
What is ISO 27001?

ISO 27001 is the international standard for building and certifying an Information Security Management System (ISMS). Unlike SOC 2 — a US attestation report — ISO 27001 certification is issued by an accredited registrar after a structured two-stage audit.

The basics

An ISMS, not just a control checklist.

Management system

ISO 27001 requires documented scope, leadership commitment, risk treatment, internal audit, management review, and continual improvement — not only technical controls.

Annex A (93 controls)

ISO 27001:2022 lists 93 controls in Annex A — organized by themes like organizational, people, physical, and technological security.

Statement of applicability

Clause 6.1.3 requires a SoA: every Annex A control marked applicable or excluded, with justification. Auditors treat this as a core certification artifact.

Certification stages

Stage 1 reviews documentation and readiness (scope, policies, risk assessment, SoA). Stage 2 tests that the selected controls are actually implemented and operating as documented, using sampled evidence. Surveillance audits follow annually; recertification takes place every three years.

ISO vs SOC 2

Different buyers, overlapping control work.

US enterprise procurement often asks for SOC 2 Type II. European and global buyers frequently require ISO 27001 certification. Many vendors run both programs on shared controls and evidence.

  • Access control, change management, and vendor risk appear in both frameworks — implement once where mappings align
  • ISO emphasizes ISMS clauses (4–10); SOC 2 emphasizes Trust Services Criteria and points of focus
  • Cross-mapping reduces duplicate policy work and conflicting narratives between audits


Getting started

Typical first steps toward certification.

01

Define scope

Document systems, locations, and teams in scope — auditors will challenge boundaries early.

02

Gap analysis

Compare current controls and policies against Annex A and ISMS clauses; prioritize treatment plans.

03

SoA & risk register

Publish applicability decisions and link risks to controls with owners and evidence.

04

Internal audit

Run an internal audit cycle before Stage 1 — find gaps on your timeline, not the registrar’s.
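The SoA and risk register linkage from step 03 is the kind of thing worth checking mechanically before the internal audit in step 04, since a missing decision, an empty justification, or an "excluded" control that a treatment plan still relies on are exactly what a registrar picks up in Stage 1. The script below is an added example, not code from this page or from Axovern. The control numbering is the real ISO/IEC 27001:2022 Annex A layout (5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14, 8.1 to 8.34, 93 controls); the record shapes, field names, helper names and sample rows are assumptions constructed for the example.

```python
"""Statement of Applicability (SoA) and risk register consistency check.

Added example for this page, not code from the page or from Axovern.
Control numbering is the real ISO/IEC 27001:2022 Annex A layout (5.1-5.37,
6.1-6.8, 7.1-7.14, 8.1-8.34, 93 controls). The record shapes, field names
and the sample rows below are assumptions constructed for the example.
"""

# Annex A themes: 5 organizational, 6 people, 7 physical, 8 technological.
ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}
ANNEX_A_CONTROLS = [
    f"{theme}.{n}"
    for theme, count in ANNEX_A_THEMES.items()
    for n in range(1, count + 1)
]


def check_soa(soa, risks):
    """Return sorted findings; an empty list means the linkage is consistent.

    soa:   {control_id: {"applicable": bool, "justification": str}}
    risks: [{"id": str, "controls": [control_id, ...], "owner": str,
             "evidence": str}]  (assumed shape of the risk register)
    """
    findings = []

    # 1. Every Annex A control needs an explicit decision: an auditor reads a
    #    missing row as an undocumented exclusion, not as "not applicable".
    for cid in ANNEX_A_CONTROLS:
        if cid not in soa:
            findings.append(f"{cid}: no applicability decision")

    # 2. Unknown identifiers are usually leftovers from the 2013 numbering
    #    (e.g. "A.9.2.1") after an incomplete transition to the 2022 edition.
    for cid in soa:
        if cid not in ANNEX_A_CONTROLS:
            findings.append(f"{cid}: not an ISO/IEC 27001:2022 Annex A control")

    # 3. Clause 6.1.3 wants a justification for inclusion *and* exclusion.
    for cid, row in soa.items():
        if not row.get("justification", "").strip():
            findings.append(f"{cid}: missing justification")

    # Index the risk register by control so each linkage lookup is direct.
    linked = {}
    for risk in risks:
        for cid in risk["controls"]:
            linked.setdefault(cid, []).append(risk)

    # 4. Applicable controls must trace to a risk with an owner and evidence;
    #    excluded controls must not be silently relied on by a treatment plan.
    for cid, row in soa.items():
        if cid not in ANNEX_A_CONTROLS:
            continue  # already reported in step 2
        if row.get("applicable"):
            if cid not in linked:
                findings.append(f"{cid}: applicable but not linked to any risk")
            for risk in linked.get(cid, []):
                if not risk.get("owner"):
                    findings.append(f"{cid}: risk {risk['id']} has no owner")
                if not risk.get("evidence"):
                    findings.append(f"{cid}: risk {risk['id']} has no evidence reference")
        else:
            for risk in linked.get(cid, []):
                findings.append(f"{cid}: excluded but risk {risk['id']} treats it")

    return sorted(findings)


def build_sample():
    """Constructed sample SoA and risk register with deliberate defects."""
    soa = {
        cid: {"applicable": True, "justification": "Selected by risk assessment"}
        for cid in ANNEX_A_CONTROLS
    }
    soa["7.1"] = {"applicable": False,
                  "justification": "Fully remote; no offices in scope"}
    soa["8.34"] = {"applicable": True, "justification": ""}   # defect: no reason
    del soa["5.37"]                                             # defect: no decision
    soa["A.9.2.1"] = {"applicable": True,                      # defect: 2013 id
                      "justification": "Stale row from 2013 SoA"}
    risks = [
        {"id": "R-01", "owner": "CISO", "evidence": "policy set v3, IAM exports",
         "controls": [c for c in ANNEX_A_CONTROLS if c not in ("7.1", "7.2", "8.33")]},
        {"id": "R-02", "owner": "Facilities", "evidence": "badge logs",
         "controls": ["7.1"]},                                  # contradicts exclusion
        {"id": "R-03", "owner": "", "evidence": "sign-in sheets",
         "controls": ["7.2"]},                                  # no owner
        # 8.33 is applicable but nothing in the register points at it
    ]
    return soa, risks


def sample_findings():
    """Run the check over the constructed sample; returns six findings."""
    return check_soa(*build_sample())


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run it against an export of your own SoA and register before scheduling the internal audit; an empty findings list does not prove the controls work, only that the paperwork is internally consistent, which is the part Stage 1 reviews.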

FAQ

Common questions

What is ISO 27001?

ISO 27001 is an international standard for building and certifying an Information Security Management System (ISMS). Certification is issued by an accredited registrar after a two-stage audit.

What is Annex A in ISO 27001?

Annex A lists 93 security controls in ISO 27001:2022. Your statement of applicability documents which controls apply, which are excluded, and why — a core artifact auditors review.

Is ISO 27001 the same as SOC 2?

No. ISO 27001 is a certifiable ISMS standard common in Europe and global procurement. SOC 2 is a US attestation report on Trust Services Criteria. Many vendors pursue both; controls and evidence often overlap.
