Question 1

What is ISO 27001?

Accepted Answer

ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive information, ensuring confidentiality, integrity, and availability. The standard specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS.

Question 2

What is the difference between ISO 27001 and ISO 27002?

Accepted Answer

ISO 27001 is the certifiable standard that specifies ISMS requirements. ISO 27002 is a code of practice providing implementation guidance for the controls listed in ISO 27001 Annex A. Organizations certify against ISO 27001, while ISO 27002 is used as supplementary guidance for implementing controls.

Question 3

What are the main clauses of ISO 27001?

Accepted Answer

ISO 27001:2022 has 10 clauses: 1-3 are introductory. Clause 4: Context of the organization. Clause 5: Leadership. Clause 6: Planning. Clause 7: Support. Clause 8: Operation. Clause 9: Performance evaluation. Clause 10: Improvement. Clauses 4-10 contain the mandatory requirements for certification.

Question 4

How many controls are in ISO 27001:2022 Annex A?

Accepted Answer

ISO 27001:2022 Annex A contains 93 controls organized into 4 themes: Organizational controls (37), People controls (8), Physical controls (14), and Technological controls (34). This is a restructure from the 2013 version which had 114 controls in 14 domains.

Question 5

Is ISO 27001 certification mandatory?

Accepted Answer

ISO 27001 certification is voluntary, not legally required. However, it is often a contractual requirement from enterprise customers, particularly in B2B technology and services. Some industries and regulated sectors may require ISO 27001 or recognize it as demonstrating due diligence for information security.

Question 6

How long does ISO 27001 certification take?

Accepted Answer

Implementation typically takes 6-12 months depending on organization size, current security maturity, and resource dedication. The certification audit process itself takes 2-4 weeks including Stage 1 (documentation review) and Stage 2 (implementation audit). Small organizations with existing security practices may achieve certification faster.

Question 7

What is the Statement of Applicability (SoA)?

Accepted Answer

The Statement of Applicability is a mandatory document listing all Annex A controls with justification for inclusion or exclusion, implementation status, and references to implementing documentation. The SoA demonstrates which controls are applicable to your scope and how they are addressed.

Question 8

What is an ISMS scope?

Accepted Answer

The ISMS scope defines the boundaries of your information security management system-what is included and excluded from certification. It should consider: organizational units, locations, assets, technologies, and processes. A well-defined scope is critical as auditors will assess everything within it.

Question 9

What is the risk assessment requirement in ISO 27001?

Accepted Answer

ISO 27001 requires a documented risk assessment methodology and regular risk assessments. You must identify information security risks, analyze and evaluate risks against defined criteria, and select appropriate risk treatment options. Risk assessment results drive control selection from Annex A.

Question 10

What is the difference between Stage 1 and Stage 2 audits?

Accepted Answer

Stage 1 audit: A documentation review to verify your ISMS documentation is complete and you are ready for Stage 2. Stage 2 audit: An on-site (or remote) assessment of ISMS implementation and effectiveness. Both stages must pass for certification. Stage 1 typically identifies gaps to address before Stage 2.

Question 11

How long is ISO 27001 certification valid?

Accepted Answer

ISO 27001 certification is valid for 3 years, subject to annual surveillance audits. Surveillance audits (years 1 and 2) verify continued compliance. A full recertification audit is required at the end of the 3-year cycle to renew certification.

Question 12

What documentation is required for ISO 27001?

Accepted Answer

Required documentation includes: ISMS scope, information security policy, risk assessment methodology, risk assessment report, risk treatment plan, Statement of Applicability, information security objectives, evidence of competence, documented operational procedures, internal audit results, and management review records.

Question 13

What are the new controls in ISO 27001:2022?

Accepted Answer

ISO 27001:2022 introduced 11 new controls: Threat intelligence, Cloud services security, ICT readiness for business continuity, Physical security monitoring, Configuration management, Information deletion, Data masking, Data leakage prevention, Monitoring activities, Web filtering, and Secure coding.

Question 14

Can small companies get ISO 27001 certified?

Accepted Answer

Yes, ISO 27001 is designed to be scalable. Small companies can achieve certification by implementing controls proportionate to their size and risk. The standard allows flexibility in how controls are implemented. Focus on your specific scope and risk profile rather than trying to implement enterprise-level solutions.

Question 15

What is the relationship between ISO 27001 and SOC 2?

Accepted Answer

ISO 27001 and SOC 2 are both information security frameworks but differ in approach. ISO 27001 is a certifiable standard requiring specific ISMS processes. SOC 2 is an attestation based on Trust Service Criteria. Many controls overlap, and organizations often pursue both. ISO 27001 typically provides more comprehensive security coverage.

ISO 27001 Checklist Generator

What is your organization size?

How It Works

Who Should Use the ISO 27001 Checklist?

ISO 27001 Checklist FAQ

More Resources

Policy Templates

Core Security

Access & Identity

Data Protection

Network & Infrastructure

Operations

Incident & Continuity

Development

Governance