ISO 27001 in Plain English
The international security standard, minus the jargon: what an ISMS is, what the 2022 controls cover, and how certification actually works.
People hear "ISO 27001" and picture a checklist of security controls to tick off. That's the part everyone fixates on, and it's the smaller half of the standard. The bigger half — the part auditors actually care most about — is whether you've built a system for managing security that keeps running after the consultant leaves. Miss that and you can have every control in the book and still fail the audit.
So let me take this apart in order: what the standard is built from, what the 2022 controls cover, and what certification really involves, including roughly what it costs and how long it takes.
What an ISMS actually is
The heart of ISO 27001 is the Information Security Management System, or ISMS. The name is grander than the idea. An ISMS is just the documented, repeatable way your organization decides what to protect, how to protect it, and how to keep improving that over time. It's a management process, not a piece of software.
Concretely, an ISMS means you've defined your scope, identified your risks, decided how to treat each one, written the policies that govern your decisions, assigned ownership, and set up a cycle to review and improve all of it. The standard cares less about whether you picked control X and more about whether you have a deliberate, evidenced process for deciding that X was the right call.
This is the bit that trips up teams coming from a SOC-2-first mindset. ISO isn't asking "do you have these controls?" so much as "do you run a functioning system that produces and maintains the right controls?"
The clauses versus Annex A
ISO 27001 has two distinct parts, and understanding the split clears up most of the confusion.
The management-system clauses (clauses 4 through 10) are the mandatory requirements for the ISMS itself. These cover the things that make security a managed discipline rather than a one-time push:
- Context and scope — what you're protecting and where the boundaries sit.
- Leadership — documented commitment from the top, not just an engineer volunteering. The standard explicitly wants management involved.
- Risk assessment and treatment — a defined method for identifying risks and deciding what to do about each one. This is the engine of the whole thing.
- Support and operation — resources, competence, awareness, documentation, and running the controls day to day.
- Performance evaluation — internal audits and management reviews to check the ISMS is working.
- Continual improvement — handling nonconformities and getting better over time.
Annex A is the catalog of security controls you select from, based on what your risk assessment turned up. The clauses tell you how to run the system; Annex A gives you the menu of controls the system might choose to apply.
What the 2022 controls cover
The current version is ISO/IEC 27001:2022, and the 2022 update reorganized Annex A significantly. There are now 93 controls grouped into four themes (the older 2013 version had 114 controls across 14 domains). The reshuffle mirrors the restructuring of ISO/IEC 27002:2022, which is where the implementation guidance for each control lives; it merged overlapping controls, made the catalog easier to reason about, and added 11 new controls for modern realities like threat intelligence, cloud services, and data masking.
| Theme | Controls | Roughly what it covers | Examples |
|---|---|---|---|
| Organizational | 37 | Policies, roles, supplier and cloud risk, incident management | Information security policies, vendor security, threat intelligence |
| People | 8 | The human side of security | Screening, awareness training, remote working, onboarding/offboarding |
| Physical | 14 | Securing premises and equipment | Secure areas, clear desk, equipment disposal, physical entry |
| Technological | 34 | The technical controls engineers think of first | Access control, encryption, logging, secure development, data masking |
The key thing: you don't have to implement all 93. You implement the ones your risk assessment justifies, and you document the rest — which brings us to the single most ISO-specific artifact.
The Statement of Applicability
The Statement of Applicability (SoA) is the document auditors will always ask for, and it's where the clauses and Annex A meet: clause 6.1.3 requires you to compare your chosen controls against Annex A so nothing necessary is missed, and to produce the SoA as the record of that comparison. The SoA lists every Annex A control and states, for each one, whether you've applied it, how (pointing at the policy, procedure, or evidence that implements it), and, if you haven't, why it's not applicable to your scope.
That last part is what makes the SoA more than a checklist. Excluding a control is fine, but you have to justify the exclusion against your risk assessment. The SoA is, in effect, the auditable record of every security decision your ISMS has made. Get it right and the audit goes smoothly; treat it as a formality and you'll spend Stage 2 defending choices you never actually reasoned through.
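The cross-checks an auditor runs on an SoA are mechanical enough to script. The following is an added example, not from the original article and not an official ISO artifact: a Python check that reads a Statement of Applicability alongside a risk treatment plan and flags the three classic failures (a control applied with no evidence pointer, a control missing from the SoA altogether, and a risk whose treatment relies on a control the SoA excludes). The control numbers and titles are the ISO/IEC 27001:2022 Annex A ones; the SoA entries, risk IDs, and evidence references are constructed for illustration.

```python
"""Statement of Applicability consistency check (added example, not an
official ISO tool). Control IDs/titles follow ISO/IEC 27001:2022 Annex A;
the register contents below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SoaEntry:
    control_id: str          # Annex A identifier, e.g. "8.11"
    title: str
    applicable: bool
    justification: str       # the risk (or scope fact) behind the decision
    implementation: str = "" # policy/procedure/evidence reference when applied


@dataclass(frozen=True)
class RiskTreatment:
    risk_id: str
    description: str
    controls: tuple[str, ...]  # Annex A controls relied on to treat the risk


# Constructed subset of the Annex A catalog (six of the 93 controls).
ANNEX_A_SUBSET = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "7.7": "Clear desk and clear screen",
    "8.11": "Data masking",
    "8.15": "Logging",
    "8.25": "Secure development life cycle",
}

# Constructed SoA: deliberately contains three defects an auditor would find.
SAMPLE_SOA = [
    SoaEntry("5.7", "Threat intelligence", True, "Treats R-02", "TI-PROC-01"),
    SoaEntry("5.23", "Information security for use of cloud services", True,
             "Treats R-01", "CLOUD-STD-02"),
    SoaEntry("7.7", "Clear desk and clear screen", False,
             "Fully remote; no shared office premises in scope"),
    SoaEntry("8.11", "Data masking", False,
             "Production data is never used outside production"),
    SoaEntry("8.15", "Logging", True, "Treats R-01, R-02"),  # no evidence ref
    # 8.25 is absent from the SoA entirely
]

# Constructed risk treatment plan; R-04 contradicts the 8.11 exclusion above.
SAMPLE_RISKS = [
    RiskTreatment("R-01", "Cloud misconfiguration exposes customer data",
                  ("5.23", "8.15")),
    RiskTreatment("R-02", "Undetected intrusion in production", ("8.15", "5.7")),
    RiskTreatment("R-04", "Test environment seeded with real customer data",
                  ("8.11",)),
]


def check_soa(soa: list[SoaEntry], risks: list[RiskTreatment],
              catalog: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the SoA is consistent."""
    findings: list[str] = []
    seen: dict[str, SoaEntry] = {}

    # 1. Every listed control is real, unique, justified, and evidenced if applied.
    for entry in soa:
        label = f"{entry.control_id} ({catalog.get(entry.control_id, 'unknown')})"
        if entry.control_id not in catalog:
            findings.append(f"{label}: not an Annex A control")
        if entry.control_id in seen:
            findings.append(f"{label}: listed more than once")
        seen[entry.control_id] = entry
        if not entry.justification.strip():
            findings.append(f"{label}: no justification recorded")
        if entry.applicable and not entry.implementation.strip():
            findings.append(f"{label}: marked applicable but no implementation "
                            f"or evidence reference")

    # 2. The SoA must list every Annex A control, applied or excluded.
    for control_id, title in catalog.items():
        if control_id not in seen:
            findings.append(f"{control_id} ({title}): absent from the SoA; "
                            f"every Annex A control must be listed")

    # 3. No risk treatment may rely on a control the SoA excludes.
    for risk in risks:
        for control_id in risk.controls:
            entry = seen.get(control_id)
            label = f"{control_id} ({catalog.get(control_id, 'unknown')})"
            if entry is None:
                findings.append(f"{risk.risk_id}: relies on {label}, "
                                f"which is not in the SoA")
            elif not entry.applicable:
                findings.append(f"{risk.risk_id}: relies on {label}, "
                                f"which the SoA excludes")
    return findings


if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA, SAMPLE_RISKS, ANNEX_A_SUBSET):
        print("FINDING:", finding)
```

Run against the sample data this reports exactly the three defects planted in it. The third check is the one that matters most for Stage 2: an exclusion is only defensible if nothing in your own risk treatment plan depends on the excluded control, and that is precisely the contradiction an auditor will look for.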
How certification actually works
Unlike SOC 2, ISO 27001 is a genuine certification, and the audit comes in defined stages from an accredited certification body. Check that accreditation before you sign: the body should be accredited by a national accreditation body (UKAS, ANAB, and their peers) to certify ISMSs, because a certificate from an unaccredited body is one most customers' procurement teams will not accept.
- Stage 1 audit (documentation review). The auditor checks that your ISMS exists on paper — scope, policies, risk assessment, the SoA. They're confirming you're ready for the real audit and flagging gaps before they cost you.
- Stage 2 audit (implementation review). The auditor tests that the ISMS is actually operating — that the controls you documented are running and producing evidence. Pass this and you're certified.
- Surveillance audits. Lighter annual check-ins (typically in years one and two) confirming you haven't let the ISMS lapse.
- Recertification. The certificate runs on a three-year cycle; at the end you do a fuller recertification audit to renew.
That cadence is part of what distinguishes ISO from a SOC 2 report. You're not buying a point-in-time opinion — you're committing to an ongoing system that gets re-checked yearly and renewed every three. I compared the two head to head, including who should pick which, in SOC 2 vs ISO 27001.
Cost and timeline
Plan for six to twelve months to your first certificate, because you have to stand up the ISMS and then run it long enough to generate evidence before Stage 2. In practice that means having completed at least one internal audit and one management review before the Stage 2 auditor arrives, since both are clause requirements and the auditor will ask for the records. Teams with mature security move faster; teams starting from scratch take longer.
On budget, the certification body's fees for a first certification commonly land in the $15,000 to $40,000+ range depending on your size and scope, and that's before internal time and any consulting help. As with every framework, the audit fee is the smaller number — the real spend is the people-hours to build and operate the ISMS. A compliance automation platform can carry a lot of the evidence and documentation load, especially if you're mapping ISO onto controls you already run for SOC 2.
ISO 27001 looks intimidating from the outside, and the clause numbers don't help. But strip away the formatting and it's asking something reasonable: run a deliberate, documented, improving process for protecting information, and prove it keeps running. Build that process for real and the certificate is mostly a matter of writing down what you already do. For where ISO sits relative to SOC 2, HIPAA, and the rest, start with our frameworks guide.