What Is ISO 27001?
ISO/IEC 27001 is the international standard that sets the requirements for building, running and improving an Information Security Management System (ISMS): the framework of policies, controls and processes a company uses to protect the confidentiality, integrity and availability of information. The current version is ISO/IEC 27001:2022, and a company can pursue certification to prove to a customer or partner that the system is in place and working.
How an ISMS works under ISO 27001
The standard does not hand over a fixed shopping list of tools; it requires a management system: identify risk, apply controls, measure and improve, on a continuous cycle.
Map the risk to information
The company identifies its information assets (data, systems, processes) and the risks that threaten their confidentiality, integrity or availability.
Apply the Annex A controls
Choose, among the 93 Annex A controls, grouped into four themes (organizational, people, physical and technological), the ones that address each mapped risk.
Document and run the system
Policies, roles, training and evidence that the controls actually work day to day, not just on paper.
Audit and certify
An independent certification body assesses the system. Passing earns the company a certificate valid for three years, with surveillance audits within that period.
Source: ISO/IEC 27001:2022 (International Organization for Standardization).
What ISO 27001 controls cover
- Organizational controls Security policy, roles and responsibilities, supplier management, incident response: the governance backbone of the system.
- People controls Screening, security awareness training, confidentiality agreements, what changes when someone joins or leaves the company.
- Physical controls Facility access, equipment protection, secure media disposal: the security that is not digital.
- Technological controls Access control, encryption, backup, monitoring, malware protection: the technical layer Zamak delivers day to day.
Why certification became a buying criterion
ISO 27001 stopped being a nice-to-have and became a prerequisite in procurement: enterprise customers, cyber insurers and data partners increasingly ask for the certificate before signing. The growth proves the pressure: the number of valid certificates worldwide nearly doubled in a year, from 48,671 in 2023 to 96,709 in 2024. The certificate is valid for three years, but requires surveillance audits within that window, so it is not a badge you earn and forget; it is a system that has to keep working or the certification can be suspended.
How a company prepares for ISO 27001
The path to certification follows predictable steps:
- Run a gap analysisCompare what the company already has against the Annex A controls to see the real distance to certification.
- Prioritize by risk, not the full checklistNot every control applies to every company. The standard asks you to justify excluding a control, not to blindly implement all of them.
- Build the evidence, not just the policyAn auditor does not certify a nice-looking policy on paper; it certifies a control proven to be operating, with records.
- Pick the certification body and schedule the auditCertification is carried out by an accredited, independent body, in two stages: documentation review and on-site audit.
In practice
The question that separates a security policy from a real ISMS: if an auditor asked today for evidence that a specific control worked last month, would the company have the record ready?
How Zamak supports the journey to ISO 27001
Zamak Technologies delivers the technical slice ISO 27001 requires (access control, backup, monitoring, incident response) and supports control mapping and evidence management on a compliance platform, within Governance and Compliance in the Zamak Method. The Compliance Audit Express shows, in minutes, the current distance to certification.