ISO 27001 is the international standard for information security management systems (ISMS), and it is the most widely recognised certification for demonstrating an organisation's commitment to information security. The 2022 revision, ISO 27001:2022, restructured the control framework into four themes with 93 controls, down from 114 controls in 14 domains in the previous 2013 edition. This guide provides practical implementation advice for security teams, with a focus on the technical controls most relevant to detection, monitoring, and incident response.
What Is ISO 27001?
ISO 27001 (formally ISO/IEC 27001) is an internationally recognised standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
An ISMS is not a product or a tool. It is a systematic approach to managing sensitive company information so that it remains secure. The ISMS encompasses people, processes, and technology, and it operates within the broader context of the organisation's business objectives and risk appetite.
ISO 27001 follows the Plan-Do-Check-Act (PDCA) cycle:
- Plan: Establish the ISMS policy, objectives, processes, and procedures relevant to managing risk
- Do: Implement and operate the ISMS policies, controls, processes, and procedures
- Check: Assess and measure process performance against the ISMS policy, objectives, and practical experience
- Act: Take corrective and preventive actions based on the results of the management review
Who Pursues ISO 27001 Certification?
ISO 27001 certification is pursued by a wide range of organisations:
- SaaS and technology companies that need to demonstrate security maturity to enterprise customers during procurement evaluations
- Managed service providers and outsourcing firms handling client data
- Financial services firms seeking to meet regulatory expectations (ISO 27001 aligns well with DORA and FCA requirements)
- Government suppliers responding to public-sector procurement requirements
- Healthcare organisations managing sensitive patient data
- Manufacturing companies protecting intellectual property and operational technology
For mid-market organisations (500-7,500 employees), ISO 27001 certification is often a commercial enabler: it opens doors to enterprise contracts and demonstrates to regulators, clients, and partners that security is managed systematically rather than ad hoc.
What Is the ISO 27001:2022 Control Structure?
The 2022 revision significantly restructured the Annex A controls. The previous edition organised 114 controls into 14 domains (such as Access Control, Cryptography, and Operations Security). The 2022 edition consolidates these into 93 controls across four themes.
Organisational Controls (A.5), 37 Controls
Organisational controls address governance, policies, roles, responsibilities, and management processes. They cover information security policies, segregation of duties, contact with authorities, threat intelligence, information security in project management, asset management, access control policies, supplier relationships, incident management, business continuity, and compliance.
People Controls (A.6), 8 Controls
People controls address the human element of information security: screening, terms and conditions of employment, security awareness and training, disciplinary processes, responsibilities after termination, confidentiality agreements, and remote working.
Physical Controls (A.7), 14 Controls
Physical controls address the protection of physical premises, equipment, and media: security perimeters, physical entry controls, securing offices and facilities, monitoring, protection against environmental threats, working in secure areas, clear desk/screen policies, equipment siting, utility support, cabling security, equipment maintenance, secure disposal, and off-premises equipment.
Technological Controls (A.8), 34 Controls
Technological controls address the technical security measures: user endpoint devices, privileged access rights, information access restriction, source code access, secure authentication, capacity management, protection against malware, vulnerability management, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, and network security.
The 2022 revision also introduced 11 entirely new controls that were not present in the 2013 edition:
| New Control | ID | Description |
|---|---|---|
| Threat intelligence | A.5.7 | Collecting and analysing threat intelligence relevant to the organisation |
| Information security for cloud services | A.5.23 | Managing security for cloud service acquisition, use, and exit |
| ICT readiness for business continuity | A.5.30 | Ensuring ICT supports business continuity requirements |
| Physical security monitoring | A.7.4 | Monitoring premises for unauthorised physical access |
| Configuration management | A.8.9 | Managing configurations of hardware, software, and networks |
| Information deletion | A.8.10 | Deleting information when no longer required |
| Data masking | A.8.11 | Masking data in accordance with policies and regulations |
| Data leakage prevention | A.8.12 | Preventing unauthorised disclosure of information |
| Monitoring activities | A.8.16 | Monitoring systems, networks, and applications for anomalous behaviour |
| Web filtering | A.8.23 | Filtering access to external websites to reduce exposure to malicious content |
| Secure coding | A.8.28 | Applying secure coding principles in software development |
Which Technical Controls Matter Most for Security Teams?
While all 93 controls contribute to a complete ISMS, security teams responsible for detection and response should pay particular attention to the following controls.
A.8.15: Logging
This control requires that logs recording activities, exceptions, faults, and other relevant events are produced, stored, protected, and analysed.
Implementation guidance:
- Define which events must be logged across all systems: authentication events (successful and failed), access to sensitive data, privilege changes, system configuration changes, and security-relevant application events
- Ensure log integrity: logs should be protected against tampering and unauthorised access. Write-once storage, or centralised log forwarding to a secured platform, prevents attackers from covering their tracks by editing or deleting the local copy
- Establish log retention periods aligned with your legal, regulatory, and operational requirements. DORA-regulated firms should retain incident-relevant logs for at least the duration needed to complete final incident reports
- Synchronise clocks across all systems to ensure log correlation accuracy (NTP configuration is critical)
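The integrity and clock-synchronisation points above can be made concrete with a hash-chained, append-only event log. The following is an added example written for this guide, not code from the article or from SenseOn: each record stores the SHA-256 of the previous record, every timestamp is written in UTC so entries from different hosts correlate, and the chain head is the value you would forward to write-once or centralised storage. The `GENESIS` anchor, the record layout and the sample events are all constructed for illustration.

```python
"""Tamper-evident, append-only event log using a SHA-256 hash chain (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # constructed fixed anchor for the first record


def _digest(prev_hash: str, record: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append_event(chain: List[Dict], event: Dict, ts: Optional[str] = None) -> Dict:
    """Append an event and return the stored entry (timestamp, event, link to previous, own hash)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    # UTC ISO 8601 timestamps: correlation across hosts assumes the hosts' clocks are NTP-synchronised.
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    record = {"ts": ts, "event": event, "prev": prev}
    entry = dict(record, hash=_digest(prev, record))
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict]) -> Tuple[bool, int]:
    """Return (ok, index): index is the first broken entry, or -1 when every link checks out."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        record = {k: entry[k] for k in ("ts", "event", "prev")}
        if entry["prev"] != prev or _digest(prev, record) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def demo() -> Dict:
    """Build a chain from constructed sample events, then try two kinds of tampering on copies."""
    chain: List[Dict] = []
    samples = [  # constructed sample events, not real telemetry
        ({"type": "auth", "user": "alice", "outcome": "success", "src": "10.0.0.5"}, "2024-01-01T09:00:00+00:00"),
        ({"type": "auth", "user": "alice", "outcome": "failure", "src": "10.0.0.5"}, "2024-01-01T09:01:00+00:00"),
        ({"type": "privilege", "user": "alice", "action": "sudo", "target": "root"}, "2024-01-01T09:02:00+00:00"),
    ]
    for ev, ts in samples:
        append_event(chain, ev, ts)
    head = chain[-1]["hash"]  # the value to forward to write-once / centralised storage
    intact, _ = verify_chain(chain)

    # Tampering 1: rewrite the failed login in place. The recomputed hash no longer matches.
    edited = json.loads(json.dumps(chain))
    edited[1]["event"]["outcome"] = "success"
    edited_ok, edited_idx = verify_chain(edited)

    # Tampering 2: delete the last record. The shortened chain is internally consistent,
    # so only comparison against the externally stored head reveals the deletion.
    truncated = chain[:-1]
    truncated_ok, _ = verify_chain(truncated)
    return {
        "intact": intact,
        "edited_ok": edited_ok,
        "edited_idx": edited_idx,
        "truncated_ok": truncated_ok,
        "truncated_head_matches": truncated[-1]["hash"] == head,
    }


if __name__ == "__main__":
    print(demo())
```

The second tampering case is the caveat worth noting: a hash chain detects edits and reordering, but truncation from the tail only shows up when the latest chain head has been copied somewhere the attacker cannot reach, which is exactly why the control asks for write-once or centralised storage rather than local integrity checks alone.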
A.8.16: Monitoring Activities
This control requires that networks, systems, and applications are monitored for anomalous behaviour and that appropriate actions are taken to evaluate potential information security incidents.
Implementation guidance:
- Deploy continuous monitoring across endpoints, networks, and cloud environments, not just perimeter monitoring
- Implement anomaly detection that goes beyond static thresholds. Behavioural baselining that learns normal patterns per user, per system, and per network segment reduces false positives while improving detection of genuine anomalies
- Monitor east-west (internal) network traffic, not just north-south (perimeter) traffic. Lateral movement, insider threats, and post-compromise activity occur within the network
- Establish clear escalation procedures for monitoring alerts, with defined response timeframes based on severity
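To show why the second bullet above asks for behavioural baselining rather than a static threshold, here is an added example (written for this guide, not code from the article or from SenseOn). It compares a single global "more than 30 failed logins per hour" rule against a per-user baseline built from each user's own history. The hourly counts for the two constructed users, the threshold value and the `k` multiplier are all assumptions chosen to illustrate the two failure modes: a noisy service account that trips the static rule every hour, and an ordinary user whose genuine spike stays below it.

```python
"""Per-user behavioural baseline versus a static threshold (added example)."""
import statistics
from typing import Dict, List

# Constructed sample: failed-login counts per hour over a 12-hour learning window, per user.
BASELINE_WINDOW: Dict[str, List[int]] = {
    "svc-backup": [40, 42, 38, 45, 41, 39, 44, 40, 43, 42, 38, 41],  # service account that retries constantly
    "j.smith": [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0, 0],                 # ordinary user, almost never fails
}
# Constructed observed hour to evaluate: routine for the service account, unusual for the user.
OBSERVED: Dict[str, int] = {"svc-backup": 46, "j.smith": 12}

STATIC_THRESHOLD = 30  # one-size-fits-all rule: alert when failures in an hour exceed this


def static_alerts(observed: Dict[str, int]) -> List[str]:
    """Users that a global threshold would flag, regardless of their normal behaviour."""
    return sorted(u for u, n in observed.items() if n > STATIC_THRESHOLD)


def baseline_alerts(window: Dict[str, List[int]], observed: Dict[str, int],
                    k: float = 3.0, min_std: float = 1.0) -> Dict[str, float]:
    """Users whose observed count exceeds mean + k * std of their own history, with the z-score."""
    alerts: Dict[str, float] = {}
    for user, count in observed.items():
        hist = window[user]
        mean = statistics.mean(hist)
        # Floor the standard deviation so a very quiet user does not alert on a single failure.
        std = max(statistics.pstdev(hist), min_std)
        z = (count - mean) / std
        if z > k:
            alerts[user] = round(z, 2)
    return alerts


if __name__ == "__main__":
    print("static rule fires on:", static_alerts(OBSERVED))
    print("baseline fires on:", baseline_alerts(BASELINE_WINDOW, OBSERVED))
```

With these inputs the static rule fires only on the service account (a false positive it will repeat every hour) and misses the user's spike; the per-user baseline does the reverse. The `min_std` floor is the detail that matters in practice: without it, a user with a near-zero history produces a huge z-score on one failed login.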
A.5.24: Information Security Incident Management Planning
This control requires that the organisation plan and prepare for managing information security incidents by defining, establishing, and communicating incident management processes and responsibilities.
Implementation guidance:
- Develop a formal incident response plan that defines roles, responsibilities, communication channels, and escalation procedures
- Define incident classification criteria (severity levels) with clear thresholds and examples
- Establish relationships with external parties (legal counsel, forensic investigators, law enforcement, regulatory contacts) before an incident occurs
- Conduct tabletop exercises at least twice per year to validate the plan and train response team members
A.5.25: Assessment and Decision on Information Security Events
This control requires that information security events are assessed and a decision is made on whether they should be classified as information security incidents.
Implementation guidance:
- Define triage criteria that security analysts use to assess events and determine whether they constitute incidents
- Implement a triage workflow that prioritises events based on potential impact, affected assets, and corroborating evidence
- Ensure analysts have access to sufficient context (asset inventory, user identity, business function criticality) to make informed classification decisions
- Document triage decisions, including the rationale for events that are assessed as non-incidents, for audit purposes
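The four bullets above describe one workflow: enrich, score, classify, and record the rationale. The following added example (written for this guide, not code from the article or from SenseOn) implements that workflow end to end. The asset inventory, identity directory, score weights and the 50-point incident threshold are all constructed assumptions; the point is that every decision, including "non-incident", comes out with the reasons attached, which is what an auditor will ask to see.

```python
"""Event triage with asset and identity enrichment and a recorded rationale (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed reference data standing in for a CMDB and an identity directory.
ASSETS = {
    "db-prod-01": {"criticality": "high", "function": "customer database"},
    "wks-0042": {"criticality": "low", "function": "staff workstation"},
}
IDENTITIES = {
    "dba_admin": {"privileged": True},
    "j.smith": {"privileged": False},
}

CRIT_SCORE = {"high": 40, "medium": 20, "low": 5}  # assumed weights
INCIDENT_THRESHOLD = 50                            # assumed classification threshold


@dataclass
class Event:
    host: str
    user: str
    source: str        # telemetry source, e.g. "edr", "ids", "auth"
    description: str


@dataclass
class TriageDecision:
    host: str
    score: int
    classification: str
    rationale: List[str] = field(default_factory=list)


def triage(events: List[Event]) -> Dict[str, TriageDecision]:
    """Group events by host, score impact + identity + corroboration, and record why."""
    by_host: Dict[str, List[Event]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)

    decisions: Dict[str, TriageDecision] = {}
    for host, evs in by_host.items():
        rationale: List[str] = []

        # Impact: unknown hosts default to medium so a gap in the inventory cannot silently downgrade them.
        asset = ASSETS.get(host, {"criticality": "medium", "function": "not in inventory"})
        score = CRIT_SCORE[asset["criticality"]]
        rationale.append(f"asset criticality {asset['criticality']} ({asset['function']}): +{score}")

        # Identity: any privileged account among the events raises the stakes.
        if any(IDENTITIES.get(e.user, {}).get("privileged") for e in evs):
            score += 25
            rationale.append("privileged identity involved: +25")

        # Corroboration: independent sources reporting the same host within the window.
        sources = {e.source for e in evs}
        corroboration = 15 * (len(sources) - 1)
        score += corroboration
        if corroboration:
            rationale.append(f"corroborated by {len(sources)} independent sources: +{corroboration}")
        else:
            rationale.append("single source only, no corroboration: +0")

        classification = "incident" if score >= INCIDENT_THRESHOLD else "non-incident"
        rationale.append(f"score {score} vs threshold {INCIDENT_THRESHOLD}: {classification}")
        decisions[host] = TriageDecision(host, score, classification, rationale)
    return decisions


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    Event("db-prod-01", "dba_admin", "auth", "interactive login outside business hours"),
    Event("db-prod-01", "dba_admin", "edr", "new scheduled task created"),
    Event("wks-0042", "j.smith", "ids", "connection to newly registered domain"),
]


if __name__ == "__main__":
    for d in triage(SAMPLE_EVENTS).values():
        print(d.host, d.classification, d.score)
        for line in d.rationale:
            print("  -", line)
```

The non-incident record for the workstation is deliberately as detailed as the incident record for the database host; the last bullet of the control is about being able to show, months later, why an event was closed without escalation.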
A.5.26: Response to Information Security Incidents
This control requires that information security incidents are responded to in accordance with documented procedures.
Implementation guidance:
- Define response procedures for common incident types: malware infection, compromised credentials, data exfiltration, ransomware, and denial of service
- Implement containment capabilities that allow rapid isolation of affected systems without requiring physical access
- Ensure forensic evidence preservation: response procedures should include steps to capture volatile data (memory, running processes) before containment actions that may destroy evidence
- Document all response actions in an incident log with timestamps for post-incident review and audit
A.8.7: Protection Against Malware
This control requires the implementation of protection against malware, combined with appropriate user awareness.
Implementation guidance:
- Deploy endpoint protection that includes behavioural detection, not just signature-based scanning. Modern malware increasingly uses fileless techniques, living-off-the-land binaries, and polymorphic code that evade signature detection
- Implement multi-layered malware protection: email gateway scanning, endpoint detection, network-level inspection, and web filtering
- Ensure protection extends to all endpoint types, including servers, workstations, and remote devices
- Conduct regular testing to validate that malware protection detects and blocks current threats
A.8.20: Network Security
This control requires that networks and network devices are secured, managed, and controlled to protect information in systems and applications.
Implementation guidance:
- Implement network segmentation to limit the blast radius of security incidents
- Deploy network monitoring that provides visibility into both north-south and east-west traffic patterns
- Maintain an inventory of all network devices and ensure they are securely configured
- Implement firewall rules based on the principle of least privilege: deny by default, allow by exception
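The last bullet above is easy to state and easy to get wrong in a ruleset that has grown over years. Here is an added example (written for this guide, not code from the article or from SenseOn) that reviews a rule list for the three things a least-privilege check looks for first: no default deny at the end, allow rules that are broader than they need to be, and rules that are never reached because an earlier rule already matches everything they would. The rule representation is a simplified, hypothetical one (action, source CIDR, destination CIDR, destination port), not any vendor's syntax, and the two rulesets are constructed.

```python
"""Least-privilege review of a firewall rule list (added example)."""
import ipaddress
from typing import List, NamedTuple, Optional

ANY = "0.0.0.0/0"


class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src: str              # source CIDR, ANY for any address
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None for any port
    comment: str = ""


def _covers(a: Rule, b: Rule) -> bool:
    """True if rule a matches every packet that rule b would match (first match wins)."""
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    port_ok = a.dport is None or a.dport == b.dport
    return src_ok and dst_ok and port_ok


def lint(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the ruleset passed the checks."""
    findings: List[str] = []
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or last.src != ANY or last.dst != ANY or last.dport is not None:
        findings.append("no default-deny rule at the end of the ruleset")

    for i, r in enumerate(rules):
        if r.action == "allow":
            broad = []
            if r.src == ANY:
                broad.append("any source")
            if r.dst == ANY:
                broad.append("any destination")
            if r.dport is None:
                broad.append("any port")
            if broad:
                findings.append(f"rule {i}: allow rule is broad ({', '.join(broad)}): {r.comment}")
        # Shadowing: an earlier rule that covers this one makes it dead, whatever its action.
        for j in range(i):
            if _covers(rules[j], r):
                findings.append(f"rule {i}: shadowed by rule {j} ({rules[j].comment or 'no comment'})")
                break
    return findings


WEAK = [  # constructed: a "just make it work" ruleset
    Rule("allow", "10.0.0.0/8", ANY, None, "internal to anywhere"),
    Rule("allow", "10.10.0.0/16", "10.20.0.5/32", 5432, "app tier to db"),
    Rule("allow", ANY, "10.20.0.5/32", 22, "ssh to db"),
]
HARDENED = [  # constructed: the same intent, expressed as deny-by-default, allow-by-exception
    Rule("allow", "10.10.0.0/16", "10.20.0.5/32", 5432, "app tier to db"),
    Rule("allow", "10.30.0.0/24", "10.20.0.5/32", 22, "jump host to db"),
    Rule("deny", ANY, ANY, None, "default deny"),
]


if __name__ == "__main__":
    for name, ruleset in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint(ruleset) or ["no findings"])
```

The shadowing finding is the one that most often surprises people: the carefully scoped "app tier to db" rule in the weak set does nothing, because the "internal to anywhere" rule above it already allows that traffic and far more. Segmentation only limits blast radius when the narrow rules are the ones actually being matched.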
A.8.28: Secure Coding
This control requires that secure coding principles are applied in software development.
Implementation guidance (for software development organisations):
- Establish secure coding standards aligned with OWASP guidelines
- Implement static application security testing (SAST) and dynamic application security testing (DAST) in the development pipeline
- Conduct code reviews with a security focus for changes to security-sensitive components
- Provide secure coding training to developers, covering common vulnerability classes relevant to your technology stack
What Does the Certification Process Look Like?
ISO 27001 certification follows a structured process that typically takes 6 to 18 months, depending on the organisation's existing security maturity.
Step 1: Gap Analysis
Conduct an assessment of your current security posture against ISO 27001 requirements. Identify which controls are already in place, which need improvement, and which are entirely missing. The gap analysis produces a prioritised remediation plan.
Step 2: Risk Assessment
ISO 27001 is risk-driven at its core. Conduct a formal risk assessment that identifies information security risks, evaluates their likelihood and impact, and determines appropriate risk treatment (mitigate, accept, transfer, or avoid). The risk assessment directly informs which Annex A controls you select.
Step 3: Implement Controls
Implement the controls identified through the risk assessment process. This includes deploying technical controls, establishing policies and procedures, conducting training, and implementing monitoring capabilities. Document the Statement of Applicability (SoA): a critical document that lists all 93 controls, states which are applicable, and justifies any exclusions.
Step 4: Internal Audit
Before the external certification audit, conduct an internal audit of the ISMS. The internal audit verifies that controls are implemented and operating effectively, and it identifies any remaining gaps that must be addressed before the certification audit.
Step 5: Stage 1 Audit (Documentation Review)
The certification body conducts a Stage 1 audit focused on reviewing ISMS documentation: policies, procedures, risk assessment, SoA, and internal audit results. The auditor assesses whether the ISMS is sufficiently developed to proceed to the Stage 2 audit and identifies any documentation gaps.
Step 6: Stage 2 Audit (Implementation Audit)
The Stage 2 audit is the main certification assessment. Auditors visit the organisation (or conduct remote assessments) and evaluate whether the ISMS is effectively implemented and maintained. They interview staff, review evidence of control operation, and test the effectiveness of security measures. Nonconformities identified during the audit must be addressed; major nonconformities must be resolved before certification is granted.
Step 7: Certification
If the Stage 2 audit is successful, the certification body issues the ISO 27001 certificate. Certification is valid for three years.
Step 8: Surveillance Audits
During the three-year certification cycle, the certification body conducts surveillance audits (typically annually) to verify continued compliance. Surveillance audits are less thorough than the initial certification audit but cover a sample of controls and any areas of concern.
What Are the Common ISO 27001 Implementation Challenges?
Resource Intensity
ISO 27001 implementation is a significant undertaking. Organisations need dedicated project management, security expertise, and engagement from every department. Mid-market companies frequently underestimate the effort required, particularly for documentation, risk assessment, and control implementation.
Evidence Collection Burden
Auditors require evidence that controls are not only implemented but operating effectively. Collecting and organising this evidence (monitoring logs, incident records, access reviews, training records, test results) is time-consuming. Organisations that rely on manual evidence collection often find that audit preparation consumes weeks of effort.
Maintaining Compliance Between Audits
The certification cycle runs for three years with annual surveillance audits, but compliance is an ongoing obligation. Organisations that treat certification as a point-in-time exercise, scrambling to prepare before each audit, find themselves constantly playing catch-up. Continuous compliance requires embedded processes, not periodic sprints.
Scope Creep
Defining the ISMS scope is a critical early decision. Too narrow a scope may not cover key business risks. Too broad a scope increases implementation effort and audit costs. Many organisations struggle to define a scope that is both meaningful and manageable, and scope changes mid-project can cause significant delays.
Integration with Existing Frameworks
Organisations that already comply with other frameworks (Cyber Essentials Plus, SOC 2, DORA, NIS2) need to integrate ISO 27001 without duplicating effort. Mapping controls across frameworks and establishing unified compliance processes requires careful planning.
How Does SenseOn Map to ISO 27001 Controls?
SenseOn's unified detection platform directly supports the implementation and ongoing operation of several key ISO 27001:2022 controls.
| ISO 27001:2022 Control | SenseOn Capability |
|---|---|
| A.5.7: Threat intelligence | SenseOn's cross-domain correlation incorporates threat intelligence into detection models, correlating external indicators with internal telemetry to identify active threats |
| A.5.24: Incident management planning | The platform provides structured incident workflows, automated evidence collection, and audit-ready incident documentation |
| A.5.25: Assessment and decision on events | SenseOn's correlation engine automatically enriches events with asset context, user identity, and historical behaviour to support rapid triage and classification |
| A.5.26: Response to incidents | One-click endpoint isolation, automated response actions, and integrated investigation tools support rapid, documented incident response |
| A.8.7: Protection against malware | Endpoint protection with behavioural detection, achieving 0 false positives in AV-Comparatives testing, covering both signature-based and behavioural malware detection |
| A.8.15: Logging | Full telemetry collection across endpoints, networks, and cloud environments; the Flexible Intelligence Credit model means no log sources are excluded due to cost constraints |
| A.8.16: Monitoring activities | Continuous monitoring with behavioural baselining and anomaly detection across all telemetry sources, covering east-west traffic, user behaviour, and system activity |
| A.8.20: Network security | Network traffic monitoring and analysis from the endpoint agent, providing visibility into internal traffic patterns without requiring dedicated network appliances |
| A.8.12: Data leakage prevention | Monitoring of file operations, network transfers, and removable media usage to detect potential data exfiltration |
The Flexible Intelligence Credit (FIC) pricing model is particularly relevant for ISO 27001 compliance. Control A.8.15 (Logging) requires full event logging, and control A.8.16 (Monitoring) requires continuous anomaly detection. Organisations using SIEM-based approaches with per-GB pricing often face a direct conflict between these controls and their budget constraints. They cannot afford to log and monitor everything. SenseOn eliminates this conflict because credits are consumed by security outcomes (detection, investigation, compliance retention), not by the volume of telemetry ingested.
For organisations pursuing ISO 27001 alongside regulatory compliance, SenseOn provides a single platform that maps to both ISO 27001 technical controls and regulatory requirements under frameworks such as DORA and NIS2.
Frequently Asked Questions
How many controls are in ISO 27001:2022?
ISO 27001:2022 contains 93 controls organised into four themes: Organisational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). This is a reduction from the 114 controls in 14 domains in the 2013 edition. The restructuring consolidates related controls and introduces 11 new controls addressing topics such as threat intelligence, cloud security, data masking, and secure coding.
How long does ISO 27001 certification take?
For most mid-market organisations, ISO 27001 certification takes 6 to 18 months from project initiation to successful Stage 2 audit. The timeline depends on the maturity of existing security practices, the scope of the ISMS, and the resources allocated to the project. Organisations that already have structured security programmes can move faster, while those building from scratch typically need 12 to 18 months.
Is ISO 27001 mandatory?
ISO 27001 certification is voluntary: no regulation mandates it directly. However, it is increasingly a de facto requirement. Many enterprise procurement processes require ISO 27001 from suppliers, particularly SaaS vendors handling sensitive data. Government contracts frequently list it as a prerequisite. And for organisations subject to DORA, NIS2, or UK GDPR, ISO 27001 provides a framework that demonstrates compliance with regulatory expectations.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the certifiable standard that defines the requirements for an ISMS. ISO 27002 is the companion guidance document that provides detailed implementation advice for each Annex A control. You certify against ISO 27001, not ISO 27002. ISO 27002 is a reference guide that helps you understand how to implement controls effectively.
Do we need to implement all 93 ISO 27001 controls?
No. ISO 27001 requires a risk assessment to determine which controls are appropriate for your organisation. The Statement of Applicability documents which controls are selected and justifies exclusions. Auditors will scrutinise exclusions to ensure they are risk-based and defensible. In practice, most organisations implement the majority of controls but may exclude a small number that are not applicable to their context.