ISO 27001

Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.

Last reviewed · By Chad Griffith

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). It specifies requirements for establishing, implementing, maintaining, and continually improving information security management. The 2022 revision (ISO/IEC 27001:2022) restructured Annex A into 93 controls across four themes: Organizational, People, Physical, and Technological. Certification requires a third-party audit by an accredited certification body and is valid for three years with annual surveillance audits. ISO 27001 certification is publicly listed and recognized globally — frequently required for European enterprise customers and increasingly common as a US enterprise vendor requirement.

Frequently Asked Questions

What are the four control themes in ISO 27001:2022?

The 2022 revision organizes 93 controls into: (1) Organizational controls (policies, roles, asset management, supplier management) — 37 controls; (2) People controls (screening, training, disciplinary process, remote work) — 8 controls; (3) Physical controls (entry control, secure areas, equipment protection) — 14 controls; (4) Technological controls (access control, cryptography, secure development, monitoring) — 34 controls.

How does ISO 27001 differ from SOC 2?

ISO 27001 is an international management-system standard; certification is publicly listed and lasts 3 years with surveillance audits. SOC 2 is a US AICPA attestation reporting on specific controls during a period; reports are confidential. ISO 27001 emphasizes the management system structure (Plan-Do-Check-Act); SOC 2 emphasizes detailed control evidence. Many organizations seek both — ISO 27001 for international recognition and SOC 2 for detailed US enterprise reporting.

How long does ISO 27001 certification take?

Typical timelines: 4-6 months for initial implementation in a small organization; 6-12 months for mid-market; 12-18 months for enterprise. The certification process includes Stage 1 audit (documentation review), Stage 2 audit (implementation review), and certificate issuance. The certificate is valid for 3 years with annual surveillance audits and a recertification audit at year 3.

What is the relationship between ISO 27001 and ISO 27002?

ISO 27001 is the certifiable management-system standard with mandatory requirements. ISO 27002 is the supporting code of practice that provides implementation guidance for the controls listed in ISO 27001 Annex A: Annex A lists the controls, and ISO 27002 explains how to implement them. ISO 27002 is not certifiable; only ISO 27001 carries certification.
