This blog post will cover the fundamentals of ISO 27001. In short, ISO 27001 is a global standard used to create, maintain, and improve what the ISO (International Organization for Standardization) refers to as the ISMS (Information Security Management System).
Introduction

The latest version of ISO 27001 is the 2022 version, so it can also be referred to as ISO 27001:2022. The standard was initially introduced in 2005, updated in 2013, and updated again in 2022, which as of March 2026 remains the current version. The standard’s goal is to manage information security by preserving the CIA (Confidentiality, Integrity, Availability) triad. Compared to earlier versions, the 2022 update places more emphasis on data masking, physical security monitoring, and threat intelligence.
The ISMS is a comprehensive framework of policies and procedures that evaluates the organization’s cybersecurity readiness. Auditors should not only look at what an organization’s ISMS says. They should also require evidence that the organization is actually improving the ISMS over time. The ISMS needs to take into consideration the following components: people, process, and technology.
Not checking all of these components is a common mistake among junior GRC professionals. They commonly look only at technology, such as whether a SIEM (Security Information and Event Management) is installed. But they should also check which logs are ingested into the SIEM, the types of alerts the SIEM generates, whether these alerts have been tuned to reduce the number of false positives, and whether there are people who actually monitor the SIEM and investigate its alerts.
Framework Benefits
As mentioned in previous posts on this blog, organizations use frameworks because they provide a comprehensive overview of information security and ensure critical controls haven’t been forgotten.
Because of how comprehensive these frameworks are, organizations may not need to implement all of the listed controls. For instance, there doesn’t need to be protection for physical hardware if the company is fully cloud-based. But if an organization doesn’t use a control, it needs documented justification for why it doesn’t. For ISO 27001 in particular, these controls come in the form of 93 Annex A controls.
ISO also offers the ISO 27001 certification, which organizations can obtain if they meet the ISO 27001 requirements. This certification can be used to provide stakeholders and customers assurance that the information in their application is secure, serving as a strong competitive advantage. There are 2 stages of certification: Stage 1 (which assesses documentation readiness) and Stage 2 (which verifies the effective implementation of the ISMS). The ISO 27001 certification is valid for 3 years. In addition, annual surveillance audits take place during the certification period.
Normative vs. Informative
One aspect of ISO documentation that may stand out as peculiar is the use of the terms normative and informative. Simply put:
- Normative refers to mandatory requirements that must be implemented to achieve ISO 27001 certification
- Informative refers to non-mandatory guidance or supplemental context
These are important terms to know especially since they appear frequently in ISO 27001 documentation.
Clauses
ISO 27001 has 11 clauses, numbered from 0 to 10. Clauses 0 to 3 are informative clauses, which provide foundational information about the standard.
- Clause 0 describes the ISO 27001 framework, why it is used, and the fact that an ISMS must be implemented and maintained
- Clause 1 describes the scope of the standard, stating that any organization can use this framework
- Clause 2 says there is a standard called ISO 27000 which is the primary reference for terms, definitions, and ISMS concepts
- Clause 3 establishes key definitions to ensure consistency across the standard

Clauses 4 to 10 are mandatory clauses. The requirements for each of these clauses must be satisfied if an organization wants to be ISO 27001 certified. These clauses follow what is known as the Plan-Do-Check-Act (PDCA) cycle. To help executives visualize this as a business process, these clauses map to the following phases: Clauses 4, 5, and 6 fall under the Plan phase, 7 and 8 fall under the Do phase, 9 falls under the Check phase, and 10 falls under the Act phase.
- Clause 4 is about understanding the context of the organization. What must be done to satisfy this clause includes identifying internal and external issues, identifying key stakeholders, and identifying the scope of the ISMS. The scope is important and can range from a single application the organization has created to the entire organization.
- Clause 5 is about leadership. In short, top management must endorse and improve the ISMS. After all, if top management are not on board with implementing a standard, it cannot be implemented. What must be done to satisfy this clause includes appointing someone from top management to oversee the implementation of the ISMS, creating a clear information security policy that is aligned to business objectives, and clearly defining the roles and responsibilities of information security.
- Clause 6 is about planning. This is where the organization must plan for risks and assessments. What must be done to satisfy this clause is to first conduct a comprehensive risk assessment (which can be qualitative or quantitative, though quantitative is the industry-preferred method as it is more objective) to identify risks, threats, and vulnerabilities within the scope of the ISMS, to then develop a risk treatment plan (which is not just about fixing risks but also about deciding what risks the business is willing to accept), and to then define information security objectives that align with the organization’s mission.
- Clause 7 is about support. This clause simply says that the ISMS should have sufficient support within the organization to operate effectively. What must be done to satisfy this clause includes ensuring that the staff involved within the scope of the ISMS have the skills and awareness necessary to manage the security risks identified, that there is sufficient ISMS documentation, and that the ISMS processes are clearly and effectively communicated.
- Clause 8 is about operation. This clause requires the organization to actually implement the ISMS plan, not just document it. Auditors don’t just want to see that the organization has all of this documentation. They want evidence that the organization follows its documented processes.
- Clause 9 is about performance evaluation. This clause says that the performance of the ISMS should be constantly monitored and improved. To satisfy this clause, organizations should conduct regular internal audits, get senior management to evaluate the progress, and use key performance indicators.
- Clause 10 is about improvement. This means organizations must continuously improve their ISMS through corrective action. This involves implementing improvements based on audit findings, security incidents, or discovery of nonconformities (something mandatory for ISO 27001 the organization is not doing yet, such as no evidence of risk treatment). In short, it is not enough to just identify problems; they must also be fixed. Major nonconformities prevent certification while minor nonconformities require a corrective action plan.
Note that the explanations for the mandatory clauses above are a brief overview of the clauses. What is done in-depth to satisfy the requirements of each clause is outside the scope of this blog post.
In the real world, GRC professionals create the documentation that proves to auditors that the requirements for each clause are satisfied. For example, a GRC professional would create a document called ISMS Scope for Clause 4 and documents for the Information Security Policy and ISMS Roles and Responsibilities for Clause 5. Also, in practice, the requirements for the clauses are usually completed in order. For instance, a risk assessment cannot be conducted if the scope is not known, and the ISMS plan cannot be executed until it is created. Finally, GRC professionals should not try to memorize these clauses to learn them. Instead, they should understand what each clause does, and then, when they need to use the ISO 27001 framework, they can look up the clauses and go over them.
Statement of Applicability

As part of Clause 6, organizations must select Annex A controls. They must justify any controls they don’t select. This is done through a document called the Statement of Applicability, which contains the list of controls the organization selected and a justification for the ones it didn’t select. The Statement of Applicability can be thought of as the Executive Summary of an organization’s security posture. It is the first document a partner, customer, or auditor will ask to see to verify compliance.
There are a total of 93 Annex A controls in the 2022 update categorized into:
- organizational controls – focusing on governance and policies affecting the organization
- people controls – used to ensure staff are fully aware of security
- physical controls – used to protect physical assets
- technological controls – which are digital and technical security measures to protect systems, networks, and data
Note that this list of controls in its official form is not free; it must be paid for. However, it is worth checking for read-only versions that are sometimes available through national standard bodies. While ISO 27001 dictates what must be done, the Annex A controls are listed in ISO 27002, which is the how-to guide on implementing these controls.
Types of Auditors

There are four different types of auditors in the context of ISO 27001:
- Internal Auditors: personnel auditing the organization to ensure the ISMS is operating as intended and remains compliant with ISO 27001 (required by Clause 9)
- External Auditors: an individual outside an organization auditing it for something specific (such as a GRC professional auditing a third-party vendor)
- Third Party Auditors: an accredited external auditor who conducts formal audits to assess if the ISMS is meeting ISO 27001 requirements (these auditors ultimately give the ISO 27001 certification to an organization)
- Lead Auditor: a qualified auditor who leads a team of auditors during a formal ISO 27001 audit (required for a certification audit) and holds the ultimate responsibility for the audit’s conclusions
Conducting an Audit
When conducting an ISO 27001 audit, best practice dictates following a structured approach:
- Define the audit scope (what parts of the ISMS will be audited) and audit objectives.
- Create a detailed audit plan that includes the dates and schedule, individuals involved, and the access needed.
- Create the audit checklist aligned with the ISO 27001 mandatory clauses, the Statement of Applicability, and the organization’s own policies.
- Conduct an opening meeting with the individuals involved to set all the ground rules to encourage open communication.
- Perform the audit activities by interviewing individuals, reviewing policies, and observing activities. Focus on collecting objective evidence, not assumptions or claims.
- For each audit activity, determine whether requirements are met or not. Even if a requirement is met for ISO 27001 purposes, note opportunities for improvement.
- Conduct a closing meeting with the same individuals to summarize the findings and discuss nonconformities and opportunities for improvement.
- Afterwards, create an audit report containing the audit scope, objectives, findings, and nonconformities and recommendations. This should be discussed with top management.
- If nonconformities were found, create a correction plan where the nonconformities get corrected and evidence is given that corrective actions were done.
Notes
There are two additional things to know regarding the ISO 27001 certification:
- Not every organization needs to have an ISO 27001 certification. For example, if an organization is new or has many cybersecurity problems (like not implementing two-factor authentication or not having a SIEM), it should focus on fixing these problems instead of aiming for an ISO 27001 certification.
- Not all ISO 27001 certifications are made equal. If the auditor is inexperienced, an organization could get certified despite having tons of gaps. This is reflected in ads that guarantee ISO 27001 certification in a short time period. To avoid this scenario, stick to brands that are globally trusted like SAI Global.
Conclusion
This blog post provided a high-level overview of the ISO 27001 certification. GRC professionals who understand the content of this blog post and have worked through the entire process of building an ISMS at least once could try to become an ISO 27001 Certified Lead Auditor or leverage these skills to secure an entry-level GRC role.
Finally, ISO is not the only major framework that cybersecurity GRC professionals need to know. Other frameworks to look at include NIST CSF and SOC 2. But by nature, frameworks are similar, so understanding one framework makes it much easier to understand the rest. And as a reminder, do not try to memorize anything in these frameworks: they can always be looked up when they are used.