ISO 27001 Compliance Guide
A practical guide to ISO 27001 certification — from understanding the standard to implementing your Information Security Management System.
What is ISO 27001?
ISO 27001 (formally ISO/IEC 27001, current edition 2022) is the international standard for information security management systems (ISMS), published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the auditable requirements for an ISMS: a systematic, risk-driven approach to protecting the confidentiality, integrity, and availability of an organization's information. Implementation guidance for the Annex A controls lives in the companion standard ISO/IEC 27002, which is not itself certifiable.
Unlike SOC 2, which is primarily used in North America, ISO 27001 is recognized globally and is often required for doing business in Europe, Asia, and other international markets.
Why ISO 27001 Matters
- Global recognition — ISO 27001 is recognized in over 160 countries, making it essential for international business
- Customer requirements — many enterprise customers, especially in Europe and APAC, require ISO 27001 certification from their vendors
- Regulatory compliance — ISO 27001 maps well onto the "appropriate technical and organisational measures" the GDPR requires (Article 32), so a certified ISMS is a strong foundation for EU data protection work; note that certification is not a GDPR compliance certificate, and privacy-specific requirements are covered by the ISO/IEC 27701 extension rather than 27001 itself
- Risk management — the framework provides a structured approach to identifying and managing information security risks
- Continuous improvement — the Plan-Do-Check-Act (PDCA) cycle drives ongoing security improvements
ISO 27001 Structure
Clauses 0-3 of ISO 27001 are introductory (scope, normative references, terms). The auditable content is organized into two main parts:
Clauses 4-10: ISMS Requirements
These clauses define the mandatory requirements for establishing, implementing, maintaining, and continually improving an ISMS:
- Clause 4: Context of the Organization — understand your organization, stakeholder needs, and ISMS scope
- Clause 5: Leadership — management commitment, security policy, and organizational roles
- Clause 6: Planning — risk assessment, risk treatment, and security objectives
- Clause 7: Support — resources, competence, awareness, communication, and documented information
- Clause 8: Operation — operational planning, risk assessment execution, and risk treatment
- Clause 9: Performance Evaluation — monitoring, internal audit, and management review
- Clause 10: Improvement — nonconformity handling, corrective action, and continual improvement
Annex A: Security Controls
Annex A contains 93 controls (in the 2022 version, consolidated from the 114 controls of the 2013 edition) organized into 4 themes. Annex A is a reference set, not a checklist: clause 6.1.3 requires you to determine the controls necessary to treat your assessed risks (from Annex A or any other source), then compare that list against Annex A to confirm nothing has been overlooked. Any Annex A control you leave out must be justified in the Statement of Applicability, and auditors will expect exclusions to be rare and risk-based:
- Organizational controls (37) — policies, roles, asset management, access control, supplier relationships
- People controls (8) — screening, terms of employment, awareness, disciplinary process
- Physical controls (14) — physical perimeters, entry controls, equipment security, secure disposal
- Technological controls (34) — endpoint devices, access rights, authentication, encryption, logging, network security, secure development
Key Annex A Control Areas
The groupings below are informal; "Operations Security" and "Secure Development" were domain names in the 2013 edition and are now spread across the Technological theme. The identifiers in parentheses are the ISO/IEC 27001:2022 Annex A control numbers an evidence item or SoA entry would cite.
Access Control
- User access provisioning and de-provisioning (5.16 Identity management, 5.18 Access rights)
- Privileged access management (8.2 Privileged access rights)
- Multi-factor authentication (8.5 Secure authentication does not name MFA, but MFA is the expected way to satisfy it for privileged and remote access; 5.17 covers the handling of authentication information)
- Access review and recertification (5.15 Access control and the periodic review required by 5.18)
Cryptography
- Encryption of data at rest and in transit (8.24 Use of cryptography)
- Key management procedures (8.24 requires a key management policy covering generation, storage, rotation, and destruction)
- Certificate management (also under 8.24; there is no separate certificate control in the 2022 edition)
Operations Security
- Change management procedures (8.32 Change management)
- Capacity management (8.6 Capacity management, 8.14 Redundancy of information processing facilities)
- Malware protection (8.7 Protection against malware)
- Backup and recovery (8.13 Information backup, including restore testing)
- Logging and monitoring (8.15 Logging, 8.16 Monitoring activities, 8.17 Clock synchronization)
- Vulnerability management (8.8 Management of technical vulnerabilities)
Secure Development
- Secure development policy (8.25 Secure development life cycle, 8.26 Application security requirements)
- Code review and testing (8.28 Secure coding, 8.29 Security testing in development and acceptance)
- Change control in development (8.32 Change management, 8.31 Separation of development, test and production environments)
- Secure system architecture (8.27 Secure system architecture and engineering principles)
The Certification Process
- ISMS scope definition — define which parts of your organization and which information assets are covered
- Risk assessment — define your risk acceptance criteria and assessment method, identify information security risks, assign a risk owner to each, analyze likelihood and impact, and decide treatment options (mitigate with controls, transfer, avoid, or formally accept)
- Statement of Applicability (SoA) — document which Annex A controls apply and which are excluded (with justification), plus any necessary controls taken from outside Annex A, and record the implementation status of each; the SoA is the document auditors use to trace controls back to risks
- Control implementation — implement the selected controls and document procedures
- Internal audit — conduct internal audits to verify ISMS effectiveness
- Management review — leadership reviews ISMS performance and makes improvement decisions
- Stage 1 audit — the certification body reviews your ISMS documentation (scope, risk assessment, SoA, policies) and confirms you are ready for Stage 2, typically including that at least one internal audit and management review have taken place
- Stage 2 audit — the certification body samples evidence to verify that the selected controls are implemented, operating, and effective; nonconformities found here must be closed before a certificate is issued
- Certification — upon successful audit, the certification body issues your ISO 27001 certificate (valid for 3 years)
- Surveillance audits — annual audits in years 2 and 3 to maintain certification
- Re-certification — full re-certification audit every 3 years
ISO 27001 vs SOC 2
Both frameworks address information security, but they differ in important ways:
- Geography — SOC 2 is primarily used in North America; ISO 27001 is recognized globally
- Approach — SOC 2 is criteria-based (the AICPA Trust Services Criteria); ISO 27001 is risk-based (you select and justify controls based on your own risk assessment, documented in the SoA)
- Certification — SOC 2 produces an attestation report issued by a licensed CPA firm; ISO 27001 produces a formal certificate issued by an accredited certification body
- Scope — SOC 2 scopes a specific system or service delivered to customers; ISO 27001 scopes an ISMS, which the organization defines and which may cover all or part of the business
- Duration — a SOC 2 Type II report covers an observation period, commonly 6-12 months, and is repeated each year; an ISO 27001 certificate is valid for 3 years with annual surveillance audits
- Overlap — a large share of the controls overlap (roughly 80% is the commonly cited estimate), so much of the same evidence can serve both and dual compliance is achievable
How Sentinel Helps with ISO 27001
Sentinel automates key aspects of ISO 27001 compliance:
- Control evidence collection — automatically collect evidence for technological controls from AWS, GitHub, and Google Workspace
- Control mapping — evidence items are automatically mapped to ISO 27001 Annex A controls
- Gap analysis — identify which controls have evidence, which are failing, and which need attention
- Policy generation — generate ISO 27001-aligned policies including Information Security Policy, Access Control Policy, and more
- Audit reports — produce ISO 27001-specific audit reports with evidence references and control status
- Continuous monitoring — maintain evidence freshness between surveillance audits
Implementation Roadmap
- Months 1-2: Define ISMS scope, conduct risk assessment, create Statement of Applicability
- Months 2-4: Implement controls, write policies and procedures, deploy technical controls
- Months 4-5: Conduct internal audit, management review, address any findings
- Month 5: Stage 1 audit (documentation review)
- Months 6-7: Address Stage 1 findings, continue operating ISMS
- Months 7-8: Stage 2 audit (implementation verification)
- Month 8+: Receive certification, begin continuous improvement cycle
With Sentinel, you can significantly accelerate months 2-4 by automating evidence collection and policy generation, and reduce the manual effort required throughout the process.
Ready to Get Started?
Sign up for Sentinel and begin your ISO 27001 journey. Connect your cloud accounts and map your compliance posture to ISO 27001 controls in minutes.