ISO 27001

ISO 27001 is the international standard for information security management systems (ISMS), specifying how to establish, implement, and maintain controls.

Definition

ISO 27001 is an internationally recognized standard published by the International Organization for Standardization (ISO) that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It uses a risk-based approach to managing information security.

Context

ISO 27001 certification is particularly important for companies doing business internationally, as it is recognized globally, unlike SOC 2, which is US-centric. The standard covers 93 controls organized into four themes: organizational, people, physical, and technological. Many security questionnaires reference ISO 27001 controls, and certification can satisfy numerous questionnaire requirements at once. The standard was updated in 2022 (ISO/IEC 27001:2022) with a restructured control set.

Why it matters

ISO 27001 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System. Unlike prescriptive frameworks, ISO 27001 requires organizations to perform their own risk assessment and select controls from Annex A based on the risks they identify. Certification involves a two-stage audit by an accredited certification body: stage one reviews documentation and ISMS design, while stage two evaluates operational effectiveness through interviews, observation, and evidence sampling.

One of the most common pitfalls is treating ISO 27001 as a checklist of 93 Annex A controls rather than a risk-based management system. The standard explicitly requires a documented risk assessment methodology and a Statement of Applicability explaining which controls were selected and why. Organizations that skip this step and simply implement every control without justification often struggle during surveillance audits when auditors probe whether the ISMS reflects actual business risk rather than generic compliance theater.

ISO 27001:2022 restructured Annex A controls into four themes — organizational, people, physical, and technological — and introduced eleven new controls addressing areas like threat intelligence, cloud security, and data masking. For organizations already certified under the 2013 version, transition audits must be completed by October 2025. Practitioners managing security questionnaires should note that ISO 27001 certification is increasingly expected by enterprise buyers globally, particularly in European and APAC procurement processes.
