AuditXYZ

Lesson 1 of 5

What Is ISO 27001? A Plain-English Introduction

10 min read | Beginner

What Is ISO 27001?

ISO 27001 is an international standard that describes how to manage information security systematically. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System — known as an ISMS.

Think of the ISMS as your organization's master plan for keeping data safe. It is not a checklist of technical controls (though it includes those). It is a management system — a set of policies, processes, and practices that ensure security is considered at every level of the organization.

A Brief History

The standard traces its roots to BS 7799, a British Standard first published in 1995. Its second part, BS 7799-2, which specified the requirements for a management system, became the international standard ISO/IEC 27001 in 2005 (Part 1, the code of practice, became ISO/IEC 17799 and later ISO/IEC 27002). The standard has been revised twice since then — in 2013, when it adopted the common high-level clause structure shared with other ISO management system standards, and most recently in 2022. The 2022 revision reorganized the Annex A controls from 14 categories into 4 themes and reduced the total from 114 to 93, mostly by merging overlapping controls, while adding 11 new ones (for example threat intelligence, cloud services, and data leakage prevention).

How ISO 27001 Is Structured

The standard has two main parts:

Clauses 4 through 10 define the management system requirements. These are mandatory — you must satisfy all of them to achieve certification. They cover context of the organization, leadership, planning, support, operation, performance evaluation, and improvement.

Annex A lists 93 reference controls organized into four themes: organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). You do not need to implement every Annex A control, only those needed to treat your identified risks, and you may add controls from other sources. You do, however, have to consider every one of them: Clause 6.1.3 requires you to compare your chosen controls against Annex A to confirm nothing necessary was overlooked, and your Statement of Applicability (SoA) must list all 93 controls, state whether each is included or excluded, justify every exclusion, and record whether each included control is actually implemented. Auditors read the SoA closely, so an exclusion such as "not applicable" needs a real reason (for example, no software development takes place in scope).

ISO 27001 vs SOC 2

This is the comparison everyone asks about. Here are the key differences:

  • Origin: ISO 27001 is an international standard; SOC 2 is a US-based framework from the AICPA
  • Output: ISO 27001 results in a certificate with a three-year cycle, but it is kept valid only by passing annual surveillance audits, with a full recertification audit before it expires; SOC 2 results in an attestation report, either a Type I (control design at a point in time) or a Type II (design and operating effectiveness over a review period, commonly 6 to 12 months), with no certificate and no ongoing validity beyond the period covered
  • Approach: ISO 27001 is risk-based (you choose and justify controls based on your risk assessment); SOC 2 is criteria-based (you must address the Trust Services Criteria you select, with Security always required and Availability, Processing Integrity, Confidentiality, and Privacy optional)
  • Geography: ISO 27001 is recognized globally; SOC 2 is primarily recognized in North America
  • Auditor: ISO 27001 audits are performed by accredited certification bodies; SOC 2 audits must be performed by licensed CPA firms

Why Companies Pursue Certification

The three most common drivers are customer requirements (enterprise buyers requesting it), international market access (ISO 27001 is expected in Europe and Asia), and operational maturity (the ISMS framework genuinely improves how organizations manage security).

In the next lesson, we will dive into the fundamentals of building an ISMS.