
ISO/IEC 27001

The globally recognized standard for Information Security Management Systems (ISMS). Available on the Premium plan.

The world's most recognized information security standard

ISO/IEC 27001 is an international standard for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). It specifies requirements for assessing and treating information security risks and provides a framework of 93 controls in Annex A.

ISO 27001 certification is awarded by accredited certification bodies after a two-stage audit. It requires annual surveillance audits and full re-certification every three years.

Unicis supports both ISO/IEC 27001:2013 (114 controls in 14 domains) and ISO/IEC 27001:2022 (93 controls in 4 themes), the current version. Organizations certified to 27001:2013 must transition by 31 October 2025; 2013 certificates are no longer valid after that date.

ISO/IEC 27001:2022

Current version. 93 controls across 4 themes (Organizational, People, Physical, Technological). Mandatory transition from 2013 by October 2025.

Three-year certification cycle

Initial certification audit → annual surveillance audits → re-certification every three years. Continuous evidence collection required.

Any industry, any size

ISO 27001 is industry-agnostic and scales from 5-person startups to global enterprises. Scope can be limited to reduce initial certification effort, but the certificate only covers what the scope statement names, and customers and auditors will check that the systems they care about are inside it.

Why organizations pursue ISO 27001 certification

Win enterprise deals

ISO 27001 certification is the most widely recognized security credential globally. Many enterprise procurement teams treat it as a minimum requirement for vendors handling sensitive data.

Globally recognized standard

Unlike SOC 2, which is primarily a US market expectation, ISO 27001 is recognized by enterprise customers, regulators, and partners worldwide, including in the EU, UK, Germany, Japan, and Australia.

Can reduce cyber insurance costs

Certified organizations often report better cyber insurance terms. ISO 27001 gives insurers evidence of structured, documented risk management, which they can price in; it does not guarantee a lower premium on its own.

Supports GDPR and NIS2 compliance

ISO 27001 controls overlap significantly with GDPR Article 32 (security of processing) and NIS2 Article 21 (cybersecurity risk-management measures). EU companies with ISO 27001 already have much of the technical foundation for both regulations, though neither is satisfied by certification alone: GDPR adds data-protection obligations beyond security, and NIS2 adds incident reporting and supply chain duties.

93 controls across 4 control themes

ISO 27001:2022 restructured the Annex A controls from 14 domains (2013) into 4 themes, numbered A.5 to A.8 (mirroring ISO/IEC 27002:2022 clauses 5 to 8). These are not the same as the standard's own clauses 5 to 8 (Leadership, Planning, Support, Operation), which set the ISMS requirements. Unicis tracks all 93 controls with automated GAP analysis and maturity scoring.

Annex A.5 · Organizational controls (37)
  • Information security policies
  • Roles and responsibilities
  • Supplier relationships
  • Information security incident management

Annex A.6 · People controls (8)
  • Screening
  • Terms of employment
  • Security awareness training
  • Remote working

Annex A.7 · Physical controls (14)
  • Physical security perimeters
  • Clear desk and clear screen
  • Equipment security
  • Secure disposal

Annex A.8 · Technological controls (34)
  • Access control
  • Cryptography
  • Network security
  • Secure development lifecycle

The 6-phase path to ISO 27001 certification

Many organizations achieve ISO 27001 certification in roughly 6–9 months, depending on scope and existing security maturity. Automation significantly reduces preparation and evidence-collection time.

Phase 1 · Weeks 1–4

Scope & gap analysis

Define your ISMS scope. Run an automated GAP analysis across all 93 ISO 27001:2022 controls. Identify your starting point.

Phase 2 · Weeks 4–8

Risk assessment

Identify information assets, assess threats and vulnerabilities, and score risks against documented risk acceptance criteria, typically with a likelihood × impact methodology (the standard requires a repeatable method with defined criteria, not a specific formula). Decide a treatment option for each risk (modify, retain, avoid, or share) and produce a formal Risk Treatment Plan.

Phase 3 · Months 2–5

Control implementation

Implement the Annex A controls selected by the risk treatment plan and record every control as applicable or excluded, with justification, in the Statement of Applicability (SoA). Write policies, technical controls, and procedures. Collect implementation evidence continuously.

Phase 4 · Months 5–6

Internal audit & management review

Conduct an internal audit against the ISMS requirements (clauses 4–10) and the Annex A controls declared applicable in the SoA. Present findings to management and document the management review, including decisions on resources and improvement actions.

Phase 5 · Months 6–9

Stage 1 & Stage 2 audit

Stage 1: documentation and readiness review by the certification body. Stage 2: evidence audit and site visit that tests whether the ISMS operates as documented. Major nonconformities must be closed before the certificate is issued; minor ones need an accepted corrective action plan.

Phase 6 · Ongoing

Maintain & improve

Annual surveillance audits. Continuous control monitoring. Re-certification every three years. Automate with Unicis to reduce ongoing maintenance effort.
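The risk assessment and control implementation steps (phases 2 and 3) as a worked example, added here and not code from Unicis or from the standard: a small risk register scored with likelihood × impact, a risk acceptance threshold, the resulting risk treatment plan, and the set of Annex A controls that plan justifies in the Statement of Applicability. The 1–5 scales, the thresholds, the sample register and the Annex A control mappings are the author's assumptions, constructed for illustration.

```python
"""Worked risk assessment for phases 2 and 3: a small risk register scored
with likelihood x impact, a risk acceptance threshold, a risk treatment plan,
and the Annex A controls that plan pulls into the Statement of Applicability.
Added example, not Unicis code. The scales, thresholds, sample register and
Annex A control mappings are the author's assumptions, constructed for
illustration."""
from dataclasses import dataclass

# 1..5 ordinal scales for both likelihood and impact (assumed scale).
LEVELS = range(1, 6)
# Risk acceptance criterion (assumed): a score at or above this needs treatment.
RISK_ACCEPTANCE_THRESHOLD = 8
HIGH_THRESHOLD = 15


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    # Annex A (ISO/IEC 27001:2022) controls proposed to treat the risk.
    annex_a_controls: tuple = ()

    def __post_init__(self):
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"likelihood and impact must be in 1..5: {self}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        if self.score >= HIGH_THRESHOLD:
            return "high"
        if self.score >= RISK_ACCEPTANCE_THRESHOLD:
            return "medium"
        return "low"


def treatment_option(risk: Risk) -> str:
    """Map a scored risk to a treatment option. Risks below the acceptance
    threshold are retained (accepted); the rest are modified with controls.
    Avoiding or sharing the risk are also valid options, not modelled here."""
    return "retain" if risk.score < RISK_ACCEPTANCE_THRESHOLD else "modify"


def risk_treatment_plan(register):
    """Risks needing treatment, highest score first, with their controls."""
    to_treat = [r for r in register if treatment_option(r) == "modify"]
    to_treat.sort(key=lambda r: r.score, reverse=True)
    return [
        {"asset": r.asset, "threat": r.threat, "score": r.score,
         "rating": r.rating, "controls": list(r.annex_a_controls)}
        for r in to_treat
    ]


def controls_for_soa(register):
    """Set of Annex A controls the treatment plan justifies as applicable."""
    return {c for entry in risk_treatment_plan(register) for c in entry["controls"]}


def residual_score(risk: Risk, likelihood_after: int, impact_after: int) -> int:
    """Re-score after treatment; a residual risk still at or above the
    acceptance threshold is an incomplete treatment and is rejected rather
    than silently recorded as treated."""
    residual = Risk(risk.asset, risk.threat, risk.vulnerability,
                    likelihood_after, impact_after, risk.annex_a_controls)
    if residual.score >= RISK_ACCEPTANCE_THRESHOLD:
        raise ValueError(f"residual risk {residual.score} still above acceptance threshold")
    return residual.score


# Constructed sample register (not real data).
SAMPLE_REGISTER = (
    Risk("Customer database", "Credential theft", "Shared admin accounts without MFA",
         4, 5, ("A.8.2", "A.8.5")),
    Risk("Staff laptops", "Device theft", "Disk not encrypted",
         3, 4, ("A.7.9", "A.8.24")),
    Risk("Office printer", "Misuse", "No print job logging", 2, 2),
    Risk("Source repository", "Malicious commit", "No branch protection or review",
         2, 4, ("A.8.25", "A.8.32")),
)

if __name__ == "__main__":
    for entry in risk_treatment_plan(SAMPLE_REGISTER):
        print(entry)
    print("Annex A controls for the SoA:", sorted(controls_for_soa(SAMPLE_REGISTER)))
```

The fourth sample risk sits exactly on the acceptance threshold, which is the case a register most often gets wrong; here it is treated, not retained. Whatever threshold and scales you choose, write them into the risk assessment methodology document, since the Stage 2 auditor will check that every retained risk was accepted against the criteria you published, not against the auditor's own.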

Which standard do you need?

Most B2B SaaS companies end up needing both. Unicis supports both — map controls once, get coverage credit in both frameworks.

Criteria                 | ISO 27001                     | SOC 2
Geographic recognition   | Global                        | Primarily US
Certification type       | Third-party certificate       | Auditor's attestation report
Control specificity      | 93 explicit controls (2022)   | Principles-based criteria
EU regulatory alignment  | Strong (GDPR, NIS2)           | Limited
SME feasibility          | Yes (scalable scope)          | Yes (scalable scope)
Unicis support           | Premium plan                  | Ultimate plan

Learn about SOC 2 on Unicis →

ISO 27001 across industries

ISO 27001 is applicable to all industries. It is particularly common in technology, finance, healthcare, government, manufacturing, and any sector where customers, partners, or regulators require demonstrable information security management.

B2B SaaS, Financial Services, Healthcare, Government, Manufacturing, Legal, Cloud Services, Consulting

Multi-Framework Support

11 Compliance Frameworks Supported

From the minimum viable security baseline to enterprise-grade standards — coverage for every compliance requirement.


Start your ISO 27001 journey with Unicis

Automated GAP analysis, risk management, evidence collection, and audit reporting — all aligned to ISO/IEC 27001:2022. Start with MVSP on the free Community plan, then upgrade to Premium for full ISO 27001 support.