What Is ISO Compliance? ISO 27001 Explained
ISO compliance is adherence to the ISO/IEC standards for information security, in practice the ISO/IEC 27001 standard that specifies the requirements for an information security management system.
An auditor does not ask whether you have a firewall. They ask to see the risk assessment that decided you needed one, the policy that governs it, the owner accountable for it, the log that proves it runs, and the management review where someone looked at all of that and signed off. ISO compliance is the discipline of being able to answer all five. It is less about any single control and more about proving the whole thing is a managed system, not a pile of tools someone bought.
For most organizations, ISO compliance means one standard in particular: ISO/IEC 27001, the international standard for an information security management system (ISMS). The current edition is ISO/IEC 27001:2022. This guide covers what ISO compliance is, where 27001 sits in the broader ISO/IEC 27000 family, the structure of the standard and its Annex A controls, the certification cycle, and how a security team actually demonstrates conformance. The audience here is the practitioner who has to produce the evidence, not the consultant who sells the engagement.
What is ISO compliance?
ISO compliance is adherence to the standards published by the International Organization for Standardization, the independent body that develops and maintains consensus standards across thousands of fields. In security, the term almost always refers to the ISO/IEC standards for information security, jointly developed by ISO and the International Electrotechnical Commission (IEC). The flagship is ISO/IEC 27001, which specifies the requirements for an ISMS.
The key word is system. ISO/IEC 27001 does not hand you a checklist of controls to deploy. It requires you to build a management system: define the scope, assess your risks, decide which controls treat those risks, document why, assign ownership, operate the controls, measure them, and review the whole thing on a cycle. The controls themselves are the visible part. The system that decides, governs, and improves them is what the standard certifies.
That distinction is why ISO compliance is harder to fake than a tooling checklist and more useful as a signal. A certificate against ISO/IEC 27001 tells a customer, regulator, or partner that an accredited third party examined the organization's security management and found it conformant. It is recognized internationally, which is why it shows up in vendor due diligence, procurement requirements, and contracts across most regulated industries.
The ISO/IEC 27000 family
ISO/IEC 27001 does not stand alone. It anchors a family of related standards, the ISO/IEC 27000 series, that supply the vocabulary, the implementation guidance, and the sector-specific extensions. Knowing which is which prevents a common mistake: treating a guidance document as if it were a certifiable requirement. Only 27001 is the standard you certify against. The rest support it.
| Standard | Role | Certifiable? |
|---|---|---|
| ISO/IEC 27000 | Overview and vocabulary for the whole family | No |
| ISO/IEC 27001 | Requirements for the ISMS. The certification standard | Yes |
| ISO/IEC 27002 | Implementation guidance for the Annex A controls | No |
| ISO/IEC 27005 | Guidance on information security risk management | No |
| ISO/IEC 27017 | Controls for cloud services | No |
| ISO/IEC 27018 | Protection of personally identifiable information in the cloud | No |
| ISO/IEC 27701 | Privacy information management, an extension to 27001 | Yes (extension) |
The pairing to understand is 27001 and 27002. ISO/IEC 27001 lists the controls in its Annex A as a catalogue of options. ISO/IEC 27002 is the companion guidance that explains how to implement each one. You certify against 27001; you read 27002 to do the work. The 2022 revision of both was a coordinated update, which is why the Annex A controls in 27001:2022 line up with the structure of 27002:2022.
Inside ISO/IEC 27001:2022
The standard has two parts that do different jobs. The main clauses (4 through 10) are the mandatory ISMS requirements. Annex A is the reference set of controls.
Clauses 4 through 10 are where conformance is actually decided. They require the organization to understand its context and interested parties (Clause 4), secure leadership commitment and an information security policy (Clause 5), plan by assessing and treating risk (Clause 6), provide resources and competence (Clause 7), operate the controls (Clause 8), evaluate performance through monitoring, internal audit, and management review (Clause 9), and drive continual improvement including corrective action on nonconformities (Clause 10). These clauses are non-negotiable. An organization cannot pick and choose among them the way it can among the Annex A controls.
Annex A of the 2022 edition contains 93 controls, organized into four themes:
- Organizational (37 controls): policies, roles, supplier relationships, threat intelligence, and the governance controls that frame the program.
- People (8 controls): screening, terms of employment, awareness training, and disciplinary process.
- Physical (14 controls): secure areas, equipment protection, clear desk and screen, and the handling of physical media.
- Technological (34 controls): access control, cryptography, secure development, logging and monitoring, and the controls closest to a SOC's daily work.
The 2022 edition was a significant restructuring of the 2013 version, which had 114 controls across 14 domains. The 2022 update consolidated overlapping controls, reorganized them into the four themes, and added 11 new controls reflecting current practice, including threat intelligence, information security for cloud services, data leakage prevention, and secure coding. In 2024, ISO published Amendment 1 to 27001:2022, adding climate-change considerations to the context clauses. Organizations certified against the 2013 edition were required to transition to 2022 by the end of October 2025.
The Statement of Applicability
The document that ties the two parts together is the Statement of Applicability (SoA), and it is the single artifact an auditor will scrutinize hardest. The SoA lists every Annex A control, states whether it applies to the organization, and gives the justification. A control can be excluded, but the exclusion has to be reasoned and defensible, not a blank.
This is where ISO compliance rewards honesty over coverage. An organization that runs no software development can legitimately exclude the secure-development controls, as long as the SoA says so and the scope supports it. What an auditor will not accept is a control marked applicable and implemented with no evidence behind it. The SoA is the map between the risk assessment, the controls chosen to treat those risks, and the proof that they operate. Get the SoA right and most of the audit follows from it.
Why ISO compliance matters
The honest benefit is not the certificate on the wall. It is the discipline the standard forces and the trust the certificate signals to people who cannot inspect your environment themselves.
It replaces ad hoc security with a managed system. The biggest practical gain is structural. Instead of a collection of controls bought reactively, the organization runs a documented system that assesses risk, treats it deliberately, and reviews itself on a cycle. That is the difference between security that degrades the moment its champion leaves and security that survives staff turnover because it is written down and owned.
It is a recognized trust signal. ISO/IEC 27001 is recognized internationally, so a single certification answers the security questionnaire for customers and partners across many jurisdictions at once. In vendor due diligence, "we are ISO 27001 certified" short-circuits weeks of back-and-forth, because an accredited body has already done the examination.
It maps to other obligations. A mature ISMS produces much of the evidence that other regimes demand. The risk assessments, access control records, and incident procedures built for 27001 feed directly into data protection and broader data compliance work, reducing duplicated effort across overlapping frameworks.
It improves incident response. The standard requires defined procedures for managing information security incidents, including detection, reporting, assessment, and learning from events. Building those procedures to pass an audit produces a response capability that holds up during a real one.
How an organization achieves and keeps certification
Certification is not a one-time test. It is a three-year cycle with ongoing oversight, and the work to get there follows a predictable arc.
- Define scope and context. Decide what the ISMS covers: which systems, sites, services, and data. Identify the interested parties and their requirements. The scope shapes everything downstream, including which Annex A controls can be excluded.
- Assess and treat risk. Run an information security risk assessment to identify what could go wrong, then choose how to treat each risk: accept it, avoid it, transfer it, or reduce it with controls. ISO/IEC 27005 guides this step.
- Select controls and write the SoA. Map the chosen treatments to Annex A controls, document each decision in the Statement of Applicability, and justify any exclusions.
- Implement and operate. Deploy the controls, write the required policies and procedures, train people, and run the system long enough to generate evidence. Auditors want to see the ISMS operating, not just designed.
- Internal audit and management review. Audit the ISMS against the standard internally, surface nonconformities, and hold a documented management review. Clause 9 requires both before certification.
- Stage 1 and Stage 2 certification audit. An accredited certification body reviews the documentation (Stage 1), then audits the operating ISMS for conformance and evidence (Stage 2). Pass both and the certificate is issued.
- Surveillance and recertification. The certificate runs three years. Surveillance audits, typically annual, confirm the ISMS still operates, and a full recertification audit happens before the cycle ends.
The step most organizations underestimate is the evidence window in the implement-and-operate step (the fourth above). A control that was switched on the week before the audit has no operating history. Auditors look for records that the system has been running, reviewed, and improved over time, which is why a rushed implementation rarely passes cleanly.
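The Statement of Applicability section above sets out what an auditor checks in the SoA (every Annex A control listed, no blank exclusions, no applicable control without evidence), and this step adds the operating-history requirement. The following script is an added example, not part of the original article, that runs those checks over an SoA held as structured data. It assumes the 2022 edition's control numbering (5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14, 8.1 to 8.34, matching the four theme counts in the article), a row format of its own design, and a 90-day minimum operating window, which is an organisational policy choice rather than a figure from the standard; the sample SoA, its risk references and its evidence records are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Annex A (2022) themes and control counts as given in the article; the
# "theme.number" identifier scheme is assumed from the 2022 edition's numbering.
THEME_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}
MIN_OPERATING_DAYS = 90   # assumed evidence window; a policy choice, not from the standard


def control_key(control):
    """Sort key so that '5.10' sorts after '5.9'."""
    return tuple(int(part) for part in control.split("."))


def annex_a_controls():
    """All 93 Annex A control identifiers, '5.1' through '8.34'."""
    return [f"{theme}.{n}" for theme, count in THEME_COUNTS.items()
            for n in range(1, count + 1)]


@dataclass
class SoARow:
    control: str
    applicable: bool
    justification: str = ""
    # (record description, date the record was produced); constructed row format
    evidence: list = field(default_factory=list)


def check_soa(rows, audit_date, min_operating_days=MIN_OPERATING_DAYS):
    """Return (control, finding_code) pairs for every inconsistency in the SoA."""
    findings = []
    expected = set(annex_a_controls())
    listed = {r.control for r in rows}
    for c in sorted(expected - listed, key=control_key):
        findings.append((c, "MISSING"))            # every Annex A control must be addressed
    seen = set()
    for r in rows:
        if r.control not in expected:
            findings.append((r.control, "UNKNOWN_ID"))
            continue
        if r.control in seen:
            findings.append((r.control, "DUPLICATE"))
            continue
        seen.add(r.control)
        if not r.justification.strip():
            findings.append((r.control, "NO_JUSTIFICATION"))   # a blank exclusion is not defensible
        if r.applicable:
            if not r.evidence:
                findings.append((r.control, "NO_EVIDENCE"))    # applicable with nothing behind it
            else:
                earliest = min(d for _, d in r.evidence)
                if (audit_date - earliest).days < min_operating_days:
                    findings.append((r.control, "SHORT_HISTORY"))  # switched on just before the audit
        elif r.evidence:
            findings.append((r.control, "EXCLUDED_WITH_EVIDENCE"))  # applicability decision may be stale
    return findings


AUDIT_DATE = date(2025, 6, 30)   # constructed audit date


def sample_soa(audit_date=AUDIT_DATE):
    """Constructed SoA: sound for most controls, with four deliberate defects."""
    mature = [("quarterly access review", audit_date - timedelta(days=200)),
              ("monthly log export", audit_date - timedelta(days=30))]
    rows = []
    for c in annex_a_controls():
        if c == "7.14":
            continue                                    # defect: control left out of the SoA
        if c == "8.28":
            rows.append(SoARow(c, False))               # defect: excluded with a blank justification
        elif c == "8.12":
            rows.append(SoARow(c, True, "treats risk R-12 (constructed)"))   # defect: no evidence
        elif c == "5.7":
            rows.append(SoARow(c, True, "treats risk R-07 (constructed)",
                               [("feed subscription set up", audit_date - timedelta(days=10))]))  # defect: too new
        elif c == "7.10":
            rows.append(SoARow(c, False, "out of scope: no physical media handled (constructed)"))  # valid exclusion
        else:
            rows.append(SoARow(c, True, f"treats risks in register section {c} (constructed)", list(mature)))
    return rows


if __name__ == "__main__":
    for control, code in check_soa(sample_soa(), AUDIT_DATE):
        print(f"{control:6} {code}")
```

Run against the constructed SoA, the checker reports exactly the four defects planted in it: 7.14 missing, 8.28 excluded without a justification, 8.12 applicable with no evidence, and 5.7 with only ten days of operating history. The finding codes are deliberately coarse; the point is that each one maps to a question an auditor will ask, so the report can be worked through before the Stage 1 review rather than during it.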
ISO 27001 versus SOC 2 and other frameworks
Teams often have to choose between ISO/IEC 27001 and SOC 2, or run both. They solve overlapping problems differently.
| Dimension | ISO/IEC 27001 | SOC 2 |
|---|---|---|
| Type | International standard, certifiable | Attestation report (AICPA) |
| Output | Certificate from an accredited body | Auditor's report on controls |
| Geographic reach | Global recognition | Primarily North America |
| Basis | Risk-based ISMS against fixed requirements | Trust Services Criteria, controls you define |
| Cycle | 3-year cycle, annual surveillance | Type I point-in-time; Type II over a period |
Neither is strictly better. ISO/IEC 27001 produces an internationally recognized certificate and forces a full management system, which is why global and regulated organizations favor it. SOC 2 produces a detailed report that a North American customer's security team can read in depth, which is why many SaaS vendors start there. The two share enough underlying controls that an organization with a mature ISMS can pursue a SOC 2 report with far less incremental work, and vice versa. The choice usually follows where the customers and regulators are, not which standard is technically superior.
Frequently Asked Questions
What is ISO compliance?
ISO compliance is adherence to the standards published by the International Organization for Standardization. In security it refers to the ISO/IEC 27000 family, and in practice almost always to ISO/IEC 27001, the international standard that specifies the requirements for an information security management system. Compliance means building and operating that system, then having an accredited body verify it.
What is the difference between ISO 27001 and ISO 27002?
ISO/IEC 27001 is the certifiable standard: it defines the ISMS requirements and lists the controls in Annex A. ISO/IEC 27002 is the companion guidance that explains how to implement each of those controls. You certify against 27001 and use 27002 as the implementation manual. You do not get certified against 27002.
How many controls are in ISO 27001:2022?
Annex A of ISO/IEC 27001:2022 contains 93 controls, grouped into four themes: Organizational (37), People (8), Physical (14), and Technological (34). This replaced the 2013 edition's 114 controls across 14 domains. An organization documents which of these controls apply, and why, in its Statement of Applicability.
Is ISO 27001 mandatory?
No. ISO/IEC 27001 certification is voluntary. It becomes effectively required when customers, partners, or regulators demand it in contracts, procurement, or due diligence, which is common in regulated industries and enterprise SaaS. Some sector regulations reference it, but the standard itself is not law.
How long does ISO 27001 certification last?
An ISO/IEC 27001 certificate is valid for three years. During that period the certification body conducts surveillance audits, typically annually, to confirm the ISMS still operates as intended. Before the three years end, a full recertification audit is required to renew the certificate for another cycle.
What is a Statement of Applicability?
The Statement of Applicability (SoA) is the document that lists every Annex A control, records whether it applies to the organization, and justifies each decision. It links the risk assessment to the controls chosen to treat those risks and to the evidence that they operate. It is the central artifact an auditor reviews during a certification audit.
The bottom line
ISO compliance, in practice, means conforming to ISO/IEC 27001, the international standard for an information security management system, currently the 2022 edition. The standard certifies a system, not a toolset: the mandatory clauses (4 through 10) require you to scope, assess risk, treat it, operate controls, measure them, and improve, while Annex A supplies 93 controls across four themes to draw from. The Statement of Applicability ties risk, control selection, and evidence together and is the artifact that decides most of the audit.
The reason to pursue it is partly the certificate, which is recognized internationally and short-circuits vendor due diligence, but mostly the discipline. A real ISMS produces the evidence other frameworks demand, survives staff turnover, and turns a reactive pile of controls into a managed program. Certification is a three-year cycle with annual surveillance, so the organizations that pass cleanly are the ones running the system continuously, not the ones standing it up the month before the audit.