ISO 27001 Requirements: What You Need to Know
Suregrid Team
Security Research
ISO 27001 is the international standard for information security management systems (ISMS). While SOC 2 dominates in North America, ISO 27001 is the global standard — recognized and often required across Europe, Asia-Pacific, and increasingly in the US market as well. Understanding ISO 27001 requirements is essential for companies looking to demonstrate security maturity to a global customer base.
ISO 27001 structure: clauses and Annex A
ISO 27001 consists of two main parts. The management system clauses (4 through 10) define the requirements for establishing, implementing, maintaining, and continually improving your ISMS. These clauses cover context of the organization, leadership, planning, support, operation, performance evaluation, and improvement. Annex A provides a reference set of 93 controls (as of the 2022 revision) organized into four themes: organizational controls, people controls, physical controls, and technological controls.
A critical distinction: ISO 27001 does not require you to implement every Annex A control. Instead, you conduct a risk assessment, determine which controls are relevant to your risk profile, and document your selection in a Statement of Applicability (SoA). Controls that are not applicable must be justified.
The risk assessment process
Risk assessment is the foundation of ISO 27001. The standard requires a systematic approach to identifying information security risks, analyzing their likelihood and impact, evaluating them against your risk criteria, and selecting appropriate risk treatment options (mitigate, accept, transfer, or avoid). Your risk assessment methodology must be documented and repeatable, and it must produce consistent, comparable results regardless of who performs the assessment.
In practice, many organizations use a risk matrix approach, scoring threats on a scale for likelihood and impact, then mapping them to Annex A controls. The risk assessment should be reviewed at least annually and whenever significant changes occur to your environment, organization, or threat landscape.
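To make the risk matrix approach and the Statement of Applicability concrete, here is an added worked example (not Suregrid's code or a description of its platform). It scores each risk as likelihood times impact on five-point scales, applies a constructed acceptance threshold, and derives an SoA in which every Annex A control is either applicable (because a risk to be mitigated maps to it) or carries the written justification the standard requires. The risk register, the threshold and the treatment assignments are constructed sample data; the control identifiers are the eleven controls the 2022 revision added, numbered as the editor recalls them from the 2022 Annex A, so check them against your copy of the standard.

```python
"""Toy risk register and Statement of Applicability (SoA) generator.

Added illustration, not vendor code. Scales, threshold and sample risks
are constructed; Annex A identifiers should be checked against the standard.
"""
from dataclasses import dataclass

# Five-point likelihood and impact scales; score = likelihood * impact (1..25).
SCALE = range(1, 6)
# Constructed risk acceptance criterion: a score at or below this may be accepted.
ACCEPT_THRESHOLD = 4
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}

# The eleven controls added in ISO/IEC 27001:2022 Annex A (ids as recalled; verify).
ANNEX_A = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "5.30": "ICT readiness for business continuity",
    "7.4": "Physical security monitoring",
    "8.9": "Configuration management",
    "8.10": "Information deletion",
    "8.11": "Data masking",
    "8.12": "Data leakage prevention",
    "8.16": "Monitoring activities",
    "8.23": "Web filtering",
    "8.28": "Secure coding",
}


@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    likelihood: int
    impact: int
    controls: tuple                 # Annex A ids that would treat this risk if mitigated
    treatment: str = "mitigate"     # owner's proposed option for risks above threshold

    def score(self) -> int:
        return self.likelihood * self.impact


def validate(risk: Risk, annex=ANNEX_A) -> None:
    """Reject register entries that a repeatable methodology must not accept."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.id}: likelihood and impact must be 1..5")
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.id}: unknown treatment {risk.treatment!r}")
    unknown = set(risk.controls) - set(annex)
    if unknown:
        raise ValueError(f"{risk.id}: unknown Annex A controls {sorted(unknown)}")
    if risk.treatment == "mitigate" and not risk.controls:
        raise ValueError(f"{risk.id}: 'mitigate' needs at least one mapped control")


def assess(risks, threshold=ACCEPT_THRESHOLD) -> dict:
    """Apply the risk criteria. A score at or below the threshold is accepted
    whatever the owner proposed; anything above keeps mitigate/transfer/avoid."""
    decisions = {}
    for r in risks:
        validate(r)
        s = r.score()
        decisions[r.id] = (s, "accept" if s <= threshold else r.treatment)
    return decisions


def statement_of_applicability(risks, threshold=ACCEPT_THRESHOLD, annex=ANNEX_A) -> dict:
    """A control is applicable only if a risk that will be mitigated maps to it.
    Every other control gets a written justification, as the standard requires."""
    decisions = assess(risks, threshold)
    by_control = {cid: [] for cid in annex}          # cid -> [(risk_id, treatment)]
    for r in risks:
        for cid in r.controls:
            by_control[cid].append((r.id, decisions[r.id][1]))
    soa = {}
    for cid, name in annex.items():
        mitigated = [rid for rid, t in by_control[cid] if t == "mitigate"]
        if mitigated:
            row = {"applicable": True, "justification": "treats " + ", ".join(mitigated)}
        elif by_control[cid]:
            refs = ", ".join(f"{rid} ({t})" for rid, t in by_control[cid])
            row = {"applicable": False,
                   "justification": f"maps only to risks not being mitigated: {refs}"}
        else:
            row = {"applicable": False,
                   "justification": "no in-scope risk identified that this control would treat"}
        soa[cid] = {"name": name, **row}
    return soa


# Constructed sample register for a small SaaS company (not real assessment data).
SAMPLE_RISKS = (
    Risk("R1", "Misconfigured cloud storage exposes customer data", 3, 5, ("5.23", "8.9")),
    Risk("R2", "Ransomware makes production unavailable", 2, 5, ("5.30", "5.7")),
    Risk("R3", "Injection flaw shipped in the web application", 3, 4, ("8.28", "8.16")),
    Risk("R4", "Visitor tailgates into the office", 1, 2, ("7.4",)),
    Risk("R5", "Breach at outsourced payroll provider", 2, 4, (), treatment="transfer"),
)

if __name__ == "__main__":
    for rid, (score, treatment) in assess(SAMPLE_RISKS).items():
        print(f"{rid}: score={score:2d} treatment={treatment}")
    for cid, row in statement_of_applicability(SAMPLE_RISKS).items():
        mark = "A " if row["applicable"] else "NA"
        print(f"{cid:5} {mark} {row['name']}: {row['justification']}")
```

The point of the two justification branches is the distinction the standard draws: a control that maps only to accepted or transferred risks is still "not applicable", but the SoA must say why, and the reason is traceable back to a specific risk decision rather than a blank. Re-running the script after the register changes (the annual review, or a significant change to the environment) regenerates the SoA from the same criteria, which is what makes the methodology repeatable.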
Key changes in ISO 27001:2022
The 2022 revision introduced several important changes. Annex A was restructured from 14 domains with 114 controls to 4 themes with 93 controls. Eleven new controls were added, including threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Organizations certified under the 2013 version had until October 2025 to transition.
Implementing an ISMS: practical steps
Building an ISMS from scratch typically takes three to six months, depending on organizational size and complexity. Start with scoping — define the boundaries of your ISMS (which systems, departments, and data are in scope). Conduct the risk assessment and select controls. Develop policies and procedures. Implement controls and begin collecting evidence. Train staff on their security responsibilities. Conduct an internal audit. Address any findings and go through the Stage 1 (documentation review) and Stage 2 (operational assessment) certification audit.
Suregrid supports ISO 27001 alongside SOC 2 and other frameworks with shared evidence and control mapping, so adding ISO 27001 to an existing SOC 2 program is incremental rather than starting from zero.
Maintaining certification
ISO 27001 certification is valid for three years, with annual surveillance audits in years two and three. Maintaining certification requires ongoing management reviews, internal audits, corrective actions for non-conformities, and continuous improvement. Automating evidence collection and control monitoring through a compliance platform ensures you stay audit-ready year-round rather than scrambling before each surveillance audit.