ISO 27001 is the international standard for Information Security Management Systems. It defines the requirements for establishing, implementing, maintaining, and continually improving an ISMS — giving organisations a structured, auditable approach to managing information security risk. The 2022 revision (ISO/IEC 27001:2022) replaced the 2013 version and introduced significant changes to Annex A that directly affect how cloud-first organisations implement and maintain controls.
This guide covers everything you need to know: what ISO 27001 actually requires, what changed in 2022, how to implement an ISMS in a cloud environment, what the certification timeline looks like, and the most common gaps that derail first-time audits.
What ISO 27001 Requires
ISO 27001 is a management system standard, not a technical checklist. Certification requires demonstrating that your organisation has a functioning ISMS — a set of policies, processes, controls, and evidence that manages information security risk in a structured way. The standard is structured around the Plan-Do-Check-Act (PDCA) cycle.
- Plan: Define the scope, assess risks, select controls from Annex A, produce a Statement of Applicability
- Do: Implement the selected controls, train staff, document policies and procedures
- Check: Monitor control effectiveness, conduct internal audits, management reviews
- Act: Address non-conformities, drive continual improvement, maintain certification through surveillance audits
Certification is awarded by an accredited certification body (CB) after a two-stage audit. Stage 1 reviews your documentation and ISMS design. Stage 2 tests implementation and evidence. After initial certification, annual surveillance audits verify ongoing compliance, and a full re-certification audit occurs every three years.
ISO 27001:2022 vs 2013 — What Changed
The 2022 revision made structural changes to both the main clauses and Annex A. The core management system clauses (4–10) were updated to align with the latest version of the ISO Harmonised Approach (formerly Annex SL), making ISO 27001 easier to integrate with other management system standards like ISO 9001 and ISO 22301. The most visible changes are in Annex A.
| Area | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Annex A controls | 114 controls across 14 domains | 93 controls across 4 themes |
| Control structure | 14 domain categories | 4 attribute themes (Organisational, People, Physical, Technological) |
| New controls | — | 11 net-new controls added |
| Merged controls | — | 57 controls merged/rationalised |
| Renamed controls | — | 58 controls renamed for clarity |
| Control attributes | Not included | 5 attributes per control (#type, #concept, etc.) |
| Threat intelligence | Not addressed | New control 5.7 — Threat intelligence |
| Cloud security | Generic | New control 5.23 — Information security for use of cloud services |
| Business continuity | Covered | Updated and expanded |
| Data masking | Not addressed | New control 8.11 — Data masking |
| Web filtering | Not addressed | New control 8.23 — Web filtering |
| Transition deadline | — | October 2025 (for existing 2013 certifications) |
The 11 New Annex A Controls in 2022
- 5.7 — Threat intelligence: Collecting and analysing threat intelligence to inform risk decisions
- 5.23 — Information security for use of cloud services: Managing security in cloud environments throughout the lifecycle
- 5.30 — ICT readiness for business continuity: Ensuring ICT systems support business continuity objectives
- 7.4 — Physical security monitoring: Monitoring premises for unauthorised physical access
- 8.9 — Configuration management: Managing secure configurations of hardware, software, and services
- 8.10 — Information deletion: Ensuring information is deleted when no longer required
- 8.11 — Data masking: Using masking to protect sensitive data in non-production environments
- 8.12 — Data leakage prevention: Detecting and preventing unauthorised data disclosure
- 8.16 — Monitoring activities: Monitoring networks, systems, and applications for anomalous behaviour
- 8.23 — Web filtering: Controlling access to external websites to reduce exposure to malicious content
- 8.28 — Secure coding: Applying secure coding principles to software development
The 4 Annex A Themes
The 2022 revision reorganised the 93 controls into 4 themes, replacing the 14 domain categories of 2013. This restructuring makes it easier to assign control ownership and to identify which team — people, IT, facilities, or governance — is responsible for each area.
| Theme | Controls | Scope |
|---|---|---|
| Organisational (5.x) | 37 controls | Policies, risk management, supplier relations, incident management, business continuity, compliance |
| People (6.x) | 8 controls | Pre-employment screening, training, disciplinary processes, remote working |
| Physical (7.x) | 14 controls | Physical access, equipment security, clear desk, environmental controls |
| Technological (8.x) | 34 controls | Identity, access, encryption, logging, vulnerability management, software security, cloud, backups |
ISMS Implementation for Cloud-First Organisations
Cloud-native organisations face specific challenges when implementing ISO 27001. The standard was written with physical infrastructure in mind, but the 2022 revision's new cloud control (5.23) and the Technological theme (8.x) make it much more relevant to organisations running workloads on AWS, Azure, or GCP.
Phase 1: Scoping and Context (Weeks 1–3)
- Define the ISMS scope: which systems, services, locations, and teams are in scope
- Identify internal and external issues affecting information security (Clause 4.1)
- Identify interested parties and their requirements (Clause 4.2)
- Document your organisational context in a scope statement that a certifier can review
Phase 2: Risk Assessment (Weeks 3–6)
- Identify information assets and assign owners
- Identify threats and vulnerabilities per asset
- Score risks by likelihood and impact using your organisation's risk criteria
- Select a risk treatment — accept, transfer, avoid, or mitigate
- For risks you mitigate, select the relevant Annex A controls
Phase 3: Control Implementation (Weeks 6–16)
- Implement or verify the Annex A controls you have selected
- Write policies for controls that require documented procedures (access control policy, incident response procedure, etc.)
- Configure cloud-native controls: IAM policies, encryption, logging, network segmentation, backup policies
- Build the Statement of Applicability — listing all 93 controls, whether they are included or excluded, and the justification
Phase 4: Audit Readiness (Weeks 14–18)
- Conduct an internal audit against all applicable clauses and Annex A controls
- Run a management review meeting (Clause 9.3) — minutes must be retained as evidence
- Compile an evidence pack: policy documents, risk register, SoA, internal audit report, management review minutes, training records
- Address any non-conformities before Stage 1 audit
Certification Timeline
| Organisation Type | Typical Timeline |
|---|---|
| Startup (< 20 staff, limited scope) | 3–4 months |
| SME (20–100 staff, cloud workloads) | 4–6 months |
| Mid-market (100–500 staff, multiple systems) | 6–9 months |
| Enterprise (500+ staff, complex scope) | 9–18 months |
| Transition from ISO 27001:2013 | 3–4 months (gap analysis + updated SoA) |
The timeline depends heavily on: how mature your existing security controls are, how quickly your team can produce policy documentation, how fast you can gather evidence, and how responsive your certification body is for scheduling audits. Organisations using AISEC typically reduce the documentation and evidence collection phases by 60–80% by automating policy drafting and integrating directly with cloud environments.
Most Common Gaps at First Audit
- Incomplete Statement of Applicability: Missing justifications for excluded controls, or controls listed as 'applicable' with no evidence of implementation
- Missing management review evidence: Clause 9.3 requires a documented management review — many first-time certifications lack meeting minutes
- Vague risk assessment methodology: Risk scores must be based on a defined, repeatable methodology. 'High/Medium/Low' without criteria fails
- Cloud misconfigurations treated as 'planned improvements': Auditors expect implemented controls, not a roadmap of future fixes
- Insufficient supplier management evidence (Annex A 5.19–5.22): Especially for SaaS-heavy organisations with many third-party data processors
- No documented internal audit programme (Clause 9.2): Conducting the audit is not enough — you must show an audit schedule and programme
- Control 5.23 gaps for cloud services: The new cloud control requires documented cloud security policies, supplier agreements, and exit procedures for each cloud provider
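The risk-treatment steps of Phase 2, the Statement of Applicability built in Phase 3 and the first three gaps above all reduce to one reconciliation an auditor performs across the risk register, the SoA and the evidence index. The script below is an added example, not AISEC's code or anything from this guide: it runs that reconciliation over constructed sample artefacts, using an assumed likelihood x impact scoring on 1–5 scales with explicit bands so that 'High/Medium/Low' is backed by defined criteria.

```python
from collections import Counter

# Annex A 2022 control counts per theme, as given in the guide's theme table.
THEME_COUNTS = {"5": 37, "6": 8, "7": 14, "8": 34}
# Repeatable risk criteria (assumed 1-5 scales): score = likelihood x impact,
# banded by the first floor the score reaches.
RISK_BANDS = [(15, "High"), (8, "Medium"), (0, "Low")]

# Constructed sample artefacts; assets, control choices and file names are made up.
RISK_REGISTER = [
    {"id": "R1", "asset": "Customer DB", "likelihood": 4, "impact": 5, "treatment": "mitigate", "controls": ["8.24", "8.16"]},
    {"id": "R2", "asset": "CI runners", "likelihood": 3, "impact": 3, "treatment": "mitigate", "controls": []},
    {"id": "R3", "asset": "Office Wi-Fi", "likelihood": 2, "impact": 2, "treatment": "accept", "controls": []},
]
SOA = {
    "8.24": {"applicable": True, "justification": "Customer data encrypted at rest"},
    "8.16": {"applicable": True, "justification": "Central log monitoring"},
    "8.9": {"applicable": True, "justification": "IaC baseline"},  # applicable, no evidence below
    "7.4": {"applicable": False, "justification": ""},             # excluded, no justification
}
EVIDENCE = {"8.24": ["kms-key-policy.json"], "8.16": ["siem-alert-export.csv"]}

def risk_band(likelihood, impact):
    """Map likelihood x impact onto the defined bands (repeatable, not ad hoc)."""
    score = likelihood * impact
    return next(band for floor, band in RISK_BANDS if score >= floor)

def audit_findings(register, soa, evidence):
    """Return the gaps an auditor would raise, one string per finding."""
    findings = []
    for risk in register:
        band = risk_band(risk["likelihood"], risk["impact"])
        if risk["treatment"] == "mitigate" and not risk["controls"]:
            findings.append(f"{risk['id']} ({band}): mitigated risk with no Annex A control")
        for cid in risk["controls"]:
            if not soa.get(cid, {}).get("applicable"):
                findings.append(f"{risk['id']}: cites control {cid} not applicable in SoA")
    for cid, row in soa.items():
        if row["applicable"] and cid not in evidence:
            findings.append(f"{cid}: applicable in SoA but no evidence linked")
        if not row["applicable"] and not row["justification"].strip():
            findings.append(f"{cid}: excluded with no justification")
    per_theme = Counter(cid.split(".")[0] for cid in soa)  # SoA must list all 93 controls
    for theme, expected in THEME_COUNTS.items():
        if per_theme[theme] != expected:
            findings.append(f"theme {theme}.x: SoA lists {per_theme[theme]} of {expected} controls")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_findings(RISK_REGISTER, SOA, EVIDENCE)))
```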
Transitioning from ISO 27001:2013
Organisations certified to ISO 27001:2013 were required to transition to the 2022 version by October 2025. If you are still on the 2013 standard, your certification has lapsed and you will need a transition audit.
The transition involves: conducting a gap analysis against the 11 new controls, updating your Statement of Applicability to reflect the 2022 Annex A structure, implementing any new or updated controls, and undergoing a transition audit with your certification body. Organisations with strong existing ISMS maturity typically complete the transition in 3–4 months.
How AISEC Accelerates ISO 27001:2022 Certification
AISEC was built specifically for ISO 27001:2022. The gap analysis maps directly to the 2022 Annex A structure. Policy generation drafts compliant documents against specific clause and control requirements. The risk register follows ISO 27005 methodology. The SoA is generated automatically as you work through controls. Evidence is pulled from AWS, Azure, GCP, and integrated tools continuously.
In practice, teams using AISEC typically complete initial certification in 3–5 months rather than 6–9 months for a comparable scope. The biggest time savings come from eliminating manual policy drafting (typically the most time-consuming phase) and automating evidence collection (typically the most error-prone).
Frequently Asked Questions
Is ISO 27001 mandatory?
ISO 27001 is not legally mandatory in most jurisdictions, but it is frequently required by enterprise customers as a condition of doing business (particularly in the UK, EU, and regulated sectors like financial services and healthcare). It is also increasingly required by procurement frameworks, government contracts, and cyber insurance applications.
How much does ISO 27001 certification cost?
Certification costs have two main components: the cost of preparing (internal time, tooling, and any consultancy support) and the certifier's audit fees. Certifier fees typically range from £3,000–£8,000 for SMEs for the initial Stage 1 + Stage 2 audit, with annual surveillance audits at £2,000–£4,000. AISEC's platform cost of £299–£799/month replaces the need for manual ISMS tooling and reduces internal preparation time significantly.
What is the difference between ISO 27001 and Cyber Essentials?
Cyber Essentials is a UK government-backed scheme focused on five technical controls against common cyber threats. It is a lighter-touch certification that can be completed in days. ISO 27001 is a comprehensive management system standard covering the full scope of information security — risk management, governance, physical security, supplier management, and technical controls. Many UK organisations hold both: Cyber Essentials for baseline technical assurance and ISO 27001 for enterprise-grade ISMS certification.
Do I need a consultant to get ISO 27001 certified?
No. AISEC is designed to be used by your internal team — GRC analysts, security engineers, and technical leads — without external consultancy. The AI guides you through each clause and control requirement in plain English. CipherFort's advisory services are available if you want expert support at specific phases (scoping, risk assessment, pre-audit review), but they are not required for certification.
Start your ISO 27001:2022 certification with AISEC — the platform built for the 2022 standard.