ISO/IEC 27001 is the international standard for an information security management system (ISMS). Published jointly by the International Organization for Standardization and the International Electrotechnical Commission and most recently revised in 2022 (ISO/IEC 27001:2022), it sets out the requirements for establishing, implementing, maintaining, and continually improving a systematic approach to managing information security risk.
Unlike a checklist of controls, ISO 27001 is a management-system standard: it defines how an organization should govern security, not just which safeguards to deploy.
This page is part of our GRC frameworks hub. For the broader discipline, see our complete guide to governance, risk, and compliance.
What ISO 27001 requires
At its core, ISO 27001 requires an organization to identify its information security risks and apply a managed set of controls to treat them, all within a documented, auditable management system.
The mandatory requirements sit in Clauses 4 through 10: context of the organization (including ISMS scope), leadership, planning (where risk assessment and risk treatment are defined), support and resources, operation, performance evaluation (monitoring, internal audit, and management review), and improvement. Together these follow the plan-do-check-act cycle shared by ISO management-system standards.
The controls themselves live in Annex A, which in the 2022 revision comprises 93 controls drawn from ISO/IEC 27002:2022 and grouped into four themes: organizational, people, physical, and technological. Annex A is a reference set rather than an exhaustive one; an organization may add controls from other sources where its risk assessment calls for them.
Organizations record their control selection in a documented Statement of Applicability, which lists the controls deemed necessary, justifies their inclusion, states whether each is implemented, and justifies the exclusion of any Annex A control not applied, all traced back to the risk assessment.
Certification
ISO 27001 is certifiable: an accredited external certification body audits the ISMS and, if it conforms, issues a certificate valid for three years, subject to annual surveillance audits and a recertification audit at the end of the cycle. Certification is a strong trust signal, and often a procurement requirement when selling internationally, because it is independently verified rather than self-attested.
The path typically runs from a gap assessment, through ISMS implementation, an internal audit, and a management review, to a two-stage certification audit: Stage 1 reviews the ISMS documentation and readiness, and Stage 2 examines evidence that the controls and processes are actually operating as described.
How ISO 27001 fits a GRC program
ISO 27001 maps cleanly onto the disciplines of GRC: its risk assessment and treatment requirements are risk management, its control set and Statement of Applicability are the heart of compliance management, and its internal-audit and management-review requirements align with audit and assurance.
Because its controls cross-map readily to other frameworks, an ISO 27001 program is often the backbone onto which SOC 2, NIST, and regulatory requirements are layered. Platforms in our compliance management software directory automate much of the evidence collection it demands.
Frequently asked questions
What is ISO 27001?
ISO 27001 is the international standard for an information security management system (ISMS) — a documented, risk-based framework for managing information security that organizations can be independently certified against.
What is the difference between ISO 27001 and SOC 2?
ISO 27001 is a certifiable international standard centered on a management system, resulting in a certificate. SOC 2 is an attestation report produced by an auditor against trust services criteria, more common in North America. Many organizations pursue both, mapping shared controls across them.
How long does ISO 27001 certification take?
For most organizations, six to twelve months from start to certification, depending on size, maturity, and how much of an ISMS already exists. Automation platforms and pre-built control libraries can shorten the timeline.
Is ISO 27001 mandatory?
No — ISO 27001 is voluntary, but it is frequently required contractually by customers and partners, which makes it effectively mandatory for many organizations selling into security-conscious markets.