ISO 27001
Getting Started Guide

ISO/IEC 27001:2022 Information Security Management

The global information security standard. The most recognised security certification in India, EU, and APAC markets.

Audit Effort6–12 months to certification
Key Fact93 Annex A controls across 4 themes

What Is ISO 27001?

ISO/IEC 27001:2022 is an internationally recognised standard for Information Security Management Systems (ISMS). Unlike SOC 2, which produces an audit report, ISO 27001 produces a certificate — issued by an accredited certification body — that confirms your information security management system meets the standard's requirements. The certificate is valid for 3 years with annual surveillance audits.

The standard has two components. The first is a management system framework built around 10 clauses (Clauses 4–10 are mandatory): these cover how you manage security governance, plan and implement controls, monitor performance, and continuously improve. The second is Annex A — a reference set of 93 controls across 4 themes: Organisational, People, Physical, and Technological. You don't implement all 93 — you select the ones relevant to your risk profile and document your choices in a Statement of Applicability.

The 2022 version introduced 11 new controls compared to 2013, covering threat intelligence, cloud security, data masking, secure coding, and web filtering — reflecting the modern cloud-native technology landscape. If you hold an older ISO 27001:2013 certificate, you must transition to the 2022 standard by October 2025.

Does ISO 27001 Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

India-Market B2B Enterprise Vendors

ISO 27001 is the default security credential expected by large Indian corporations and public sector undertakings (PSUs).

Likely applies

SaaS Scaling into Europe and UK

European and UK procurers strongly prefer ISO 27001 over SOC 2 due to its international standardization status.

Likely applies

Dual-Market Global Teams

Building an ISMS establishes the foundations of security. Satisfying ISO 27001 transfers up to 70% of controls to SOC 2.

Likely applies

Defense and Gov Contractors

Public sectors globally mandate certified compliance with international standards to enter supply chains.

Likely applies
You probably don't need ISO 27001 if:
  • Your customer pipeline is entirely located in the US and they specifically demand a SOC 2 audit report.
  • You are in a pre-product development stage and do not yet process active business information.
  • You operate solely in low-risk consulting sectors where buyers accept simple security questionnaires.

Why ISO 27001 Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

2013 Version Decommissioning

All older ISO 27001:2013 certificates expire in October 2025. In 2026, all audits must be against the updated 2022 controls.

NIS2 Supply Chain Audits

Under Europe's NIS2 directive, large businesses are auditing vendors. ISO 27001 is the standard proof of cybersecurity maturity.

Indian PSU Mandates

Indian public sector units have added ISO 27001:2022 as an absolute eligibility requirement in IT service tenders.

The Requirements

The core security controls and evidence parameters audited for ISO 27001.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for ISO 27001.

1
Weeks 1–4

Scope & Risk Assessment

Map the ISMS boundaries, define assets, and conduct the cybersecurity risk assessment.

Key Deliverable:Scope document, Risk Treatment Plan
2
Weeks 5–12

Policy Drafting & Control Build

Draft policies for all applicable Annex A themes and configure monitoring, logging, and access settings.

Key Deliverable:ISMS policies, Statement of Applicability (SoA)
3
Weeks 13–16

Operational History & Audit Prep

Operate controls, run staff training, conduct the mandatory internal audit, and hold a management review.

Key Deliverable:Internal audit report, management review minutes
4
Weeks 17–20

Certification Audits (Stages 1 & 2)

Auditor runs Stage 1 (documentation review) followed by Stage 2 (operational test of all controls).

Key Deliverable:Audit findings report, ISO 27001 Certificate
With Existing Certifications

10–12 weeks: If you have SOC 2, repurpose security policies and evidence logs to speed up Annex A compliance.

Starting from Scratch

20–24 weeks: Starting from scratch requires time to build documentation and establish a history of operations.

The Mistakes That Delay Most ISO 27001 Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Writing the ISMS for the auditor, not the organisation

Why it happens:

Teams create policies and procedures that look correct on paper but don't reflect how anything actually works.

How to avoid it:

For every policy you write, ask: if a new employee read this on their first day, would they know exactly what to do? If not, rewrite it.

Scoping the ISMS to everything

Why it happens:

Larger scope means more controls, more evidence, higher audit cost, and more maintenance.

How to avoid it:

Define a tight, defensible scope. 'The development and operation of the Acme SaaS platform' is better than 'all of Acme's information assets'. Expand scope in subsequent certification cycles.

Treating the Statement of Applicability as a checkbox exercise

Why it happens:

The SoA maps your risk assessment to your Annex A control selection. A poorly-reasoned SoA tells an auditor that the risk assessment wasn't done properly.

How to avoid it:

Every exclusion in your SoA needs a specific justification tied to your risk assessment. 'Not applicable to our business model' is not a justification. 'We have no physical media because we are fully cloud-hosted' is.

Skipping Stage 1 preparation

Why it happens:

Stage 1 is a document review. Teams assume it's easy and turn up with incomplete documentation.

How to avoid it:

Treat Stage 1 as a full documentation audit. Every mandatory document must exist, be approved, and be current before your Stage 1 date.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

ISO 27001 Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

ISO 27001 Checklist

Assess your baseline control posture against ISO 27001 criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about ISO 27001 compliance and certification processes.