What is ISO 27001? A plain-English primer
What is ISO 27001, what an ISMS actually is, and why the Statement of Applicability matters. A CPA firm's jargon-free primer for US SaaS founders.
Dev Agarwal, CPA. Licensed CPA · Founder

A European buyer asks if you are "ISO 27001 certified." You nod, hang up, and realize you have no idea what the acronym actually means. The first three search results are consultant pages that start with "In today's threat landscape..." and end with a demo request, and you still do not know what you would be buying.
Here is the version we wish those pages had written.
What ISO 27001 is
ISO 27001 is an international standard for managing information security. It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and the current version is ISO/IEC 27001:2022. The standard describes the requirements for an Information Security Management System (ISMS): a documented, operating program of policies, processes, risk decisions, and controls that a company uses to protect information. It is maintained by the joint technical committee ISO/IEC JTC 1/SC 27, which also publishes the rest of the ISO 27000 family.
The standard is not a tool, not a checklist, and not a product. It is a set of requirements against which an accredited body can certify a company's management system.
Why "ISO/IEC 27001" and "ISO 27001" both show up
"ISO/IEC 27001" and "ISO 27001" refer to the same document. IEC is the joint publisher with ISO, so the formal citation is ISO/IEC 27001:2022. Most people shorten it to ISO 27001 in conversation, and both spellings are correct. If you see "ISO27001" with no space, that is also the same standard, written by someone in a hurry.
Nothing changes about the requirements based on how the name is punctuated.
What an ISMS actually is
The ISMS is the thing being certified, and it is easy to miss what kind of thing it is.
An ISMS is not a tool you buy. It is not a SaaS product, a GRC platform, or a module inside Vanta or Drata. It is a management system: a set of policies, a set of processes, the people who run them, the records they produce, and a feedback loop that measures whether the system is working and improves it when it is not.
Think of it the way a finance team thinks about closing the books. There is no single "books-closing tool" that makes a finance function. There is a close calendar, a set of controls, people with defined roles, reviews, adjustments, and an improvement cycle. The ISMS is the same shape, applied to information security.
If you cannot point at the thing, the ISMS is not real yet. The auditor will notice.
Clauses 4 through 10 in plain language
The body of ISO 27001 is short. Seven numbered clauses describe what an ISMS must contain. In plain English:
- Clause 4, Context. Know what you do, who depends on you, and what is in scope of the ISMS. Not your whole company; the part your customers care about.
- Clause 5, Leadership. Someone senior owns information security, signs the policy, and actually commits resources to it.
- Clause 6, Planning. A documented way of assessing risks, a risk register that gets updated, and a plan for treating the risks you accept, mitigate, or transfer.
- Clause 7, Support. People are competent and trained, information is communicated, and documents are version controlled.
- Clause 8, Operation. The controls run in real life, not just on paper.
- Clause 9, Performance evaluation. Internal audits and management reviews happen on a cadence, with evidence, before anyone walks in to certify you.
- Clause 10, Improvement. When something goes wrong, the corrective action is documented, tracked, and closed.
That is the management system. The control details live in Annex A. Our ISO 27001 requirements post is the deeper walkthrough if you want the clause-by-clause version.
Annex A and the 93 reference controls
Annex A is the catalogue of security controls the standard expects you to consider. In the 2022 revision there are 93 controls, grouped into four themes:
- Organizational (37 controls). Policies, roles, supplier relationships, incident management, continuity.
- People (8 controls). Screening, terms of employment, awareness, disciplinary process, remote working.
- Physical (14 controls). Secure areas, equipment, clear desks, cabling.
- Technological (34 controls). Access control, cryptography, logging, secure development, vulnerability management.
The 2022 revision consolidated the old 114-control list from the 2013 version and added a handful of modern controls (threat intelligence, information deletion, data masking, secure coding, cloud services). If a blog post or vendor still talks about "114 Annex A controls," it is quoting the old version. The detailed guidance for each of these controls lives in the companion standard, ISO/IEC 27002:2022, which is the code of practice that Annex A references.
Annex A is a reference set, not a mandatory checklist. Which controls actually apply to your company is decided in the Statement of Applicability.
The Statement of Applicability
The Statement of Applicability (SoA) is the single most important document in your ISMS. It is a table that lists every Annex A control and, for each one, states whether it applies to your company and why.
For each of the 93 controls you write one of two things:
- Applicable, with a short justification and a pointer to how the control is implemented.
- Excluded, with a justification the auditor will scrutinize.
The SoA is the map an auditor uses to test your ISMS. It is also the map your buyer's security team asks for when they want to know what you actually do, beyond the one-page certificate. A vague SoA is the fastest way to turn a smooth stage 2 audit into a painful one.
Clauses 4 through 10 are the management system. Annex A is the control catalogue. The Statement of Applicability is the bridge between them, and the document that decides how your audit goes.
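The rules above (every Annex A control listed once, each row marked Applicable or Excluded with a justification, applicable rows pointing at an implementation, and theme counts of 37/8/14/34) are mechanical enough to check before an auditor does. The following is an added example, not part of the original post and not a SecurancePro tool: a small checker for an SoA kept as a CSV, run against a constructed, deliberately incomplete sample. The column names and the sample rows are assumptions.

```python
"""Consistency checks for a Statement of Applicability (SoA) kept as CSV."""
import csv
import io

# Annex A control counts per theme in ISO/IEC 27001:2022, as stated in the article.
EXPECTED_THEME_COUNTS = {"Organizational": 37, "People": 8, "Physical": 14, "Technological": 34}
VALID_STATUSES = {"Applicable", "Excluded"}


def check_soa(rows):
    """Return a list of findings for SoA rows given as dicts with the keys
    control_id, theme, status, justification and implementation (assumed column names)."""
    findings = []
    seen = set()
    theme_counts = {theme: 0 for theme in EXPECTED_THEME_COUNTS}
    for row in rows:
        cid = row["control_id"]
        if cid in seen:
            findings.append(f"{cid}: listed more than once")
        seen.add(cid)
        theme = row["theme"]
        if theme in theme_counts:
            theme_counts[theme] += 1
        else:
            findings.append(f"{cid}: unknown theme {theme!r}")
        status = row["status"]
        if status not in VALID_STATUSES:
            findings.append(f"{cid}: status must be Applicable or Excluded, got {status!r}")
        if not row["justification"].strip():
            findings.append(f"{cid}: missing justification")  # both statuses need one
        if status == "Applicable" and not row["implementation"].strip():
            findings.append(f"{cid}: applicable control has no implementation pointer")
    for theme, expected in EXPECTED_THEME_COUNTS.items():
        if theme_counts[theme] != expected:
            findings.append(f"{theme}: {theme_counts[theme]} rows, expected {expected}")
    return findings


def parse_soa_csv(text):
    """Parse an SoA CSV with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample (not a real SoA): four rows, two of them defective,
# and far fewer than the 93 rows a complete SoA must contain.
SAMPLE_SOA = """control_id,theme,status,justification,implementation
A.5.1,Organizational,Applicable,Policies are required for all staff,POL-01 Information security policy
A.6.1,People,Applicable,All hires are screened before start date,HR-02 Screening procedure
A.7.4,Physical,Excluded,,
A.8.24,Technological,Applicable,Customer data is encrypted at rest,
"""

if __name__ == "__main__":
    for finding in check_soa(parse_soa_csv(SAMPLE_SOA)):
        print(finding)
```

Against the sample it reports the excluded control with no justification, the applicable control with no implementation pointer, and one shortfall per theme; a clean run on a full SoA returns an empty list.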
What "certified" means
Certification is a separate question from the standard itself. ISO does not certify companies. An accredited certification body does, through a two-stage initial audit followed by annual surveillance and a three-year recertification cycle. SecurancePro does not issue ISO 27001 certificates; we are a CPA firm. The full mechanics, including who the certification bodies are and what the stage 1 and stage 2 audits look like, are in our ISO 27001 certification walkthrough.
If someone tells you they can "certify" you and also consult on the build, they are describing a setup the accreditation rules do not allow.
ISO 27001 vs SOC 2, in one paragraph
If you sell to European, UK, Japanese, or Middle Eastern buyers, ISO 27001 is usually the default ask. If you sell to US enterprise buyers, SOC 2 is. The two frameworks overlap on roughly 70 to 80% of controls, so companies with mixed buyer geography often run both as a single evidence program with two sets of labels. Our SOC 2 vs ISO 27001 post is the full decision piece, including the three sequences that actually work in practice and the case for parallel programs when the pipeline has logos on both sides.
If you are standing up an ISMS for the first time and want a CPA firm's read on scope, risk methodology, and the sequence that gets you to a certificate without paying for stage 1 twice, see our compliance services or get in touch.