ISO/IEC 27001:2022

Information security management, done properly.

ISO/IEC 27001:2022 is the world’s leading standard for information security management systems. Audit41 Readiness helps you assess your gaps against the standard — and build the evidence base your certification auditor will expect.

1M+ certificates issued globally
150+ countries with certified organisations

The standard

What is ISO/IEC 27001:2022?

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it defines what an ISMS must contain and how it must operate.

The 2022 revision — ISO/IEC 27001:2022 — introduced 11 new controls, reorganised Annex A into four control themes (Organisational, People, Physical, Technological), and added explicit requirements for threat intelligence, cloud security, and data masking. Organisations certified under the 2013 version had until October 31, 2025 to transition to the 2022 standard.

Certification to ISO 27001 is issued by accredited certification bodies — not by ISO itself. The standard applies to any organisation of any size in any sector. It is increasingly required by enterprise customers, government procurement, and regulated industries as proof that information security is managed systematically.

Published by: ISO & IEC (joint standard)

Current version: ISO/IEC 27001:2022 (transition deadline from the 2013 version: October 31, 2025)

Scope: Any organisation, any size, any sector; no minimum size threshold

Certification: Issued by accredited certification bodies, not by ISO directly; requires a formal external audit

93 controls across four themes.

A.5 Organisational controls (37 controls): Policies, roles, responsibilities, threat intelligence, information security in projects, supply chain security, and business continuity planning.

A.6 People controls (8 controls): Screening, terms of employment, security awareness training, disciplinary process, and remote working.

A.7 Physical controls (14 controls): Physical security perimeters, clear desk and screen policies, equipment maintenance, and secure disposal of media.

A.8 Technological controls (34 controls, including 11 new in 2022): Access control, cryptography, vulnerability management, network security, secure coding, data masking, web filtering, and cloud security (new in 2022).

The 2022 revision added 11 new controls specifically addressing modern threats: threat intelligence, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, and cloud security.

Why it matters

ISO 27001 is becoming a commercial requirement.

1. Enterprise customers demand it

An increasing proportion of enterprise procurement processes require ISO 27001 certification as a prerequisite. Without it, you are disqualified before the conversation starts.

2. Regulators reference it

NIS2 in Belgium, Slovenia, and Croatia explicitly accepts ISO 27001 as a compliance path. In Belgium, ISO 27001 certification gives a presumption of conformity with NIS2 — removing the need for a separate NIS2 audit.

3. It demonstrates board-level accountability

ISO 27001 requires management to approve and oversee the ISMS. This aligns directly with NIS2’s management liability requirements — achieving both in parallel is more efficient than treating them as separate programmes.

4. The 2022 version covers modern threats

Cloud security, data masking, threat intelligence, and secure development are now explicit requirements — not optional extensions. The 2022 revision reflects the current threat landscape, not the 2005 one.

5. It reduces cyber insurance costs

Many cyber insurers offer premium reductions for ISO 27001 certified organisations. The certification signals a systematic approach to risk — exactly what underwriters want to see.

How Audit41 helps

From gap assessment to certification-ready evidence.

Gap assessment

Know your Annex A gaps before your auditor does

Audit41 Readiness maps your current controls against all 93 ISO 27001 Annex A controls. Every gap is identified, classified by severity, and linked to the specific control reference.

Remediation roadmap

A prioritised action plan, not a checklist

Gaps are ranked by risk exposure and effort to close. Your remediation roadmap tells you what to fix first — so you are certification-ready before your Stage 2 audit, not scrambling the week before.

Evidence structure

Outputs formatted for your certification body

Gap findings reports and executive summaries are structured the way accredited certification bodies expect to see them. Show your auditor a defensible, traceable evidence base from day one.

Efficiency tip

ISO 27001 and NIS2 share significant overlap.

If your organisation needs both NIS2 compliance and ISO 27001 certification, assessing them together is significantly more efficient than running two separate programmes. Controls for access management, incident response, supply chain security, business continuity, and cryptography map directly between the frameworks.

The Audit41 Readiness Programme plan (up to 3 projects) lets you run NIS2 and ISO 27001 assessments under one subscription, so you can address both frameworks without managing two separate contracts.

Get started with your ISO 27001 gap assessment.

Tell us about your organisation and we'll send you everything you need to start — including a tailored plan recommendation.

Looking to check your NIS2 scope first? The free self-check covers NIS2 for all 30 EU+EEA countries.