ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS): the most widely adopted information security certification in the world, and the substantive backbone behind the "appropriate technical and organisational measures" that every modern privacy regulation requires. It sits alongside ISO/IEC 27701 (privacy information management) and predates it by well over a decade: ISO 27001 was first published in 2005, ISO 27701 in 2019. The transition from ISO 27001:2013 to ISO 27001:2022 closed on 31 October 2025, so every active certificate today is against the 2022 edition. For privacy programs that need a defensible security foundation, this is where the work starts.
The three-year transition window from ISO 27001:2013 closed on 31 October 2025. Every active certificate today is, and must be, against the 2022 edition: new entrants implement to 2022, and organisations that did not complete transition lost certified status when their 2013 certificate expired. For most privacy and security teams the transition is a closed chapter; the operational reality is running the 2022 ISMS in steady state rather than preparing to migrate.
The current and only valid edition
25 October 2022: 2022 edition published. ISO/IEC 27001:2022 restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes. The companion ISO/IEC 27002:2022, published in February 2022 (eight months earlier), provides the detailed implementation guidance for each control.
February 2024: Climate-change amendment. ISO/IEC 27001:2022/Amd 1:2024 adds climate change to the context clauses: under 4.1 the organisation shall determine whether climate change is a relevant issue, and a note under 4.2 records that interested parties can have climate-related requirements. In practice this means assessing extreme-weather and climate risk to sites, data centres and physical-infrastructure controls.
30 April 2024: Last day for new 2013-edition certificates. From 1 May 2024 certification bodies conducted initial certification audits only against the 2022 edition.
31 October 2025: Transition deadline. All remaining ISO 27001:2013 certificates expired or were withdrawn. Organisations that had not completed transition lost certified status; every active certificate-holder is on the 2022 edition from this point forward.
Clauses 4 to 10 form the operational heart of ISO 27001 — the same Plan-Do-Check-Act backbone that ISO 27701, ISO 42001, ISO 9001 and other ISO management system standards share. The 2022 edition introduced minor refinements: a new Clause 6.3 on planning of changes; structural splits in Clauses 9.2 and 9.3 on internal audit and management review; and tightened wording in 4.2 and 6.2. The intent and structure remain unchanged from 2013.
Clause 4, Context of the organisation: understanding the organisation, its context, interested parties, and ISMS scope. Tightened in 2022 with an explicit requirement to determine which interested-party requirements will be addressed through the ISMS.
Clause 5, Leadership: top-management commitment, information security policy, organisational roles, responsibilities and authorities. The CISO function and the security-governance ladder live here.
Clause 6, Planning: risk assessment, risk treatment, information security objectives. New 6.3 in the 2022 edition, planning of changes: changes to the ISMS shall be carried out in a planned manner, and auditors will look for evidence of that planning (change records, impact on the risk assessment and SoA) rather than ad hoc change.
Clause 7, Support: resources, competence, awareness, communication, documented information. The capability-building work, and the documentation discipline auditors examine first.
Clause 8, Operation: operational planning and control, risk assessment in practice, risk treatment in practice. Where the selected Annex A controls actually run, and where evidence of operating effectiveness gets generated.
Clause 9, Performance evaluation: monitoring, measurement, analysis, internal audit, management review. 2022 split internal audit into 9.2.1 General and 9.2.2 Internal audit programme, and management review into 9.3.1 General, 9.3.2 Inputs and 9.3.3 Results; same intent, more explicit structure.
Clause 10, Improvement: nonconformity, corrective action, continual improvement of the ISMS. Closes the loop. Surveillance audits specifically test whether the improvement discipline is real or theoretical.
The 2022 edition restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes: a more navigable taxonomy, with controls grouped by who or what they govern. Organisations select applicable controls based on their risk assessment and document the selection in their Statement of Applicability. Annex A is normative as a reference: Clause 6.1.3 requires the controls determined necessary to be compared against Annex A to verify none has been overlooked, and any control excluded from the SoA must carry a justified rationale.
A.5 Organisational (37 controls): policies, roles, segregation of duties, threat intelligence, supplier relationships, cloud governance, incident management. The administrative backbone: the largest control set and the most strategically significant.
A.6 People (8 controls): screening, employment terms, awareness training, disciplinary process, remote working, post-termination responsibilities, NDAs. The human-factor controls: small in number, large in impact.
A.7 Physical (14 controls): physical security perimeters, entry controls, securing offices, equipment maintenance, secure disposal, clear desk / clear screen, physical security monitoring. Where digital security meets the physical world.
A.8 Technological (34 controls): access management, encryption, secure development, configuration management, monitoring, vulnerability management, web filtering, data leakage prevention, secure coding. The largest technical set, where IT and engineering work concentrates.
Annex A is a reference catalogue, not a mandatory checklist. Organisations select the controls relevant to their risk assessment and scope, and document the selection rationale in the Statement of Applicability (SoA). Excluded controls must have a justified rationale, and each exclusion should name the risk-assessment outcome or scope boundary that justifies it. In practice most organisations include the large majority of the 93 controls (on the order of 80 to 95 percent); pure exclusion is the exception, not the norm.
Most of the 2022 edition's 93 controls are renamed, merged or revised versions of the 2013 controls. The substantive additions are the eleven genuinely new controls listed below. They cluster around the security gaps that emerged between 2013 and 2022 — cloud, threat intelligence, modern data-handling practices, and resilience. For organisations transitioning, these were the gap-analysis priorities; for organisations starting fresh post-2025, they are simply part of the working baseline.
The eleven controls that are genuinely new in the 2022 edition, by theme: A.5.7 Threat intelligence; A.5.23 Information security for use of cloud services; A.5.30 ICT readiness for business continuity; A.7.4 Physical security monitoring; A.8.9 Configuration management; A.8.10 Information deletion; A.8.11 Data masking; A.8.12 Data leakage prevention; A.8.16 Monitoring activities; A.8.23 Web filtering; A.8.28 Secure coding. They cluster around cloud, threat intelligence, modern data handling and resilience, the security territory that materially changed between 2013 and 2022.
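The SoA rules above (every Annex A control accounted for, every exclusion justified, the eleven new controls not quietly dropped) are mechanical enough to check before an auditor does. The following Python script is an added example, not code from the original page or from any ISO publication. It assumes the SoA has been exported as a CSV with the columns control_id, applicable and justification (that layout is an assumption; real GRC tools differ), generates the 93 control identifiers from the 2022 numbering (5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14, 8.1 to 8.34), and runs the checks over a constructed sample SoA that contains the typical mistakes: a control left out, a 2013-era identifier left in, and an exclusion with no rationale.

```python
"""ISO/IEC 27001:2022 Statement of Applicability (SoA) consistency checker.

Added example. Assumed CSV layout: control_id, applicable (yes/no), justification.
"""
import csv
import io

# Annex A (2022) numbering is contiguous within each theme: 37 + 8 + 14 + 34 = 93.
THEMES = {
    "5": ("Organisational", 37),
    "6": ("People", 8),
    "7": ("Physical", 14),
    "8": ("Technological", 34),
}
ANNEX_A = [f"{t}.{i}" for t, (_, n) in THEMES.items() for i in range(1, n + 1)]
# The eleven controls introduced in the 2022 edition.
NEW_IN_2022 = {"5.7", "5.23", "5.30", "7.4", "8.9", "8.10", "8.11", "8.12", "8.16", "8.23", "8.28"}


def parse_soa(csv_text):
    """Parse an SoA export into {control_id: {applicable, justification}}."""
    rows = {}
    for r in csv.DictReader(io.StringIO(csv_text)):
        cid = r["control_id"].strip()
        rows[cid] = {
            "applicable": r["applicable"].strip().lower() in ("yes", "y", "true"),
            "justification": r["justification"].strip(),
        }
    return rows


def check_soa(rows):
    """Apply the SoA rules: all 93 controls listed, exclusions justified, new controls visible."""
    missing = [c for c in ANNEX_A if c not in rows]                      # omitted entirely
    unknown = sorted(c for c in rows if c not in ANNEX_A)                # not 2022 numbering
    unjustified = [c for c in ANNEX_A
                   if c in rows and not rows[c]["applicable"] and not rows[c]["justification"]]
    new_excluded = sorted(c for c in NEW_IN_2022 if c in rows and not rows[c]["applicable"])
    theme_counts = {}
    for t, (name, n) in THEMES.items():
        ids = [c for c in ANNEX_A if c.startswith(t + ".")]
        theme_counts[name] = (sum(1 for c in ids if c in rows and rows[c]["applicable"]), n)
    included = sum(a for a, _ in theme_counts.values())
    return {
        "missing": missing,
        "unknown": unknown,
        "unjustified": unjustified,
        "new_excluded": new_excluded,   # justified exclusions still worth a second look
        "theme_counts": theme_counts,
        "included": included,
        "ok": not (missing or unknown or unjustified),
    }


def build_sample_soa():
    """Constructed sample SoA: everything applicable except the deliberate defects below."""
    overrides = {
        "5.23": ("no", "No cloud services in scope; all systems hosted on-premises"),
        "7.4": ("no", "Shared office; physical monitoring provided by landlord under facilities agreement"),
        "8.23": ("no", ""),  # excluded with no rationale: a finding
    }
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["control_id", "applicable", "justification"])
    for cid in ANNEX_A:
        if cid == "8.10":
            continue  # deliberately omitted: a finding
        applicable, why = overrides.get(cid, ("yes", ""))
        w.writerow([cid, applicable, why])
    w.writerow(["A.18.1.4", "yes", ""])  # 2013-edition identifier left behind: a finding
    return buf.getvalue()


def report(result):
    """Render the check result as audit-friendly text."""
    lines = [f"{name}: {a}/{n} applicable" for name, (a, n) in result["theme_counts"].items()]
    lines.append(f"Total: {result['included']}/{len(ANNEX_A)} included")
    for key in ("missing", "unknown", "unjustified", "new_excluded"):
        if result[key]:
            lines.append(f"{key}: {', '.join(result[key])}")
    lines.append("SoA OK" if result["ok"] else "SoA has findings")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_soa(parse_soa(build_sample_soa()))))
```

Run against a real export, the same script answers the three questions a Stage 1 auditor asks of the SoA first: is every Annex A control present, does every exclusion say why, and which of the 2022 additions have been excluded. The new_excluded list is informational rather than a failure, because a justified exclusion (no cloud services in scope, for example) is legitimate; it exists so that nobody excludes a new control by inheriting a 2013-era SoA without noticing.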
Every modern privacy regulation requires "appropriate technical and organisational measures" to secure personal data — but none specifies what those measures are. ISO 27001 is the most widely recognised mechanism for evidencing them. The matrix below shows how Annex A control themes underwrite the substantive security obligations that GDPR, KSA PDPL, UAE PDPL and India DPDP impose. Where regulators ask "how do you secure personal data," ISO 27001 is the answer most likely to be accepted without further explanation.
| Regulatory security obligation | What ISO 27001 provides | ISO 27001:2022 coverage |
|---|---|---|
| Appropriate TOMs for security (GDPR Art. 32 · KSA PDPL Art. 19 · UAE PDPL Art. 19-20 · DPDP s.8(5)) | The flagship "appropriate technical and organisational measures" obligation. ISO 27001's entire framework is the answer: risk-based control selection, evidenced implementation, ongoing measurement, audit verification. | Clauses 4 to 10 (entire ISMS); Annex A.5 / A.6 / A.7 / A.8 |
| Encryption of personal data (GDPR Art. 32(1)(a) · KSA PDPL Art. 19 · UAE Federal PDPL · DPDP s.8(5)) | Encryption explicitly named in GDPR; technically required across all GCC and India regimes. ISO controls cover key management, encryption in transit and encryption at rest. | A.8.24 Use of cryptography; A.8.20 Networks security |
| Pseudonymisation and data minimisation in design (GDPR Art. 25 / 32 · KSA PDPL Art. 24 · UAE PDPL Art. 21) | Privacy by design is partly a design discipline, partly a control catalogue. The 2022 edition's new data-masking control (which covers pseudonymisation and anonymisation) directly underwrites this obligation. | A.8.11 Data masking; A.8.25 Secure development life cycle |
| Confidentiality, integrity, availability of systems (GDPR Art. 32(1)(b) · KSA PDPL · UAE PDPL · DPDP) | The CIA triad is foundational to the entire ISO 27001 framework. Every Annex A theme contributes; access management and resilience controls are central. | A.5.15 Access control; A.8.5 Secure authentication; A.5.30 ICT readiness for business continuity |
| Restoration of availability after incident (GDPR Art. 32(1)(c) · KSA PDPL · UAE PDPL) | Backup, recovery, business continuity discipline. New A.5.30 explicitly brings ICT readiness for business continuity into ISMS scope. | A.5.30 ICT readiness for business continuity; A.8.13 Information backup |
| Regular testing and evaluation of effectiveness (GDPR Art. 32(1)(d) · KSA PDPL Art. 19) | Internal audit, penetration testing, vulnerability management, performance evaluation. The Clause 9 measurement layer plus specific Annex A controls. | Clause 9 Performance evaluation; A.8.8 Management of technical vulnerabilities |
| Personal data breach response (GDPR Art. 33-34 · KSA PDPL Art. 20 · UAE PDPL Art. 9 · DPDP s.8(6)) | Incident detection, classification, response, notification. The breach-response capability that underwrites regulatory notification obligations. | A.5.24 Incident management planning and preparation; A.5.25 Assessment and decision on events; A.5.26 Response to incidents; A.5.27 Learning from incidents |
| Processor / supplier security obligations (GDPR Art. 28(3)(c) · KSA PDPL Art. 7 · UAE PDPL Art. 8) | Sub-processor governance, contractual flow-down, audit rights, supplier security risk assessment. The third-party risk discipline. | A.5.19 Information security in supplier relationships; A.5.20 Addressing security within supplier agreements; A.5.21 Managing security in the ICT supply chain |
| Cloud security and data sovereignty (KSA PDPL · UAE PDPL · DPDP · sectoral regs) | Cloud services governance, data residency in cloud contracts, exit planning. New A.5.23 explicitly covers the security of cloud-service use. | A.5.23 Information security for use of cloud services; A.5.10 Acceptable use of information and other associated assets |
| Information deletion / retention discipline (GDPR Art. 5(1)(e) · KSA PDPL Art. 18 · UAE PDPL Art. 17 · DPDP s.8(7)) | The storage limitation principle requires evidenced deletion. New A.8.10 (information deletion) addresses this explicitly, which matters particularly for privacy-regulation alignment. | A.8.10 Information deletion; A.7.14 Secure disposal or re-use of equipment |
ISO 27001 doesn't make the privacy obligations go away — it makes them defensible. Where a regulator asks "how do you secure personal data," an ISO 27001 certificate plus operational evidence is the most widely recognised answer in the world. It doesn't replace the substantive privacy compliance work; it underwrites it. For most multi-regulator organisations, ISO 27001 is the security foundation that lets a privacy program rest on something defensible rather than improvised.
ISO 27001 and ISO 27701 share the same Plan-Do-Check-Act backbone, the same management-system structure, the same documentation discipline. Most organisations that hold both run them as a single integrated management system rather than two separate programs. Since ISO 27701:2025 went standalone, the integration is now a choice rather than a structural requirement — but it remains the operating model that produces the most leverage from each.
For organisations with both, integrated is almost always the right answer. Common Plan-Do-Check-Act backbone means single management review cycle. Common documentation discipline means single document set with privacy and security overlays. Common internal audit programme. Common certification body engagement. The result is a unified security-and-privacy operating model where each standard reinforces the other, rather than two parallel programs competing for resources. Read the ISO 27701 page for the privacy side of this story.
The certification pathway runs through the same five phases used across the ISO management-system family. Total elapsed time depends on starting maturity — organisations with mature security operations, documented controls and a competent CISO function typically reach Stage 2 audit in 6 — 9 months; organisations starting from scratch typically take 9 — 14 months. Surveillance audits then run annually with full re-certification every three years.
Phase 1, Scoping and gap analysis: define ISMS scope. Diagnostic against the standard. Gap report and remediation plan.
Phase 2, Build: ISMS documentation, control implementation, Statement of Applicability, evidence cadence.
Phase 3, Internal assurance: independent internal audit against the standard. Management review. Pre-certification readiness.
Phase 4, Certification audit: Stage 1 documentation and readiness review by the certification body; on-site Stage 2 audit of implementation and operating effectiveness; nonconformity remediation.
Phase 5, Maintain: three-year certificate. Annual surveillance audits. Continual improvement discipline.
The path to ISO 27001 certification splits into eleven workstreams. Most overlap with ISO 27701 work — for organisations pursuing both, the integrated workstream model dramatically reduces total effort. Privacy advisors often deliver ISO 27001 as the foundation upon which the privacy program then rests; security advisors often add ISO 27701 as the privacy overlay on an existing ISMS. Either entry point arrives at the same operating model.
1. Scope. Definition of organisational and information-asset scope for the ISMS. Boundary decisions: which entities, which products, which information assets. Scope decisions made here drive every subsequent workstream and ultimately the certification scope.
2. Risk assessment. Risk identification, analysis, evaluation methodology. Risk register. Risk treatment plan. The risk-driven backbone that justifies control selection; auditors examine this in detail at Stage 1.
3. Statement of Applicability. Selection and justification of applicable Annex A controls. SoA documentation with rationale for each included and excluded control. The certification body's reference document for what they are auditing against.
4. Policy and documentation. Information security policy, supporting procedures, role definitions, process documentation. The document set auditors work through; it needs to be both auditable and operationally meaningful, not just paperwork.
5. Control implementation. Implementation of selected Annex A controls across all four themes: organisational, people, physical, technological. The largest workstream by effort. Engineering, operations and HR are all involved depending on the control mix.
6. New-in-2022 controls. Specific implementation work for the 11 controls new in the 2022 edition: threat intelligence feed, cloud security governance, ICT continuity, secure coding, DLP, data masking, monitoring. Where the gap-analysis effort concentrates for organisations transitioning or starting fresh.
7. Awareness and competence. Security awareness training, role-specific competence, evidence of staff understanding. Auditors specifically test whether staff know the security obligations relevant to their roles. A standard failure point at first-time audits.
8. Internal audit. Internal audit methodology, schedule, auditor independence and competence, evidence retention. Required by the standard. The certification body examines internal audit findings as part of its Stage 2 evaluation.
9. Management review. Top-management review meetings, agenda content, decision documentation. The Clause 9.3 requirement that demonstrates leadership engagement. A frequent failure point: meetings happen but lack the structure auditors expect.
10. Improvement. Nonconformity logging, corrective action, improvement initiatives. The Clause 10 requirement that closes the PDCA loop. Surveillance audits specifically test whether the discipline is real or theoretical.
11. Certification body engagement. Selection of an accredited certification body, Stage 1 and Stage 2 audit scheduling, nonconformity response, ongoing surveillance audit cadence. The external-facing workstream that runs in parallel with implementation.
ISO 27001 work is delivered through one of three engagement shapes — depending on whether the organisation is starting from scratch, integrating with privacy work, or maintaining post-certification. The most common pattern in our practice is integrated ISO 27001 + ISO 27701 builds where the security and privacy programs are designed and certified as a single management system.
For organisations targeting first-time ISO 27001 certification. Full ISMS build: scoping, risk assessment, SoA, policy framework, control implementation, 2022 new-controls coverage, internal audit, management review, certification body engagement. Frequently delivered with ISO 27701 as integrated build.
For organisations with existing security programs or partial ISMS work needing structured assessment against ISO 27001:2022. Targeted gap diagnostic, 2022 new-controls coverage check, risk assessment review, SoA development plan, remediation roadmap. Often the sequel to recent transition work.
For organisations holding ISO 27001 certification needing senior backup on harder questions — surveillance audit preparation, scope expansion, integration with ISO 27701 / ISO 42001 / SOC 2, control gap remediation, regulator-facing engagement on security obligations.
Common questions on ISO 27001 in early 2026 — particularly around the post-transition reality, the relationship to ISO 27701 and other standards, and whether ISO 27001 makes sense for organisations whose primary driver is privacy compliance rather than security certification per se.
Every privacy regulation requires "appropriate technical and organisational measures" for security — and none of them tells you what those are. ISO 27001 is the answer most likely to be accepted without further explanation. A 30-minute scoping call costs nothing — we will tell you honestly whether ISO 27001 makes sense for your situation, how it fits with your privacy program, and whether the integrated build with ISO 27701 is the right approach for you.
Schedule a call