Shieldra
ISO/IEC 27001 Framework Guide
ISO/IEC 27001 is the international standard for an information security management system (ISMS). The current edition, ISO/IEC 27001:2022, was published on October 25, 2022, and the deadline to transition off the 2013 edition was October 31, 2025. Certification is granted by an accredited third-party body; it is not self-attested.
The two parts of ISO 27001
- ISMS clauses 4-10: the mandatory management requirements — context, leadership, planning (with the new 2022 clause 6.3), support, operation, performance evaluation, and improvement.
- Annex A controls: a reference set of 93 controls, from which the applicable controls are selected by risk and documented in a Statement of Applicability.
Annex A: 93 controls in four themes
- Organizational (A.5): 37 controls — policies, supplier and cloud security, threat intelligence, incident management.
- People (A.6): 8 controls — screening, terms of employment, awareness training, disciplinary process.
- Physical (A.7): 14 controls — secure areas, equipment, physical security monitoring.
- Technological (A.8): 34 controls — access control, cryptography, logging, secure coding, data leakage prevention.
- Total: 93 controls, down from 114 in 2013; 11 new 2022 controls include cloud security, threat intelligence, and configuration management.
Certification process
- Stage 1 audit: documentation and readiness review of your ISMS.
- Stage 2 audit: assessment of implementation and operating effectiveness of controls.
- Certificate: issued by an accredited certification body; valid for 3 years with annual surveillance audits and a recertification audit before expiry.
How ISO 27001 relates to SOC 2 and HIPAA
- ISO 27001 is a certification; SOC 2 is a CPA attestation report. The two share heavy control overlap, so evidence can be mapped once and reused.
- HIPAA Security Rule safeguards map closely to ISO 27001 access control, encryption, logging, and risk analysis, giving healthcare teams a head start.
- Usual healthcare path: HIPAA first (legal baseline), then SOC 2 for US buyers, then ISO 27001 when international customers require it.
Frequently asked questions
What is ISO 27001 in simple terms?
ISO/IEC 27001 is the international standard for an information security management system (ISMS) — a documented, risk-based system of policies, processes, and controls for protecting information. An organization can be independently certified against it by an accredited body.
How many controls does ISO 27001:2022 have?
ISO 27001:2022 Annex A has 93 controls, down from 114 in the 2013 edition, grouped into four themes: Organizational (37), People (8), Physical (14), and Technological (34). The 2022 revision added 11 new controls covering areas like cloud security and threat intelligence.
What is the current version of ISO 27001?
The current version is ISO/IEC 27001:2022, published on October 25, 2022. Organizations certified to the older 2013 edition had until October 31, 2025 to transition; 2013 certificates are no longer valid after that date.
Is ISO 27001 required for healthcare?
No. US healthcare organizations are legally bound by HIPAA, not ISO 27001. Many health-tech vendors still pursue ISO 27001 voluntarily because international and large-enterprise customers expect it, and HIPAA, SOC 2, and ISO 27001 share many controls.