Key facts
- Controls
- 93 Annex A controls (ISO/IEC 27001:2022, down from 114 in the 2013 version)
- Recertification cycle
- 3-year certificate
- Ongoing oversight
- Annual surveillance audits in years 1 and 2
- Public registry
- IAF CertSearch β
- Common gap categories
- Risk assessment (clause 6.1); Access control (A.5 and A.8); Supplier relationships (A.5.19βA.5.22); Cryptography (A.8.24); Logging and monitoring (A.8.15βA.8.16)
- Related standards
What is ISO 27001?
An international standard (ISO/IEC 27001:2022) published by ISO and IEC, scoped to an organization's Information Security Management System (ISMS). The 2022 version updated Annex A controls from 114 to 93.
Is ISO 27001 a certification or an attestation?
ISO 27001 is a certification. A physical certificate with three-year validity is issued by an accredited certification body (e.g., BSI, Bureau Veritas, Schellman, A-LIGN). Annual surveillance audits are required to maintain it.
Who needs ISO 27001?
Tech companies selling to European enterprise or government buyers, organizations subject to GDPR accountability expectations, or any vendor whose customers expect a recognized international ISMS standard rather than a US-specific framework.
What happens during an ISO 27001 audit?
An ISO 27001 audit runs in two stages, then continues with annual surveillance audits and a full recertification audit every three years. An accredited certification body performs it, never the consultant who built the ISMS.
- Stage 1: documentation review
- The certification body reviews the ISMS scope, policies, risk assessment, and Statement of Applicability to confirm the system is ready for a full audit, typically over one to two days.
- Stage 2: certification audit
- Auditors test whether the ISMS is actually operating as documented, sampling evidence across Annex A controls and interviewing staff. A pass leads to the three-year certificate.
- Surveillance audits (years 1 and 2)
- Narrower annual audits confirm the ISMS keeps operating and improving between certificates. A failed surveillance audit can suspend or withdraw certification before year 3.
- Recertification (year 3)
- An audit similar in scope to Stage 2 renews the certificate for another three-year cycle. Organizations that let certification lapse must restart from Stage 1.
What does ISO 27001 cost and how long does it take?
Certification body audit fees of $10Kβ$80K. All-in first-year cost (consultant, tooling, internal time) typically $50Kβ$220K for mid-market organizations.
Audit body fees and total program cost diverge sharply. Quote both numbers when budgeting; one is the auditor invoice, the other is everything else.
Go deeper on this
Ready to act on ISO 27001?
The independent consultants who build your ISMS and the accredited body that audits and issues the certificate are two different hires. Start with the consultants who prepare you for certification.