The complete ISO 27001 guide
Everything you need to know to plan, implement, and maintain an ISO 27001-certified ISMS.
This guide walks through ISO 27001 from first principles to ongoing operation. It's written for security and compliance leads who are building their first ISMS or maturing an existing program.
What is ISO 27001?
ISO/IEC 27001 is the international standard for information security management systems (ISMS). Certification against it by an accredited certification body is a public signal that your organization has implemented a structured, risk-based approach to protecting information, and that an independent auditor has verified it.
The 2022 revision (ISO/IEC 27001:2022) restructured Annex A from the 114 controls in 14 domains of the 2013 edition into 93 controls grouped into four themes: organizational, people, physical, and technological.
The structure of an ISMS
Every ISMS has the same foundational parts, which map to the mandatory clauses of the standard:
- Context and scope. What you're protecting, for whom, and why.
- Leadership and commitment. Top management buy-in, documented in policy and in assigned roles.
- Risk assessment and treatment. Identify, analyze, evaluate, and treat risks using a repeatable method.
- Statement of Applicability. Which Annex A controls apply, which are excluded, and the justification for each.
- Support. Resources, competence, awareness, and controlled documentation.
- Operation. Run the program day-to-day and keep the evidence that proves it.
- Performance evaluation. Measure effectiveness through monitoring, internal audit, and management review.
- Improvement. Track nonconformities and corrective actions to close the loop.
Planning your certification
Budget 3–6 months for your first certification, depending on where you're starting from, and leave time at the end for the certification body's Stage 1 (documentation review) and Stage 2 (implementation) audits. The biggest time sinks are scope definition and evidence collection, both of which Asurvo accelerates dramatically.
Common pitfalls
- Over-scoping. Keep your first ISMS scope as narrow as defensible, but make sure it still covers the systems and data your customers expect the certificate to cover; a certificate for a scope nobody cares about signals little.
- Consultant dependency. Use consultants to accelerate, not to own your program; your own staff must be able to explain and operate the ISMS to the auditor.
- Static documentation. Your ISMS is alive; spreadsheets that nobody updates between audits can't keep up, and stale documentation is a common nonconformity.
Maintaining certification
After initial certification, the certificate is valid for three years. During that period you'll face surveillance audits annually, which sample parts of the ISMS, and a full recertification audit every three years, which covers the whole of it. A well-run program that collects evidence continuously makes these events routine rather than crises.