
ISO 27001 Certification: The Complete Guide (2022)

ISO 27001 certification is the international benchmark for information security, proving to customers and regulators that you manage information risk through a structured, independently audited management system. Achieving ISO 27001 certification signals that security isn’t an afterthought but a governed programme. This guide walks through what the standard is, how certification works, what it costs, how long it takes, and how to get started.

ISO 27001 certification toolkit templates
An editable ISO 27001 certification toolkit covering every mandatory document.

What is ISO 27001?

ISO/IEC 27001 is an international standard that specifies the requirements for an Information Security Management System (ISMS) — a structured framework of policies, processes, and controls for protecting the confidentiality, integrity, and availability of information. It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The current version is ISO/IEC 27001:2022, which replaced the 2013 edition. If you’re starting a project today, build against the 2022 revision: certificates issued against the 2013 edition must be transitioned to the 2022 edition by 31 October 2025, after which they are no longer valid.

Why get ISO 27001 certification?

  • Win more business. Enterprise and public-sector buyers increasingly require ISO 27001 before they’ll sign — it shortens security questionnaires and unblocks deals.
  • Reduce risk. A working ISMS surfaces and treats security risks before they become incidents.
  • Meet regulatory expectations. Certification is not proof of legal compliance, but a working ISMS gives you the documented risk assessment, selected controls, and evidence that regimes such as GDPR (Article 32, security of processing) and the HIPAA Security Rule expect you to be able to show.
  • Build trust. A certificate from an accredited body is independent proof, not a self-assessment.

How the standard is structured

ISO 27001 has two parts:

1. The management clauses (Clauses 4–10)

These are the mandatory requirements every certified organization must meet — context, leadership, planning, support, operation, performance evaluation, and improvement. They define how your ISMS is run and continually improved.

2. Annex A controls

Annex A lists 93 security controls grouped into four themes — Organizational, People, Physical, and Technological. You don’t implement all 93 blindly, but you do have to consider every one of them: your risk treatment decides which controls are applicable, and the Statement of Applicability records, for each control, whether it is included, whether it is implemented, and why any control has been excluded. Auditors check the SoA against your risk treatment plan, so an exclusion without a risk-based justification is a common finding. We break these down in the Annex A controls guide.

The documentation ISO 27001 requires

A common early question is: which documents do we actually need? There’s a defined set of mandatory documents and records, plus the Annex A policies your risk assessment makes applicable. See the full breakdown in our ISO 27001 required documents checklist.

Skip the blank page.

The ISO 27001 Toolkit gives you every mandatory document and Annex A policy as fully editable, auditor-written Word & Excel files — pre-mapped to ISO/IEC 27001:2022, so you tailor instead of author from scratch.

Explore the ISO 27001 Toolkit →

The certification process, step by step

  1. Gap analysis. Compare your current state against the standard to see how far you have to go.
  2. Define scope & context. Decide which parts of the business the ISMS covers.
  3. Risk assessment & treatment. Identify information security risks, then decide how to treat each one.
  4. Build the ISMS. Write the mandatory policies and procedures and implement the selected Annex A controls.
  5. Operate it. Run the ISMS long enough to generate records such as risk reviews, access reviews, incident logs, and training records (auditors want evidence it actually works, not just that it is documented).
  6. Internal audit & management review. Check the ISMS yourself and have leadership formally review it.
  7. Stage 1 audit. The certification body reviews your documentation for readiness.
  8. Stage 2 audit. The auditor tests whether your ISMS is genuinely implemented and effective.
  9. Certification. Close any major nonconformities from Stage 2, and you receive a certificate valid for three years, with surveillance audits in years one and two and a full recertification audit before the certificate expires.

How long does it take, and what does it cost?

Timelines vary with company size, scope, and how much you start with. Most organizations reach certification in roughly three to twelve months. Certification-body fees scale with the number of audit days, which is driven mainly by headcount and scope, so narrowing the scope to the systems and sites that actually handle the information you need to protect reduces both cost and audit time. We cover the realistic timeline and the factors that speed it up or slow it down in our guide on how long ISO 27001 certification takes.

ISO 27001 vs. SOC 2

If your buyers are North American SaaS companies, you may be weighing ISO 27001 against SOC 2. They overlap heavily but serve different audiences and work differently. We compare them directly in our ISO 27001 vs SOC 2 comparison.

The full requirements are published by ISO, and ISO 27001 certification is granted by an accredited certification body after a two-stage audit — not by ISO itself. An accredited body is one approved by a national accreditation body (such as UKAS in the UK or ANAB in the US) that belongs to the International Accreditation Forum; that accreditation is what makes your certificate recognised globally, so check it before signing a contract with a certification body.

How to get started

The fastest route is to avoid re-inventing documentation that already has a well-established structure. Start from a complete, auditor-written set of policies and registers, then tailor them to your organization and risk profile.

