BastionSec

ISO/IEC 27001, explained without the hype

What an ISMS is, how the standard is built, the 93 Annex A controls, the certification process, honest timelines and cost lines. An informational guide, not a sales pitch.

  • Certifies a management system (the ISMS), not a single product.
  • Whoever prepares you cannot certify you: an accredited body issues the certificate.
  • Typical preparation 3-6 months; certificate valid for 3 years.

What ISO/IEC 27001 is

ISO/IEC 27001 is the international standard for information security management. It doesn't certify a product or a single technical control: it certifies a management system, the ISMS (Information Security Management System), the way an organisation identifies risks to its information and keeps them under control over time.

The current version is ISO/IEC 27001:2022, supported by ISO/IEC 27002:2022, which is not certifiable but provides detailed guidance on the controls referenced by 27001.

The key point, often misunderstood: 27001 does not require you to be “100% secure” (no one is). It requires a documented, working process to assess risk, decide how to treat it, apply controls and keep improving. It's a living system, not a binder on a shelf.

Who it applies to (and when you actually need it)

ISO 27001 is voluntary: no general law mandates it. In practice it becomes “effectively mandatory” when:

  • a B2B SaaS or vendor is asked for certification as a condition to sign an enterprise contract (the classic “deal blocked by the security questionnaire”);
  • a startup wants to show investors or large customers a credible security posture;
  • a company handles third-party data (IT vendors, payroll, healthcare) where trust is part of the product;
  • a foreign company entering the Italian/EU market needs to prove compliance to local partners and clients.

If no one is asking and you have no concrete driver (a deal, a raise, a market), it may not be your priority right now: understand why you need it first.

How it's built: the standard's structure and Annex A

Clauses 4-10 are the management system requirements, mandatory and non-negotiable: context and scope; leadership; risk assessment and treatment; support; operation; performance evaluation (internal audit, management review); improvement.

Annex A is the catalogue of controls: 93 controls in the 2022 version, grouped into 4 themes per ISO/IEC 27002:2022: Organizational (37, controls 5.1-5.37), People (8, controls 6.1-6.8), Physical (14, controls 7.1-7.14) and Technological (34, controls 8.1-8.34). You don't have to implement all 93, but you do have to account for every one of them: the Statement of Applicability (SoA) lists each control, marks it applicable or not on the basis of your risk assessment, records whether it is implemented, and justifies both inclusions and exclusions (clause 6.1.3 d). A control that is simply absent from the SoA is a finding, not an exclusion.
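The kind of check this implies, as an added example (not BastionSec's tooling or anything prescribed by the standard): the script below encodes only the Annex A 2022 numbering (5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34) and runs over a CSV export of an SoA, reporting controls that are missing, listed twice, not valid ids, lacking a justification, or marked applicable without an implementation status. The CSV column names (`control`, `applicable`, `justification`, `implemented`) and the sample rows are assumptions constructed for the example.

```python
"""Statement of Applicability (SoA) completeness check.

Added example for this page, not BastionSec tooling. It knows only the
Annex A numbering of ISO/IEC 27001:2022 and checks that an SoA export
accounts for every one of the 93 controls with a justification.
The CSV column names below are an assumption about the export format.
"""
import csv
import io

# Annex A 2022 themes: clause number -> (theme name, number of controls)
ANNEX_A_THEMES = {
    5: ("Organizational", 37),
    6: ("People", 8),
    7: ("Physical", 14),
    8: ("Technological", 34),
}


def annex_a_ids():
    """All 93 Annex A control ids, '5.1' .. '8.34'."""
    return [
        f"{clause}.{n}"
        for clause, (_theme, count) in ANNEX_A_THEMES.items()
        for n in range(1, count + 1)
    ]


def _sort_key(cid):
    # Numeric sort so '5.10' follows '5.9' rather than '5.1'.
    return tuple(int(part) for part in cid.split("."))


def check_soa(csv_text):
    """Check an SoA CSV (assumed columns: control, applicable, justification,
    implemented). Returns counts, the ids not listed at all, and findings."""
    expected = set(annex_a_ids())
    seen = set()
    findings = []
    applicable = excluded = 0

    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control"].strip()
        if cid not in expected:
            findings.append(f"{cid}: not an Annex A 2022 control id")
            continue
        if cid in seen:
            findings.append(f"{cid}: listed more than once")
            continue
        seen.add(cid)
        is_applicable = row["applicable"].strip().lower() == "yes"
        if is_applicable:
            applicable += 1
        else:
            excluded += 1
        # Clause 6.1.3 d) wants a justification for inclusions and exclusions alike.
        if not (row.get("justification") or "").strip():
            kind = "inclusion" if is_applicable else "exclusion"
            findings.append(f"{cid}: {kind} has no justification")
        # An applicable control with no implementation status is what Stage 2 probes.
        status = (row.get("implemented") or "").strip().lower()
        if is_applicable and status not in ("yes", "partial"):
            findings.append(f"{cid}: applicable but implemented='{status or 'blank'}'")

    missing = sorted(expected - seen, key=_sort_key)
    return {
        "total": len(expected),
        "listed": len(seen),
        "applicable": applicable,
        "excluded": excluded,
        "missing": missing,
        "findings": findings,
    }


# Constructed sample: a deliberately short and flawed SoA export.
SAMPLE_SOA = """control,applicable,justification,implemented
5.1,yes,Policies required by contract and risk R-03,yes
6.3,yes,Awareness training addresses phishing risk R-07,partial
7.4,no,,n/a
8.5,yes,MFA required for all admin and remote access,
9.1,yes,Typo: not an Annex A id,yes
5.1,yes,Duplicate row,yes
"""

if __name__ == "__main__":
    result = check_soa(SAMPLE_SOA)
    print(f"{result['listed']}/{result['total']} controls listed, "
          f"{result['applicable']} applicable, {result['excluded']} excluded")
    for finding in result["findings"]:
        print("finding:", finding)
    print("missing:", len(result["missing"]), "e.g.", result["missing"][:5])
```

On the constructed sample this reports 4 of 93 controls listed, 89 missing, and four findings (an unjustified exclusion, an applicable control with blank implementation status, an invalid id and a duplicate). Run the same check against a real export before the internal audit, not during Stage 1.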

The requirements in practice

What an auditor expects to see: a clear ISMS scope; a documented risk assessment methodology plus a risk register and a risk treatment plan; the Statement of Applicability; a set of policies and procedures; operational evidence that controls actually run (logs, tested backups, vulnerability management, access records, training); a completed internal audit and management review.

Auditors don't grade “nice documents”: they check that the system actually works and produces consistent evidence.

The certification process, step by step

1) Gap analysis / readiness.
2) Scoping and risk assessment (register, treatment plan, SoA).
3) Policies and documentation.
4) Control implementation.
5) Internal audit and management review.
6) Certification audit by an accredited third party: Stage 1 (documentation review and readiness check) and Stage 2 (the certification audit itself, where nonconformities are raised). A major nonconformity must be corrected and verified before the certificate is issued; a minor one needs an accepted corrective action plan and is followed up at the next audit.
7) Certification and maintenance: valid 3 years, with annual surveillance audits and recertification in year 3.

Firm boundary: whoever prepares the organisation cannot be the one that certifies it. Certification is issued by an independent accredited certification body. This is an accreditation rule (the impartiality requirements of ISO/IEC 17021-1, which the body's own accreditation depends on), not a formality.

Honest timelines

Preparation: typically 3-6 months, heavily dependent on starting maturity. Certification body audit: Stage 1 then Stage 2. Validity: 3 years, with annual surveillance and recertification in year 3.

Be wary of blanket “ISO 27001 in 3 months” claims: that timeline is realistic only with adequate readiness already in place. 27001 is a system that has to run and produce evidence: that takes time.

Typical cost lines

  • Preparation/consulting (gap analysis, documentation, implementation, audit support).
  • The certification body audit (Stage 1 + Stage 2), billed by the body and separate from consulting.
  • Annual surveillance (years 2-3), a recurring body cost.
  • Internal costs (team time, tooling for logging, MFA/SSO, vulnerability management).
  • Recertification in year 3.

We don't post a flat price here: it depends on scope; the certification body's fee is always separate (and rightly so, it's independent).

Common mistakes

  • Scope too broad: certifying “the whole company” when one product or team would do. More cost and complexity, no value.
  • Documents disconnected from reality: beautiful policies no one applies. The Stage 2 audit catches it fast.
  • Skipping the internal audit: it's a requirement, not an option. Without it, you don't reach certification.
  • Confusing certification (27001) with attestation (SOC 2). They are different things.
  • Assuming it equals GDPR compliance: it helps with the security measures, but it doesn't make you GDPR-compliant.
  • Treating it as a one-off rather than a 3-year cycle with maintenance.

ISO 27001 vs SOC 2 and others

ISO 27001 = certification, accredited body, valid 3 years, global and EU-strong. SOC 2 = attestation, a CPA report under AICPA standards (a Type II report requires an observation period, typically several months), US-dominant. Many companies do both to cover EU and US.

ISO 42001 = AI management (AIMS), same high-level structure, integrates well if you run AI systems. GDPR = legal requirements of its own; complementary, not equivalent. 27001 provides the security infrastructure, GDPR has its own legal duties.

ISO 27001: frequently asked

Is ISO 27001 a certification or an attestation?

A certification, issued by an independent accredited body. Whoever prepares the organisation cannot certify it.

How long is the certificate valid?

3 years, with annual surveillance audits and recertification in year 3.

How many Annex A controls are in the 2022 version?

93 controls in 4 themes (Organizational, People, Physical, Technological) per ISO/IEC 27002:2022, applied per the risk assessment and documented in the Statement of Applicability.

Does 27001 make me GDPR-compliant?

No. It strongly helps with security measures, but GDPR has its own legal requirements. They're distinct.

Can the people who prepared me also certify me?

No: preparer and certifier must be independent (ISO/IEC 17021).

How BastionSec supports you. We don't issue the certificate (an independent accredited body does). What we do is guide you through the whole journey: gap analysis, risk assessment, documentation, control implementation, internal audit and managing the certification audit with the body. Human-led, with AI accelerating documentation and an expert validating everything.

Want support all the way to ISO 27001 certification?

See how we guide you: gap analysis, the ISMS, internal audit and managing the audit with the body.