A black and white drawing of a rock formation.

ISO 27001 is a globally recognized security framework created by the International Organization for Standardization that assesses how an organization protects its customer’s data. It looks at how your information security management system (ISMS) is designed and maintained to prevent unauthorized access or damage to your data and your customer’s data. To get an ISO 27001 certification, you’ll need to undergo an audit that confirms you’ve met the compliance requirements.

In this article, we’ll cover what ISO 27001 is, what it means to be ISO 27001 certified, and the audit process for certification. 

What is ISO 27001 certification?

What does ISO stand for?

ISO refers to the International Organization of Standardization — though it is not a direct acronym for that name. Because ISO is an international organization based in Switzerland that operates in multiple languages, the organization created its own abbreviation to avoid prioritizing one language over another.

In some cases, you may see ISO 27001 also called ISO/IEC 27001:2022. This standard was a joint effort between the International Organization of Standardization and the International Electrotechnical Commission, which is what ISO/IEC stands for. The current version of the standard was released in 2022.

‍What is ISO 27001 and why is it important?

ISO 27001 is an international standard for securing your data and documenting your information security management system (ISMS).

It includes an extensive list of controls and standards to ensure that your ISMS is protected against potential threats. Following a successful audit, you’ll receive an ISO 27001 certification which verifies your compliance with the standard.  

A completed certificate can demonstrate to prospects, customers, partners, and other stakeholders that your organization has a strong information security posture. 

While an ISO 27001 certification isn’t legally required, many large organizations require their vendors to be certified. This is so they can ensure that their data will be well protected by the vendors they do business with.  

What’s included in the ISO 27001 certification process?

The ISO 27001 certification process has several steps and stages. It can take several weeks to several months to complete your certification depending on how large your organization is, how complex your ISMS is, and how many controls you need to implement. 

Before you can begin the certification process, you’ll need to scope your ISMS and implement the controls needed to meet the ISO 27001 requirements. The standard is made up of 10 clauses, and 114 controls listed in Annex A of the standard. The 114 Annex A controls are divided into 14 categories that represent possible security measures an organization can consider based on its needs and risks. While you are required to comply with all 10 clauses, you do not need to implement the full list of the 114 controls to get certified. A key document in scoping the 114 controls to your organization is called the “Statement of Applicability,” which you will need to create during this process. 

Depending on how many of the controls you already have in place and how many you decide to add, implementing your controls will likely be the most labor- and time-intensive part of the process.

Once your controls are in place, it’s time to hire an auditor to investigate your ISMS. Your ISO 27001 audit will take place in three stages:

Readiness assessment

A readiness assessment is a preliminary screening your auditor will do to see if you’ve met the ISO 27001 requirements and are ready for your full audit. This step is meant to streamline the audit process and make it so you are more likely to pass your audit.

Stage 1 or documentation audit

In the first stage of your audit, your auditor will review the documentation you’ve provided that maps out your ISMS and details the security controls you have in place. At this stage, the auditor will provide you with corrective actions to take or will move into the next stage of the audit.

Stage 2 or compliance audit

The second stage of the audit is when the auditor will thoroughly investigate your ISMS to verify you’re following each of the ISO 27001 requirements. If you pass this stage, you will officially receive your ISO 27001 certification.

While your auditor will lead the auditing process, you will still need to be involved to answer questions about your ISMS, provide additional documentation, and respond to any other requests they might have.

Maintaining your ISO 27001 certification

Your ISO 27001 certification is valid for three years. However, in that three-year timeframe, you’ll need to undergo additional audits to maintain your ISO 27001 certification.

Every year after your initial audit, your auditor will perform a surveillance audit. This is a brief, surface-level audit that selects and evaluates a few of the key ISO 27001 requirements to ensure you’re still in compliance. If you pass your surveillance audit you’ll maintain your certification, but if you don’t you must complete another full audit.

Once your certification expires three years after your initial audit, you’ll need to complete another full audit to receive a new ISO 27001 certification. This typically excludes the Readiness and Stage 1 assessments as you have an operating ISMS in-place that your auditor is familiar with. If you switch auditors, however, you may need to undergo the Readiness and Stage 1 assessments for the new auditor. 

What does ISO 27001 include?

‍ISO 27001 includes 10 clauses and a list of security controls (Annex A) that your auditor will use to assess your security system. The clauses are divided into 10 categories:


  • Scope
  • Normative references
  • Terms and definitions
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement


The 114 security controls are divided into 14 categories:


  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition and maintenance
  • Supplier relations
  • Security incident management
  • Business continuity management
  • Compliance

‍How to get started with ISO 27001 certification

With Vanta’s trust management platform, you can streamline your ISO 27001 certification process. Here’s what an automated ISO 27001 can look like: 

  • Connect your infrastructure to the Vanta platform with our 300+ built-in integrations.
  • Assess your risk holistically from one unified view.
  • Identify areas of non-compliance with in-platform notifications.
  • Get a checklist of actions to help you make the needed changes. 
  • Automate evidence collection and centralize all your documents in one place.
  • Find a Vanta-vetted auditor within the platform. 
  • Complete your ISO 27001 certification in half the time. 

By using Vanta, you can save your business valuable time and money during your ISO 27001 audit process. Learn how you can get your ISO 27001 certification faster by requesting a demo.

Introduction to ISO 27001

What is ISO 27001 certification?

A black and white drawing of a rock formation.

ISO 27001 is a globally recognized security framework created by the International Organization for Standardization that assesses how an organization protects its customer’s data. It looks at how your information security management system (ISMS) is designed and maintained to prevent unauthorized access or damage to your data and your customer’s data. To get an ISO 27001 certification, you’ll need to undergo an audit that confirms you’ve met the compliance requirements.

In this article, we’ll cover what ISO 27001 is, what it means to be ISO 27001 certified, and the audit process for certification. 

What is ISO 27001 certification?

What does ISO stand for?

ISO refers to the International Organization of Standardization — though it is not a direct acronym for that name. Because ISO is an international organization based in Switzerland that operates in multiple languages, the organization created its own abbreviation to avoid prioritizing one language over another.

In some cases, you may see ISO 27001 also called ISO/IEC 27001:2022. This standard was a joint effort between the International Organization of Standardization and the International Electrotechnical Commission, which is what ISO/IEC stands for. The current version of the standard was released in 2022.

‍What is ISO 27001 and why is it important?

ISO 27001 is an international standard for securing your data and documenting your information security management system (ISMS).

It includes an extensive list of controls and standards to ensure that your ISMS is protected against potential threats. Following a successful audit, you’ll receive an ISO 27001 certification which verifies your compliance with the standard.  

A completed certificate can demonstrate to prospects, customers, partners, and other stakeholders that your organization has a strong information security posture. 

While an ISO 27001 certification isn’t legally required, many large organizations require their vendors to be certified. This is so they can ensure that their data will be well protected by the vendors they do business with.  

What’s included in the ISO 27001 certification process?

The ISO 27001 certification process has several steps and stages. It can take several weeks to several months to complete your certification depending on how large your organization is, how complex your ISMS is, and how many controls you need to implement. 

Before you can begin the certification process, you’ll need to scope your ISMS and implement the controls needed to meet the ISO 27001 requirements. The standard is made up of 10 clauses, and 114 controls listed in Annex A of the standard. The 114 Annex A controls are divided into 14 categories that represent possible security measures an organization can consider based on its needs and risks. While you are required to comply with all 10 clauses, you do not need to implement the full list of the 114 controls to get certified. A key document in scoping the 114 controls to your organization is called the “Statement of Applicability,” which you will need to create during this process. 

Depending on how many of the controls you already have in place and how many you decide to add, implementing your controls will likely be the most labor- and time-intensive part of the process.

Once your controls are in place, it’s time to hire an auditor to investigate your ISMS. Your ISO 27001 audit will take place in three stages:

Readiness assessment

A readiness assessment is a preliminary screening your auditor will do to see if you’ve met the ISO 27001 requirements and are ready for your full audit. This step is meant to streamline the audit process and make it so you are more likely to pass your audit.

Stage 1 or documentation audit

In the first stage of your audit, your auditor will review the documentation you’ve provided that maps out your ISMS and details the security controls you have in place. At this stage, the auditor will provide you with corrective actions to take or will move into the next stage of the audit.

Stage 2 or compliance audit

The second stage of the audit is when the auditor will thoroughly investigate your ISMS to verify you’re following each of the ISO 27001 requirements. If you pass this stage, you will officially receive your ISO 27001 certification.

While your auditor will lead the auditing process, you will still need to be involved to answer questions about your ISMS, provide additional documentation, and respond to any other requests they might have.

Maintaining your ISO 27001 certification

Your ISO 27001 certification is valid for three years. However, in that three-year timeframe, you’ll need to undergo additional audits to maintain your ISO 27001 certification.

Every year after your initial audit, your auditor will perform a surveillance audit. This is a brief, surface-level audit that selects and evaluates a few of the key ISO 27001 requirements to ensure you’re still in compliance. If you pass your surveillance audit you’ll maintain your certification, but if you don’t you must complete another full audit.

Once your certification expires three years after your initial audit, you’ll need to complete another full audit to receive a new ISO 27001 certification. This typically excludes the Readiness and Stage 1 assessments as you have an operating ISMS in-place that your auditor is familiar with. If you switch auditors, however, you may need to undergo the Readiness and Stage 1 assessments for the new auditor. 

What does ISO 27001 include?

‍ISO 27001 includes 10 clauses and a list of security controls (Annex A) that your auditor will use to assess your security system. The clauses are divided into 10 categories:


  • Scope
  • Normative references
  • Terms and definitions
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement


The 114 security controls are divided into 14 categories:


  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition and maintenance
  • Supplier relations
  • Security incident management
  • Business continuity management
  • Compliance

‍How to get started with ISO 27001 certification

With Vanta’s trust management platform, you can streamline your ISO 27001 certification process. Here’s what an automated ISO 27001 can look like: 

  • Connect your infrastructure to the Vanta platform with our 300+ built-in integrations.
  • Assess your risk holistically from one unified view.
  • Identify areas of non-compliance with in-platform notifications.
  • Get a checklist of actions to help you make the needed changes. 
  • Automate evidence collection and centralize all your documents in one place.
  • Find a Vanta-vetted auditor within the platform. 
  • Complete your ISO 27001 certification in half the time. 

By using Vanta, you can save your business valuable time and money during your ISO 27001 audit process. Learn how you can get your ISO 27001 certification faster by requesting a demo.

Get started with ISO 27001

Start your ISO 27001 journey with these related resources.

ISO 27001

The ISO 27001 Compliance Checklist

ISO 27001 is the global gold standard for ensuring the security of information and its supporting assets. Obtaining ISO 27001 certification can help an organization prove its security practices to potential customers anywhere in the world.

The ISO 27001 Compliance Checklist
The ISO 27001 Compliance Checklist
ISO 27001

ISO 27001 Compliance for SaaS

On 10 October at 2 PM BST, join the Ask Me (Almost) Anything with Herman Errico and Kim Elias, compliance experts at Vanta. They’ll answer (almost) all your questions about ISO 27001 compliance.

ISO 27001 Compliance for SaaS
ISO 27001 Compliance for SaaS
ISO 27001

ISO 27001 vs. SOC 2: Which standard is right for my business?

Complying with security standards such as ISO 27001 or SOC 2 can help boost your business, but for technology startups, security compliance is often lower on the list of company priorities.

ISO 27001 vs. SOC 2: Which standard is right for my business?
ISO 27001 vs. SOC 2: Which standard is right for my business?

Get compliant and
build trust, fast.

Two wind turbines on a white background.