ISO/IEC 27001 - The Complete Certification Guide for Information Security Management

A comprehensive guide to ISO/IEC 27001 — the global standard for information security management systems. Learn what it covers, who needs it, how to build an ISMS, what the certification audit involves, and how to maintain certification year after year.

ISO/IEC 27001 is the world's most widely adopted information security standard. With over 70,000 certificates issued across more than 150 countries, it has become the global benchmark for how organisations manage information security risk systematically and demonstrably. Whether you are pursuing certification to win government contracts in Europe, satisfy supply chain requirements in the Middle East, or demonstrate security maturity to global enterprise customers, ISO 27001 is the most recognised credential you can achieve.


What Is ISO/IEC 27001?

ISO/IEC 27001 is an international standard published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). Its full title is Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements.

The current version is ISO/IEC 27001:2022, which replaced the 2013 version and introduced significant updates to Annex A controls, reducing the control set from 114 controls in 14 domains to 93 controls in 4 themes.

At its core, ISO 27001 defines requirements for an Information Security Management System (ISMS) — a systematic framework for managing information security risks through policies, procedures, processes, and controls that are continually monitored and improved.


The ISO 27001 ISMS Structure

ISO 27001 is structured around the Plan-Do-Check-Act (PDCA) cycle and follows the Annex SL high-level structure shared by all ISO management system standards. It contains ten clauses:

Clauses 1–3: Scope, normative references, and terms and definitions (informational)

Clause 4 — Context of the Organisation: Understanding the organisation's internal and external context, identifying interested parties and their requirements, and defining the scope of the ISMS.

Clause 5 — Leadership: Top management's commitment to the ISMS, establishment of information security policies, and assignment of roles and responsibilities.

Clause 6 — Planning: Risk assessment methodology, risk treatment process, Statement of Applicability (SoA), and ISMS objectives.

Clause 7 — Support: Resources, competence, awareness, communication, and documented information requirements.

Clause 8 — Operation: Implementing and controlling the ISMS, conducting risk assessments and treatment, and documenting results.

Clause 9 — Performance Evaluation: Monitoring, measurement, analysis, evaluation, internal audit, and management review.

Clause 10 — Improvement: Nonconformity and corrective action, and continual improvement.


Annex A Controls: The 93 Security Controls

Annex A of ISO 27001:2022 contains 93 controls organised into four themes:

Theme 1: Organisational Controls (37 controls)

Covering governance, policy, roles, responsibilities, information security in projects, supplier relationships, incident management, business continuity, and compliance.

Theme 2: People Controls (8 controls)

Covering personnel screening, terms of employment, information security awareness, training and education, disciplinary process, and responsibilities after termination.

Theme 3: Physical Controls (14 controls)

Covering physical security perimeters, physical entry controls, securing offices and facilities, clear desk policy, equipment security, and secure disposal.

Theme 4: Technological Controls (34 controls)

Covering access control, authentication, information access restriction, cryptography, secure development, vulnerability management, network security, logging, monitoring, and many others.

The Statement of Applicability (SoA) is a mandatory document that lists all 93 Annex A controls and states, for each, whether it is applicable to your ISMS and, if not, why it has been excluded. The SoA is one of the first documents certification auditors examine.


The ISO 27001 Risk Assessment Process

Risk assessment is the engine of ISO 27001. Everything flows from a structured, documented risk assessment that:

  1. Identifies information assets within the ISMS scope — systems, data, processes, personnel, facilities
  2. Identifies threats and vulnerabilities relevant to each asset
  3. Assesses risk — combining likelihood and impact to produce a risk rating
  4. Identifies risk owners — individuals accountable for managing each identified risk
  5. Determines risk treatment — accept, avoid, transfer, or mitigate each risk
  6. Selects controls from Annex A (and other sources) to mitigate identified risks
  7. Documents the risk register and treatment plan

The risk assessment must be repeatable and comparable — meaning two people performing the assessment using your methodology should produce similar results. This requires a defined risk scoring methodology, documented criteria, and calibrated rating scales.
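The scoring methodology and register checks that the steps above and the SoA paragraph describe, as an added example that is not part of the original article: the 1 to 5 scales, rating bands, risk-appetite threshold, and the sample register and SoA entries (including the Annex A control ids used in them) are constructed assumptions that an ISMS would define for itself.

```python
# Deterministic risk scoring and register checks for the assessment steps above. Added
# example, not the standard's text; scales, bands, appetite and control ids are assumptions.
from dataclasses import dataclass, field
# Calibrated 1-5 scales with written criteria, so two assessors score alike.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
APPETITE = 8  # ratings above this must be treated (assumed threshold)

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    owner: str                       # accountable individual (step 4)
    treatment: str = ""              # accept / avoid / transfer / mitigate (step 5)
    controls: list = field(default_factory=list)  # Annex A ids, e.g. "A.8.5" (step 6)

def score(likelihood: int, impact: int) -> int:
    """Rating = likelihood x impact on the defined scales (1..25)."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("value outside the defined scale")
    return likelihood * impact

def band(rating: int) -> str:
    """Map a rating to a band; the cut-offs are assumed methodology values."""
    return "critical" if rating >= 15 else "high" if rating >= 9 else "medium" if rating >= 4 else "low"

def register_findings(risks, soa):
    """Check a register against the methodology and the SoA (control id -> applicable?)."""
    findings = []
    for r in risks:
        key, rating = f"{r.asset}/{r.threat}", score(r.likelihood, r.impact)
        if not r.owner:
            findings.append(f"{key}: no risk owner")
        if rating > APPETITE and r.treatment in ("", "accept"):
            findings.append(f"{key}: rating {rating} exceeds appetite but is not treated")
        for c in r.controls:
            if not soa.get(c, False):
                findings.append(f"{key}: control {c} is excluded from or missing in the SoA")
    return findings
# Constructed sample register and partial SoA (entries are illustrative only).
SOA = {"A.8.5": True, "A.8.8": True, "A.7.10": False}
RISKS = [
    Risk("customer DB", "credential theft", 4, 5, "CISO", "mitigate", ["A.8.5"]),
    Risk("build server", "unpatched service", 3, 4, "", "mitigate", ["A.8.8", "A.7.10"]),
    Risk("office printer", "paper left in tray", 2, 1, "Facilities", "accept"),
    Risk("payroll SaaS", "vendor outage", 3, 4, "CFO", "accept"),
]
```

Running `register_findings(RISKS, SOA)` on the constructed register reports the missing owner, the accepted risk that sits above appetite, and the control that the SoA excludes, which are exactly the inconsistencies an auditor reviewing the register against the SoA would raise.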


The ISO 27001 Certification Journey

Stage 1: Define the ISMS Scope

The scope definition sets the boundary of what the ISO 27001 certification covers. Options include:

  • The entire organisation
  • A specific division, product, or service
  • A specific location or set of locations
  • A specific information system or platform

Scope decisions affect both the cost and credibility of the certification. Scoping out significant portions of your organisation without clear justification raises auditor questions and may reduce the commercial value of the certificate.

Stage 2: Gap Assessment (ISO 27001 Baseline Assessment)

A systematic comparison of your current information security practices against every ISO 27001 clause requirement and relevant Annex A control. The output is a structured gap report identifying:

  • Requirements that are fully met
  • Requirements that are partially met and need improvement
  • Requirements for which no controls currently exist

Stage 3: Build the ISMS Documentation

ISO 27001 requires a minimum set of documented information. Mandatory documents include:

  • Information security policy
  • ISMS scope document
  • Risk assessment methodology and results
  • Risk treatment plan
  • Statement of Applicability
  • Information security objectives
  • Evidence of competence and awareness
  • Operational planning documentation
  • Internal audit programme and results
  • Management review records
  • Nonconformity and corrective action records

Beyond mandatory documents, most organisations also maintain supporting policies covering access control, cryptography, physical security, asset management, supplier security, incident management, and business continuity.

Stage 4: Implement Controls

Using the risk treatment plan and SoA as the guide, implement all selected Annex A controls. Technical implementation items commonly include:

  • Multi-factor authentication across all systems
  • Role-based access control and least-privilege enforcement
  • Encryption of data in transit and at rest
  • Centralised log management and security monitoring
  • Vulnerability scanning and patch management processes
  • Secure backup and recovery procedures
  • Network segmentation and firewall management
  • Endpoint protection and mobile device management

Stage 5: Operate the ISMS

The ISMS must be operational — not just documented — before the certification audit. This means:

  • Risk assessments have been performed and documented
  • Controls have been implemented and evidenced
  • Awareness training has been delivered to all in-scope personnel
  • Internal audits have been planned and at least one has been completed
  • A management review meeting has been held with documented outputs

Stage 6: Stage 1 Certification Audit (Document Review)

The certification body conducts the Stage 1 audit — primarily a document review to assess:

  • Whether the ISMS is sufficiently developed and documented
  • Whether the scope is appropriately defined
  • Whether mandatory documents are present and complete
  • Whether the organisation is ready to proceed to Stage 2

Stage 1 typically produces a Stage 1 report identifying any areas that must be addressed before Stage 2 proceeds.

Stage 7: Stage 2 Certification Audit (Effectiveness Assessment)

The Stage 2 audit is the full certification audit. Auditors:

  • Test the implementation and effectiveness of controls across the ISMS scope
  • Interview personnel across the organisation on their security awareness and responsibilities
  • Verify that the ISMS is genuinely operational, not just documented
  • Sample evidence across all control domains
  • Issue findings classified as Major Nonconformities, Minor Nonconformities, or Opportunities for Improvement

Major Nonconformities must be resolved before the certificate is issued. Minor Nonconformities must be resolved within a defined timeframe with evidence of closure. A clean Stage 2 audit with only Opportunities for Improvement results in immediate certificate issuance.

Stage 8: Certification Issuance

The certification body issues the ISO 27001 certificate, which is valid for three years subject to:

  • Annual surveillance audits (covering approximately one-third of the scope each year)
  • A recertification audit at the end of the three-year cycle

ISO 27001 vs SOC 2: Which One Do You Need?

                ISO 27001                                               SOC 2
Type            Certification                                           Attestation report
Issued by       Accredited certification body                           Licensed CPA firm
Recognition     Global, particularly Europe, Middle East, Asia, Africa  Strongest in North America
Duration        Three-year certificate (annual surveillance)            Annual report
Framework       Management system + 93 controls                         Trust Services Criteria
Focus           Risk management and systematic security                 Operational controls for service organisations

Many organisations pursue both — ISO 27001 for global market access and supply chain requirements, and SOC 2 for North American enterprise sales. When implemented together, the two frameworks share significant control overlap, reducing the total implementation effort.


ISO 27001 for Different Organisation Sizes

Startups (20–100 people): ISO 27001 is achievable with a focused twelve to twenty-week program. Keep the scope tight (core product infrastructure and the team that builds and operates it), use a risk-based approach to prioritise controls, and build documentation that is proportionate to your scale.

SMBs (100–500 people): Multiple products, departments, and systems require a more structured ISMS. Dedicated ownership, a defined risk management process, and regular management reviews are essential for sustained certification.

Large enterprises: Enterprise ISO 27001 programs span multiple sites, divisions, and jurisdictions. The management system infrastructure — governance, risk reporting, internal audit, management review — must be robust enough to function at scale across the entire certification scope.

Why Organisations Choose Savadub

Deep GRC Expertise

Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.

Engineers, Not Just Consultants

We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.

Global and African Regulatory Coverage

We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.

Internal and External Audit Capability

We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.

End-to-End Engagement

From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.

Industries We Serve

Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage

Deliverables You Receive

Working with Savadub, every engagement delivers a concrete set of outputs:

  • Gap Assessment Report — prioritised findings with effort estimates and risk ratings
  • Compliance Roadmap — milestone-based plan from current state to certification or attestation
  • Risk Register — organisational risk register with treatment plans
  • Policy Pack — all required policies authored, reviewed, and approved
  • Technical Control Implementation Evidence — configurations, screenshots, and audit trails
  • Internal Audit Report — independent assessment of control effectiveness
  • Audit Evidence Repository — organised, auditor-ready evidence collection
  • Executive Summary Presentation — board and leadership-ready compliance status
  • Remediation Tracker — structured tracking of open findings and closure evidence
  • Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance

Get Started with Savadub

Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.

Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.

Contact us:

  • Email: grc@savadub.com
  • Phone: +234 816 734 2201
  • WhatsApp: +234 903 234 8435
  • Website: www.savadub.com
