ISO 27001 requirements
ISO/IEC 27001:2022 specifies information security management system requirements across ten clauses, with Annex A providing 93 controls across four themes: organisational, people, physical and technological.
The ten clauses
ISO/IEC 27001:2022 organises its content across ten clauses; Clauses 1 to 3 cover scope, normative references and terms and definitions. The auditable requirements begin at Clause 4.
- Clause 4 (Context): understanding the organisation, identifying interested parties and determining the ISMS scope.
- Clause 5 (Leadership): top management commitment, information security policy, and definition of organisational roles, responsibilities and authorities.
- Clause 6 (Planning): addressing risks and opportunities, conducting information security risk assessment and risk treatment, and setting objectives.
- Clause 7 (Support): provision of resources, competence assurance, awareness-raising, communication and management of documented information.
- Clause 8 (Operation): implementing operational planning, conducting risk assessments and treatment, and controlling externally provided processes.
- Clause 9 (Performance evaluation): monitoring, measurement, analysis, evaluation, internal audit and management review.
- Clause 10 (Improvement): addressing nonconformities, taking corrective action and driving continual improvement.
Annex A — 93 controls in four themes
ISO/IEC 27001:2022 substantially restructured Annex A compared with the 2013 edition. The 2013 edition contained 114 controls organised into 14 control domains. The 2022 edition reduced and reorganised these into 93 controls across four themes.
- Organisational controls (37): information security policies, roles and responsibilities, threat intelligence, information security in project management, supplier and third-party security, incident management and business continuity.
- People controls (8): screening, terms of employment, security awareness and training, and disciplinary processes.
- Physical controls (14): physical security perimeters, clear desk and clear screen, equipment maintenance and secure disposal.
- Technological controls (34): authentication, cryptography, endpoint security, network security, web filtering, secure development, vulnerability management, data masking, monitoring and logging, and cloud security.
Eleven controls are entirely new in the 2022 edition, including threat intelligence, physical security monitoring, configuration management, information deletion and data masking.
Statement of Applicability (SoA) and risk-based selection
Organisations are not required to implement all 93 Annex A controls. The ISMS risk assessment identifies information security risks; the risk treatment process determines which controls are needed to treat those risks to an acceptable level. The Statement of Applicability is a mandatory documented information requirement of ISO/IEC 27001: it lists each Annex A control, states whether it is applicable to the organisation, provides justification for its inclusion or exclusion, and records its implementation status. The SoA is a central document in the certification audit: auditors use it to verify that control selection decisions are risk-driven, that exclusions are justified, and that applicable controls are implemented. The companion standard ISO/IEC 27002:2022 provides implementation guidance for each of the 93 controls, supporting practitioners in translating requirements into operational practice.
Certification process and the 2022 revision
ISO/IEC 27001 certification follows a two-stage audit process conducted by an accredited certification body. Stage 1 (documentation review) assesses the ISMS documentation — including the SoA, risk assessment, risk treatment plan and information security policy — for conformity with the standard's requirements. Stage 2 (conformity assessment) evaluates whether the ISMS operates as documented in practice, through evidence review, staff interviews and observation of controls. Certificates are valid for three years, with annual surveillance audits in years one and two, and a full recertification audit in year three. Organisations previously certified to ISO/IEC 27001:2013 had until 31 October 2025 to transition to the 2022 edition. Key changes in the 2022 edition: restructured Annex A (93 controls in four themes replacing 114 controls in 14 domains); eleven new controls; updated High-Level Structure alignment; and greater emphasis on outcomes and continual improvement.
Key facts
At a glance
- Clauses: ten (clauses 4–10 contain the auditable requirements)
- Annex A: 93 controls in four themes (2022 edition)
- 2022 change: restructured from 114 controls in 14 domains in the 2013 edition
- New controls in 2022: 11 new controls including threat intelligence, cloud security, data masking and configuration management
- Statement of Applicability: mandatory documented information justifying control inclusion and exclusion decisions
- Certification cycle: three years with annual surveillance audits in years one and two
- Companion standard: ISO/IEC 27002:2022 provides implementation guidance for each Annex A control
Common misconceptions
What people often get wrong
Often heard: All 93 Annex A controls must be implemented to achieve ISO 27001 certification.
Actually: Control selection is risk-based. Organisations implement the controls needed to treat their identified information security risks to an acceptable level. Excluded controls must be justified in the Statement of Applicability. Certification auditors assess whether the risk-based selection is sound and documented, not whether all 93 controls are implemented.
Often heard: ISO 27001:2013 and ISO 27001:2022 certifications are interchangeable.
Actually: The 2022 edition has a substantially different Annex A structure and eleven new controls not present in the 2013 edition. The transition deadline for existing certifications was 31 October 2025. Certificates issued against the 2013 edition beyond that date are no longer valid. Organisations must have transitioned to the 2022 edition to maintain an active, recognised certification.
Often heard: Achieving ISO 27001 certification means the organisation will not experience cybersecurity incidents.
Actually: ISO 27001 certifies that a systematic, risk-based information security management system is in place and operating. Incidents can and do occur in certified organisations; the standard requires incident response and management procedures precisely because incidents will happen. Certification reduces risk and improves resilience; it does not eliminate threats.
Common questions
FAQ
What is in the Statement of Applicability?
The Statement of Applicability (SoA) is a mandatory document listing all 93 Annex A controls from ISO/IEC 27001:2022. For each control it states: whether the control is applicable to the organisation; the justification for including it (the risks and legal or contractual obligations it addresses) or excluding it (the reason it is not applicable); and its current implementation status. The SoA is a central document in the certification audit and must be kept current as the ISMS evolves.
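The SoA section above and this FAQ answer both describe the same record structure: one row per Annex A control with an applicability decision, a justification and an implementation status, and an auditor's expectation that the list is complete and that exclusions are justified. The script below is an added example, not part of this guide or of the standard, that checks a machine-readable SoA against those expectations. It assumes the ISO/IEC 27002:2022 control numbering (5.1 to 5.37 organisational, 6.1 to 6.8 people, 7.1 to 7.14 physical, 8.1 to 8.34 technological), which gives the 37/8/14/34 split; the sample rows, the justification text and the risk references are constructed.

```python
"""Consistency checks for an ISO/IEC 27001:2022 Statement of Applicability.

Added example, not the guide's own material. Control identifiers follow the
ISO/IEC 27002:2022 numbering as assumed in the lead-in; all SoA rows are
constructed sample data.
"""
from dataclasses import dataclass

# Theme -> (clause prefix, number of controls); matches the 37/8/14/34 split.
THEMES = {
    "organisational": (5, 37),
    "people": (6, 8),
    "physical": (7, 14),
    "technological": (8, 34),
}

VALID_STATUSES = {"implemented", "partially implemented", "planned", "not applicable"}


def annex_a_catalogue() -> dict[str, str]:
    """Return {control_id: theme} for all 93 Annex A (2022) controls."""
    return {f"{prefix}.{n}": theme
            for theme, (prefix, count) in THEMES.items()
            for n in range(1, count + 1)}


@dataclass
class SoaRow:
    control_id: str
    applicable: bool
    justification: str   # required for inclusion and for exclusion
    status: str


def _control_order(cid: str) -> tuple[int, ...]:
    return tuple(int(part) for part in cid.split("."))


def validate_soa(rows: list[SoaRow]) -> list[str]:
    """Return audit findings; an empty list means every check passed."""
    catalogue = annex_a_catalogue()
    findings, seen = [], set()
    for row in rows:
        if row.control_id not in catalogue:
            findings.append(f"{row.control_id}: not an Annex A (2022) control identifier")
            continue
        if row.control_id in seen:
            findings.append(f"{row.control_id}: listed more than once")
            continue
        seen.add(row.control_id)
        if not row.justification.strip():
            findings.append(f"{row.control_id}: missing justification")
        if row.status not in VALID_STATUSES:
            findings.append(f"{row.control_id}: unknown status {row.status!r}")
        elif row.applicable and row.status == "not applicable":
            findings.append(f"{row.control_id}: applicable but status is 'not applicable'")
        elif not row.applicable and row.status != "not applicable":
            findings.append(f"{row.control_id}: excluded but status is {row.status!r}")
    # Completeness: every one of the 93 controls must appear, even if excluded.
    for cid in sorted(set(catalogue) - seen, key=_control_order):
        findings.append(f"{cid}: not listed in the SoA ({catalogue[cid]} theme)")
    return findings


def theme_summary(rows: list[SoaRow]) -> dict[str, tuple[int, int]]:
    """Return {theme: (applicable controls, controls in theme)}."""
    catalogue = annex_a_catalogue()
    summary = {theme: [0, count] for theme, (_, count) in THEMES.items()}
    for row in rows:
        if row.control_id in catalogue and row.applicable:
            summary[catalogue[row.control_id]][0] += 1
    return {theme: (a, t) for theme, (a, t) in summary.items()}


def complete_sample_soa() -> list[SoaRow]:
    """Constructed SoA: all 93 controls listed, one risk-based exclusion."""
    rows = {cid: SoaRow(cid, True, f"treats risk R-{cid} (constructed)", "implemented")
            for cid in annex_a_catalogue()}
    # Constructed scenario: a control excluded with its reason recorded.
    rows["7.4"] = SoaRow("7.4", False, "no physical premises in ISMS scope (constructed)",
                         "not applicable")
    rows["8.11"] = SoaRow("8.11", True, "treats risk R-8.11 (constructed)", "planned")
    return list(rows.values())


def defective_sample_soa() -> list[SoaRow]:
    """Constructed SoA with the defects an auditor would flag."""
    rows = [r for r in complete_sample_soa() if r.control_id != "5.7"]   # control omitted
    for r in rows:
        if r.control_id == "8.9":
            r.justification = ""                                          # no reason given
        if r.control_id == "6.1":
            r.applicable = False                                          # excluded, yet...
            r.status = "implemented"                                      # ...implemented
    rows.append(SoaRow("5.1", True, "duplicate row (constructed)", "implemented"))
    rows.append(SoaRow("A.5.1.1", True, "2013-style identifier (constructed)", "implemented"))
    return rows


if __name__ == "__main__":
    for label, soa in (("complete", complete_sample_soa()), ("defective", defective_sample_soa())):
        print(f"{label}: {theme_summary(soa)}")
        for finding in validate_soa(soa) or ["no findings"]:
            print("  ", finding)
```

The 2013-style identifier check is the cheapest way to catch an SoA carried over from a 2013-edition ISMS without being restructured; a real SoA would be loaded from a spreadsheet or register rather than constructed in code, but the checks are the same.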
How many controls are in ISO 27001 Annex A?
ISO/IEC 27001:2022 Annex A contains 93 controls organised into four themes: 37 organisational controls, 8 people controls, 14 physical controls and 34 technological controls. This compares with 114 controls in 14 domains in the 2013 edition. The 2022 restructuring consolidated, updated and added controls — introducing 11 new controls including threat intelligence, cloud security configuration, data masking, information deletion and web filtering.
How long does ISO 27001 certification take?
The time from initiating an ISO/IEC 27001 implementation to achieving certification varies with organisational size and complexity. Smaller organisations with limited scope may achieve certification within six to twelve months. Large, complex organisations may require eighteen months to two years. The key phases are: gap analysis against the standard; ISMS implementation including risk assessment, control implementation and documentation; internal audit; management review; and then the Stage 1 and Stage 2 certification audits. A pre-submission meeting with the chosen certification body can help scope and plan the process efficiently.