ISO 27001 is the international standard for an information security management system, published by ISO and IEC. The current version is ISO/IEC 27001:2022. It sets out how an organisation governs, runs and improves information security, and it can be independently certified by an accredited body. It is a management system, not a product certificate.
An ISO 27001 certificate does not say your organisation is secure. It says you run a system for managing information security, that the system meets a defined standard, and that an independent auditor has checked it. Buyers often read the badge as a guarantee. It is not.
What does ISO 27001 actually certify?
It certifies the management system, not any single product or control. An information security management system, or ISMS, is the set of policies, processes, roles and decisions an organisation uses to manage information security risk. ISO 27001 defines that system in clauses 4 to 10: context, leadership, planning, support, operation, performance evaluation and improvement. Certification confirms the system exists, runs and is improved over time. A control switched on once is not a management system. The standard asks whether you govern security, not whether you bought a tool. For the wider picture, see our complete ISO 27001 guide.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 holds the requirements you are certified against. ISO 27002 is the guidance that explains how to implement the Annex A controls. You certify to 27001. You read 27002 to build and operate the controls. The two get treated as one, which leads teams to chase control detail before they have a management system to hang it on. Get the system right first, then use 27002 to deepen each control. Only 27001 is auditable for certification.
What does Annex A require?
Annex A lists 93 controls grouped into four themes. You do not implement all of them. You select controls from a risk assessment, then record what you included, what you excluded and why in a Statement of Applicability. The 2022 version cut the count from 114 to 93, restructured the old fourteen domains into four themes, and added 11 new controls covering areas such as threat intelligence, cloud services and secure coding. The Statement of Applicability is where an auditor starts, so vague risk decisions surface fast.
| Theme | Controls | Examples |
|---|---|---|
| Organisational | 37 | Security policies, supplier relationships, threat intelligence (new in 2022) |
| People | 8 | Screening, security awareness, remote working |
| Physical | 14 | Secure areas, equipment security, physical monitoring (new in 2022) |
| Technological | 34 | Access control, cryptography, logging, secure development |
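Because the Statement of Applicability is where the auditor starts, it helps to see the consistency checks applied to it. The following is an added example, not code from the article or its author: it cross-checks an SoA against a risk register. Control ids such as ORG-07 are constructed placeholders, not real Annex A numbers; only the per-theme counts (37, 8, 14, 34) come from the text above.

```python
# Added example, not from the article: auditor-style consistency checks on a
# Statement of Applicability. Ids like ORG-07 are constructed placeholders.
THEME_COUNTS = {"Organisational": 37, "People": 8, "Physical": 14, "Technological": 34}

def catalogue():
    """Constructed 2022 catalogue: 93 control ids keyed to their theme."""
    return {f"{theme[:3].upper()}-{i:02d}": theme
            for theme, n in THEME_COUNTS.items() for i in range(1, n + 1)}

def check_soa(soa, risk_register, controls=None):
    """Return findings (strings); an empty list means the SoA is consistent.
    soa: {id: {"applicable": bool, "justification": str, "obligation": bool}},
    where "obligation" marks a legal/contractual basis instead of a risk.
    risk_register: {risk_id: [control ids chosen as treatment]}"""
    controls = controls if controls is not None else catalogue()
    findings = []
    for cid in sorted(set(controls) - set(soa)):        # 1. every control decided
        findings.append(f"{cid}: no decision recorded")
    for cid in sorted(set(soa) - set(controls)):        # 2. no stray/2013-era ids
        findings.append(f"{cid}: not in the 2022 catalogue")
    treated = {c for chosen in risk_register.values() for c in chosen}
    for cid, entry in sorted(soa.items()):
        if cid not in controls:
            continue
        if not entry.get("justification", "").strip():  # 3. reason written down
            findings.append(f"{cid}: missing justification")
        if not entry["applicable"] and cid in treated:  # 4. excluded yet relied on
            findings.append(f"{cid}: excluded but used to treat a risk")
        if entry["applicable"] and cid not in treated and not entry.get("obligation"):
            findings.append(f"{cid}: included but no risk or obligation selects it")  # 5.
    return findings

def sample_findings():
    """Constructed SoA that is complete except for five deliberate defects."""
    cat = catalogue()
    soa = {cid: {"applicable": True, "justification": "treats R-1"} for cid in cat}
    del soa["ORG-07"]                                  # decision never recorded
    soa["LEGACY-01"] = {"applicable": True, "justification": "old numbering"}
    soa["PEO-02"]["justification"] = ""                # reason left blank
    soa["PHY-03"] = {"applicable": False, "justification": "no server room"}
    soa["TEC-05"]["justification"] = "seemed useful"   # no risk, no obligation
    soa["TEC-06"] = {"applicable": True, "justification": "contract clause 9",
                     "obligation": True}               # fine: contractual basis
    register = {"R-1": [c for c in cat if c not in ("TEC-05", "TEC-06")]}
    return check_soa(soa, register)
```

Each finding maps to a question the Stage 1 auditor will ask: why is there no decision, why is an excluded control still a risk treatment, and what selects an included control.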
How does ISO 27001 certification work?
An accredited certification body audits you. This is not a self-declaration or a vendor badge. The initial audit runs in two stages. Stage 1 reviews your documentation and whether the ISMS is ready. Stage 2 tests whether it operates in practice, through evidence, records and interviews. Pass both and the certificate runs for three years, with annual surveillance audits in between and a full recertification at the end of the cycle. The certificate is a point-in-time result at issue, but the surveillance audits mean the system has to keep working, not just look right on audit day. We cover this in Stage 1 versus Stage 2 audits.
Is ISO 27001 mandatory in Australia?
No. The Australian government ties its mandates to the Information Security Manual, IRAP and the Essential Eight, not to ISO 27001. If you sell cloud or software to government, an IRAP assessment is the relevant bar, not an ISO certificate. ISO 27001 demand in Australia is commercial. Customers, partners and tenders ask for it, especially from software and services companies that hold other organisations’ data. It is the most widely recognised security credential in private sector procurement. Required by a buyer, rarely by a law.
How long does ISO 27001 take, and what does it cost?
It depends on size, scope and how much you already run. As an indicative guide from our own engagements, gap analysis and ISMS design commonly take 4 to 8 weeks, and a first certificate more often lands 6 to 12 months out once implementation, evidence and the internal audit are done. Pricing is scoped by complexity rather than published as a rate, because a ten person SaaS and a national insurer are not the same job. The slow part is rarely the audit. It is building the habits the audit checks. See ISO 27001 certification cost and ISO 27001 versus SOC 2 if a US buyer is in the picture.
Frequently asked questions
Is ISO 27001 the same as SOC 2?
No. ISO 27001 certifies a management system against an international standard and is recognised globally. SOC 2 is a US attestation report against the AICPA Trust Services Criteria. Companies selling into the US often hold both.
How many controls are in Annex A?
Annex A lists 93 controls across four themes: 37 organisational, 8 people, 14 physical and 34 technological. Eleven are new in the 2022 version.
Do you have to implement every Annex A control?
No. You select controls from your risk assessment and record the included and excluded controls, with reasons, in the Statement of Applicability.
How long is an ISO 27001 certificate valid?
Three years, with annual surveillance audits during the cycle and a full recertification audit before it expires.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ISO/IEC 27001:2022, Information security management systems, Requirements, 2022
- ISO/IEC 27002:2022, Information security controls, 2022
- ASD, Essential Eight explained, June 2026
Last updated: 21 June, 2026
