
ISO 27001: Information security management system

The international standard ISO 27001 structures information security around a certifiable management system. Conformitly supports you in implementing the 93 controls and preparing for certification.

What is ISO 27001?

The ISO/IEC 27001 standard is the international reference for information security management systems (ISMS). The 2022 version, replacing the 2013 version, reorganizes Annex A controls into 93 controls across 4 themes: organizational, people, physical, and technological. The standard is based on the Plan-Do-Check-Act (PDCA) continuous improvement cycle and requires a systematic approach to information security risk assessment and treatment.

Who does ISO 27001 apply to?

Any organization wanting to demonstrate its ability to protect its information assets through a certified management system
Companies whose clients or partners require ISO 27001 certification as a contractual prerequisite
Regulated organizations (finance, health, public sector) that use ISO 27001 as a structuring framework to address other regulatory requirements
Digital service providers and SaaS vendors who want to strengthen customer trust

Key ISO 27001 requirements

1. 93 Annex A controls (2022 version)

93 security controls organized into 4 themes: 37 organizational controls (policies, roles, asset inventory, supplier relationships), 8 people controls (screening, awareness, responsibilities), 14 physical controls (security perimeters, equipment), and 34 technological controls (authentication, encryption, monitoring, secure development).

2. Management system (ISMS) and PDCA cycle

Establishment of an information security management system based on the Plan-Do-Check-Act cycle: plan objectives and processes, implement controls, monitor and measure performance, and continuously improve the system based on results.

3. Risk assessment methodology

Definition and application of an information security risk assessment methodology, including risk identification, analysis of likelihood and impact, evaluation against acceptance criteria, and selection of appropriate treatment options.

4. Statement of Applicability (SoA)

Production of a Statement of Applicability documenting selected Annex A controls and their justification, excluded controls and the reason for their exclusion, and the implementation status of each selected control. The SoA is a key document for the certification audit.
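The SoA requirement above has three parts that an auditor will check mechanically: every Annex A control is addressed, every exclusion carries a reason, and every selected control has an implementation status. The script below is an added example written for this page (it is not Conformitly's code and not part of the standard); it assumes the SoA is kept as a list of records with those fields, uses the 2022 Annex A numbering (controls 5.1-5.37, 6.1-6.8, 7.1-7.14 and 8.1-8.34, matching the 37/8/14/34 split stated on this page), and uses a constructed status vocabulary.

```python
"""Completeness check for a Statement of Applicability (SoA).

Added example for illustration; not Conformitly's code and not text from
ISO/IEC 27001. Assumes one record per Annex A control with: control id,
whether the control is applicable, the justification for inclusion or the
reason for exclusion, and the implementation status of selected controls.
"""
from dataclasses import dataclass
from typing import Optional

# ISO/IEC 27001:2022 Annex A numbers its controls 5.x, 6.x, 7.x, 8.x;
# the per-theme counts below are the 37 / 8 / 14 / 34 split (93 in total).
THEME_COUNTS = {"5": 37, "6": 8, "7": 14, "8": 34}
THEME_NAMES = {"5": "organizational", "6": "people", "7": "physical", "8": "technological"}
# Constructed status vocabulary (assumption, not defined by the standard).
VALID_STATUS = {"not started", "in progress", "implemented"}


@dataclass
class SoaEntry:
    control_id: str            # e.g. "5.1"
    applicable: bool           # True = selected, False = excluded
    justification: str         # why included, or why excluded
    status: Optional[str] = None  # implementation status; only for selected controls


def _sort_key(control_id):
    """Order ids numerically (5.2 before 5.10); unknown shapes sort last."""
    theme, _, number = control_id.partition(".")
    if theme.isdigit() and number.isdigit():
        return (int(theme), int(number))
    return (99, 0)


def expected_control_ids():
    """The full set of 93 Annex A control ids."""
    return {f"{theme}.{n}" for theme, count in THEME_COUNTS.items() for n in range(1, count + 1)}


def check_soa(entries):
    """Return a list of findings; an empty list means the SoA passes all checks."""
    findings = []
    seen = {}
    for entry in entries:
        if entry.control_id in seen:
            findings.append(f"{entry.control_id}: listed more than once")
        seen[entry.control_id] = entry

    expected = expected_control_ids()
    for cid in sorted(expected - seen.keys(), key=_sort_key):
        findings.append(f"{cid}: not addressed in the SoA")
    for cid in sorted(seen.keys() - expected, key=_sort_key):
        findings.append(f"{cid}: not an ISO/IEC 27001:2022 Annex A control id")

    for entry in entries:
        if not entry.justification.strip():
            kind = "inclusion" if entry.applicable else "exclusion"
            findings.append(f"{entry.control_id}: {kind} has no justification")
        if entry.applicable and entry.status not in VALID_STATUS:
            findings.append(f"{entry.control_id}: selected control lacks a valid implementation status")
        if not entry.applicable and entry.status is not None:
            findings.append(f"{entry.control_id}: excluded control should not carry an implementation status")
    return findings


def status_by_theme(entries):
    """Count selected / excluded / implemented controls per Annex A theme."""
    summary = {name: {"selected": 0, "excluded": 0, "implemented": 0} for name in THEME_NAMES.values()}
    for entry in entries:
        theme = THEME_NAMES.get(entry.control_id.partition(".")[0])
        if theme is None:
            continue  # unknown ids are reported by check_soa, not counted here
        if entry.applicable:
            summary[theme]["selected"] += 1
            if entry.status == "implemented":
                summary[theme]["implemented"] += 1
        else:
            summary[theme]["excluded"] += 1
    return summary


def constructed_soa():
    """Constructed sample SoA: all 93 controls selected, placeholder justification."""
    return [SoaEntry(cid, True, "Required by the risk treatment plan (placeholder)", "in progress")
            for cid in sorted(expected_control_ids(), key=_sort_key)]


if __name__ == "__main__":
    soa = [e for e in constructed_soa() if e.control_id not in ("7.14", "8.34")]
    soa.append(SoaEntry("8.34", False, ""))  # excluded, but no reason given
    for finding in check_soa(soa):
        print(finding)
    print(status_by_theme(soa))
```

Run as a script it reports the missing 7.14 and the unjustified exclusion of 8.34; the per-theme summary is the kind of implementation-status view an auditor asks for alongside the SoA itself.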

ISO 27001 timeline

2022-10-25

Publication of ISO/IEC 27001:2022, replacing the 2013 version

2024-04-30

Transition deadline: all certifications must be updated to the 2022 version

Consequences of non-compliance

Because ISO 27001 is a voluntary standard, there are no direct regulatory penalties. The consequences of non-compliance or of losing certification can nonetheless be significant: loss of certification and the credibility attached to it, inability to respond to tenders that require certification, loss of client contracts that impose ISO 27001 as a prerequisite, reputational damage if a security incident occurs outside the coverage of a certified ISMS, and increased exposure to information security risks.

How Conformitly helps with ISO 27001

93 pre-mapped controls

Find all 93 Annex A controls from the 2022 version pre-configured in Conformitly, organized by theme, with detailed descriptions, expected evidence examples, and implementation status tracking.

Statement of Applicability generation

Automatically generate your Statement of Applicability from your selected controls, with justification for inclusion or exclusion of each control, and export it as PDF for your auditors.

Multi-methodology risk assessment

Choose from three risk assessment methodologies suited to your maturity level: simplified method to get started quickly, ISO 27005 for a normative approach, or EBIOS RM for an advanced threat-based analysis.

Audit preparation reports

Generate audit preparation reports including the compliance status of each control, collected evidence, identified gaps, and ongoing action plans, to facilitate the work of your certification auditors.

Start your compliance in 30 minutes

Create your free account and begin your compliance journey today.