 for the control implementation detail.
How many Annex A controls does ISO 27001:2022 have?
ISO 27001:2022 Annex A contains 93 controls across 4 themes: 37 organizational, 8 people, 14 physical, and 34 technological. The 2013 version had 114 controls across 14 categories.
What is the difference between ISO 27001 and ISO 42001?
ISO 27001 covers information security management across all information assets. ISO 42001 covers AI management systems. Both use the same High Level Structure and PDCA approach, making them highly complementary for organizations deploying AI systems.
Does ISO 27001 cover GDPR compliance?
ISO 27001 directly addresses GDPR Article 32, which requires appropriate technical and organizational security measures. It provides strong evidence of compliance with the security requirements. It does not cover all GDPR obligations such as data subject rights or lawful basis determinations.
Conclusion
ISO 27001 is not a niche technical standard. It is the global framework for how organizations manage information security risk systematically. With regulatory pressure increasing across every major jurisdiction, enterprise procurement requirements tightening, and the cost of data breaches continuing to rise, ISO 27001 certification has moved from best practice to business necessity for most organizations handling sensitive data.
For professionals, the Lead Implementer and Lead Auditor credentials are the established pathway into information security governance and GRC leadership roles. They are mature, globally recognized, and increasingly required by employers and clients who need practitioners who can do more than talk about security in abstract terms.
reconn delivers both credentials through self-study and eLearning formats that work around your schedule. The same PECB certification, a fraction of the cost of live training, with direct query support included.
Further Reading
- ISO 27001 Lead Implementer Certification: Complete Guide
- ISO 27001 Lead Auditor Certification: Complete Guide
- ISO 42001: The Complete Guide to AI Management Systems
- What is an ISMS? Information Security Management Explained
- ISO 27001 Gap Analysis: The Complete Field Guide
- ISO 27001 Information Security Policy: Complete Guide