What is ISO 27001 and what does certification cost?

What is ISO 27001 and why is it relevant?

ISO 27001 is the internationally recognized standard for implementing an Information Security Management System (ISMS). The standard was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and is used worldwide by organizations that take information security seriously. The most recent version is ISO/IEC 27001:2022, published in October 2022.

While many security measures are technical in nature — firewalls, encryption, patch management — ISO 27001 focuses on the management process behind them. Who is responsible for what information? How are risks identified and evaluated? What measures are taken and how is their effectiveness monitored? ISO 27001 answers all these questions through a management system that continuously improves.

The structure of ISO 27001:2022

The standard is built around two core components. The management system (clauses 4 through 10) describes governance requirements: management leadership and involvement, risk assessment and treatment, objectives, support, operational planning, performance evaluation, and continuous improvement.

Annex A contains 93 security controls divided into four themes: organizational controls (37), people controls (8), physical controls (14), and technological controls (34).

New in the 2022 version are eleven controls addressing current developments, including threat intelligence, information security for the use of cloud services, configuration management, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.

Who is ISO 27001 relevant for?

ISO 27001 is applicable to organizations of any size and sector. While certification is formally voluntary, in practice it increasingly becomes a hard requirement from customers, tenders, and supply-chain partners. Sectors where this is particularly strong:

The four phases of the certification process

Phase 1 — Gap Analysis (4–8 weeks): The first step is mapping the current situation against ISO 27001 requirements. Which controls are already implemented? Which are missing or incomplete? The gap analysis produces a prioritized list and a realistic implementation plan. An experienced ISO 27001 Lead Auditor can already indicate which findings a certification auditor will view as critical.

Phase 2 — ISMS implementation (2–6 months): Based on the gap analysis, the ISMS is built. This includes creating policy documents (information security policy, risk assessment procedure, Statement of Applicability), conducting a formal risk assessment and treatment, implementing missing technical and organizational controls, and establishing processes for incident management, internal audits, and management review.

Phase 3 — Internal Audit and Management Review (2–4 weeks): Before the external auditor arrives, the organization conducts its own internal audit to verify that the ISMS conforms both to the requirements of ISO 27001 and to the organization's own policies and procedures. Management conducts a formal management review to assess ISMS performance and adjust objectives where needed. This provides both a quality check and the documentation the external auditor expects to see.

Phase 4 — External Certification Audit: An accredited certification body (such as Bureau Veritas, DNV, Lloyd's Register, or TÜV) conducts a two-stage audit. Stage 1 is a documentation review: the auditor assesses whether the ISMS is complete and logically structured. Stage 2 is the implementation audit: the auditor verifies on-site whether measures are actually implemented. Upon a positive assessment, the organization receives an ISO 27001 certificate valid for three years, provided annual surveillance audits pass.

Timeline and costs

A realistic timeline for an SME organization of 50–200 employees is 6 to 12 months. Organizations that already have formal processes, policy documentation, and a mature IT environment can sometimes reduce that to 4–6 months.

Costs consist of three components:

Annual surveillance audits cost approximately 30–50% of the initial audit price. After three years, a recertification audit follows.

ISO 27001 as a foundation for NIS2 and GDPR

A well-implemented ISMS is not only valuable for certification itself. It also forms an excellent foundation for NIS2 compliance and GDPR compliance. The technical and organizational measures (TOMs) required by GDPR overlap significantly with ISO 27001 controls. NIS2 mandates a risk-based approach that closely aligns with the ISO 27001 risk management system. Organizations that are already certified have a measurable advantage in NIS2 implementation.

GRC platform as an accelerator

A common mistake is maintaining the ISMS in loose Word documents and Excel sheets. This works during the setup phase, but becomes unmanageable once the system needs to operate. A GRC platform like iso2700x.com centralizes risk assessment, control management, audit trails, and reporting. Compli, our built-in AI assistant, helps with creating and reviewing policy documents and flags deviations early.

How can iso2700x.com help?

Our CISSP and ISO 27001 Lead Auditor certified consultants guide your organization from gap analysis to certification audit. We know the most common pitfalls—underestimated documentation burden, scope too broad, insufficient management commitment—and ensure you avoid them. The result: a realistic path, no surprises during the external audit, and an ISMS that actually works after certification.
