ISO 27001
ISO/IEC 27001:2022
The world's most recognized standard for information security management.
Issuer: ISO / IEC
Region: Global
Latest version: 2022
Outcome: Accredited certification
Overview
What is ISO 27001?
ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS) — a systematic, risk-based approach to managing the security of information assets. Unlike SOC 2, it results in a formal certification from an accredited body.
The 2022 revision restructured the Annex A controls into 93 controls across four themes, and introduced new controls for areas like threat intelligence, cloud security, and data masking.
Who needs it: Companies that want a globally recognized security credential — common across Europe, the UK, India, and APAC, and increasingly requested alongside or instead of SOC 2.
Inside the framework
Annex A — 93 controls in four themes
Organizational (37 controls)
Policies, roles, supplier relationships, incident management, and the rules that govern your ISMS.
People (8 controls)
Screening, awareness, responsibilities, and conduct for everyone who touches information.
Physical (14 controls)
Securing facilities, equipment, media, and the physical perimeter.
Technological (34 controls)
Access control, cryptography, logging, secure development, and network security.
The management system (Clauses 4–10)
Context, leadership, planning, support, operation, evaluation, and improvement — plus a risk assessment and Statement of Applicability.
With RegShield
Get ISO 27001-ready in a fraction of the time
AI evidence mapping
Upload a policy, screenshot, or config and RegShield maps it to the right ISO 27001 controls in seconds — with confidence scores you can defend in front of an auditor.
Reuse across frameworks
Evidence you collect for ISO 27001 is automatically reused across every other framework you've activated — so the work compounds instead of repeating.
Gaps & audit-ready reports
See your ISO 27001 readiness score, the exact gaps that remain, and concrete remediation steps — then export an audit-ready report.
FAQ
Common questions
How is it different from SOC 2?
ISO 27001 certifies a management system against a fixed standard worldwide; SOC 2 is a US-origin attestation report against the Trust Services Criteria. Many companies pursue both, and most evidence overlaps.
What's a Statement of Applicability?
The SoA documents which Annex A controls apply to you and why — a core certification artifact. RegShield helps you build and maintain it from your evidence.
How long is a certificate valid?
Three years, with annual surveillance audits to confirm the ISMS is still operating effectively.