
ISO/IEC 27001

Also known as: ISO 27001 · ISO 27001:2022

International standard for an Information Security Management System (ISMS); the 2022 edition carries 93 reference controls in Annex A.

ISO/IEC 27001:2022 is the international standard for establishing, operating, and continually improving an Information Security Management System (ISMS). Clauses 4–10 state the mandatory management-system requirements (context, leadership, planning, support, operation, performance evaluation, improvement); Annex A lists 93 reference controls across four themes (Organisational, People, Physical, Technological), with implementation guidance in the companion standard ISO/IEC 27002. Controls are selected on the basis of a risk assessment and recorded in the Statement of Applicability, so an organisation is audited against the controls it has declared, not against Annex A wholesale. Certification is issued by an accredited certification body after a Stage 1 (documentation and readiness) and Stage 2 (implementation and effectiveness) audit; the certificate is valid for three years, subject to annual surveillance audits. The 2022 edition replaced the 2013 edition (114 controls in 14 domains), and certificates against the 2013 edition had to transition by 31 October 2025.

Why it matters
ISO 27001 is the global passport for enterprise security, particularly in EMEA and APAC, where SOC 2 carries less weight. Many EU and Japanese RFPs treat a current certificate as a hard pass/fail criterion. When reviewing a supplier's certificate, check its scope statement and the referenced SoA version: a certificate can legitimately cover a single site or service line and say nothing about the rest of the business.

Common questions

Is ISO 27001 the same as SOC 2?
No. SOC 2 is a US attestation under AICPA standards: a CPA firm issues a report (Type 1 at a point in time, Type 2 over a review period) with an opinion on controls the organisation itself defined against the Trust Services Criteria. ISO 27001 is an international certification: an accredited certification body certifies that the management system conforms to the standard's clauses and that the controls declared in the SoA are implemented. The control overlap is commonly put at roughly 70%, so evidence collected for one can be reused for the other, but a SOC 2 report is not a certificate and should be read for its scope, exceptions, and carve-outs rather than treated as an equivalent.

Related terms

SOC 2
AICPA attestation report on a service organisation's controls across five Trust Services Criteria.
ISMS (Information Security Management System)
A documented, risk-based management system for information security — the object of ISO 27001 certification.
ISO 27001 Annex A
The catalogue of 93 reference controls (2022 edition) across Organisational, People, Physical, and Technological themes.
Statement of Applicability (SoA)
ISO 27001 document declaring which Annex A controls apply, why, and how — central artefact for certification.
