Skip to Content
Governance and Compliance

What Is ISO 27001?

ISO/IEC 27001 is the international standard that sets the requirements for building, running and improving an Information Security Management System (ISMS): the framework of policies, controls and processes a company uses to protect the confidentiality, integrity and availability of information. The current version is ISO/IEC 27001:2022, and a company can pursue certification to prove to a customer or partner that the system is in place and working.

Zamak TechnologiesUpdated on July 10, 2026

How an ISMS works under ISO 27001

The standard does not hand over a fixed shopping list of tools; it requires a management system: identify risk, apply controls, measure and improve, on a continuous cycle.

1

Map the risk to information

The company identifies its information assets (data, systems, processes) and the risks that threaten their confidentiality, integrity or availability.

2

Apply the Annex A controls

Choose, among the 93 Annex A controls, grouped into four themes (organizational, people, physical and technological), the ones that address each mapped risk.

3

Document and run the system

Policies, roles, training and evidence that the controls actually work day to day, not just on paper.

4

Audit and certify

An independent certification body assesses the system. Passing earns the company a certificate valid for three years, with surveillance audits within that period.

Source: ISO/IEC 27001:2022 (International Organization for Standardization).

What ISO 27001 controls cover

  • Organizational controls Security policy, roles and responsibilities, supplier management, incident response: the governance backbone of the system.
  • People controls Screening, security awareness training, confidentiality agreements, what changes when someone joins or leaves the company.
  • Physical controls Facility access, equipment protection, secure media disposal: the security that is not digital.
  • Technological controls Access control, encryption, backup, monitoring, malware protection: the technical layer Zamak delivers day to day.

Why certification became a buying criterion

96,709
valid ISO 27001 certificates worldwide in 2024, per the ISO Survey 2024
+98%
growth in the number of certificates between 2023 (48,671) and 2024 (96,709)
93
Annex A controls, grouped into 4 themes, in the 2022 version of the standard

ISO 27001 stopped being a nice-to-have and became a prerequisite in procurement: enterprise customers, cyber insurers and data partners increasingly ask for the certificate before signing. The growth proves the pressure: the number of valid certificates worldwide nearly doubled in a year, from 48,671 in 2023 to 96,709 in 2024. The certificate is valid for three years, but requires surveillance audits within that window, so it is not a badge you earn and forget; it is a system that has to keep working or the certification can be suspended.

How a company prepares for ISO 27001

The path to certification follows predictable steps:

  1. Run a gap analysisCompare what the company already has against the Annex A controls to see the real distance to certification.
  2. Prioritize by risk, not the full checklistNot every control applies to every company. The standard asks you to justify excluding a control, not to blindly implement all of them.
  3. Build the evidence, not just the policyAn auditor does not certify a nice-looking policy on paper; it certifies a control proven to be operating, with records.
  4. Pick the certification body and schedule the auditCertification is carried out by an accredited, independent body, in two stages: documentation review and on-site audit.

In practice

The question that separates a security policy from a real ISMS: if an auditor asked today for evidence that a specific control worked last month, would the company have the record ready?

How Zamak supports the journey to ISO 27001

Zamak Technologies delivers the technical slice ISO 27001 requires (access control, backup, monitoring, incident response) and supports control mapping and evidence management on a compliance platform, within Governance and Compliance in the Zamak Method. The Compliance Audit Express shows, in minutes, the current distance to certification.

Frequently asked questions about ISO 27001

Is ISO 27001 a law or a voluntary standard?
It is a voluntary standard, not a law. A company pursues certification because a customer, a contract or a market requires it, or because it wants to formalize its own security management, not out of legal obligation.
What is the difference between ISO 27001 and SOC 2?
ISO 27001 certifies the information security management system as a whole, with a certificate issued by an accredited body. SOC 2 is an audit report on specific controls, issued by an independent accountant. Companies selling into the US tend to hear more about SOC 2; those selling into Europe or Asia, more about ISO 27001.
Do I have to implement all 93 Annex A controls?
No. The standard asks you to assess each control against mapped risk and formally justify excluding the ones that do not apply, in a document called the Statement of Applicability.
How long does the certificate last?
Three years, but with surveillance audits within that window. It is not a permanent badge.
Can a small company get certified?
Yes. The standard is generic and applies to organizations of any size or sector; the effort scales with the size and complexity of the system, it is not fixed.
Is ISO 27001 certification for the company or a product?
For the company's management system (or a defined scope of it), not for a single product. That is why the scope stated on the certificate matters as much as the badge itself.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake