# ISO 27001
## Definition
ISO/IEC 27001 is the international standard for information security management systems (ISMS). Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS in the context of the organization's overall business risks. The current edition is ISO/IEC 27001:2022 (amended in 2024 to add climate change as a consideration under Clause 4), which replaced the 2013 edition.
ISO 27001 is the most widely recognized information security certification globally. Organizations achieve certification through an independent third-party audit that verifies the ISMS meets the standard's requirements. Certification demonstrates to customers, partners, regulators, and insurers that the organization has a systematic approach to managing information security risk.
The standard operates at two levels. The main body (Clauses 4 through 10) defines the management system requirements: organizational context, leadership commitment, planning, support, operation, performance evaluation, and improvement. Annex A provides a reference set of 93 information security controls (reorganized from 114 in the 2013 edition) grouped into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls).
ISO 27001 does not prescribe how to implement controls. It specifies that the organization must assess its risks, select appropriate controls (from Annex A or other sources), implement them, monitor their effectiveness, and improve continuously. The how is determined by the organization's context, risk profile, and operational environment.
## How It Works
### The ISMS Lifecycle
ISO 27001 structures the ISMS around a Plan-Do-Check-Act (PDCA) cycle. The 2022 edition, like the 2013 edition before it, no longer names PDCA explicitly, but Clauses 4 through 10 still map onto its four phases:
Plan. Establish the ISMS scope, policy, risk assessment methodology, and control selection. Identify the risks to information assets, assess their likelihood and impact, determine acceptable risk levels, and select controls to treat unacceptable risks. Compare the selected controls against Annex A to confirm that no necessary control has been overlooked (Clause 6.1.3 c), then document the Statement of Applicability (SoA), which lists every Annex A control, states whether it is applicable and whether it is implemented, and justifies both inclusions and exclusions (Clause 6.1.3 d).
Do. Implement the selected controls and the processes to manage them. Deploy technical controls (encryption, access management, monitoring). Establish operational processes (incident response, change management, supplier management). Conduct security awareness training. Document everything: policies, procedures, evidence of implementation, and operational records.
Check. Monitor and measure the ISMS performance. Conduct internal audits to verify controls are operating effectively. Perform management reviews where senior leadership evaluates the ISMS's suitability, adequacy, and effectiveness. Measure key performance indicators (KPIs) that track control effectiveness and risk treatment progress.
Act. Address nonconformities identified during audits and reviews. Implement corrective actions. Drive continual improvement based on monitoring data, audit findings, incident trends, and changing risk conditions. The cycle repeats: each iteration improves the ISMS.
### Certification Process
ISO 27001 certification involves two audit stages conducted by an accredited certification body:
Stage 1 (documentation review). The auditor reviews the ISMS documentation: scope, policies, risk assessment, Statement of Applicability, procedures, and evidence of management commitment. Stage 1 identifies gaps that must be resolved before Stage 2. It is a readiness check, not a pass/fail assessment.
Stage 2 (implementation audit). The auditor verifies that the documented ISMS is implemented and operating effectively. This involves interviewing staff, examining evidence of control operation, testing controls, and verifying that the PDCA cycle is functioning. Stage 2 produces audit findings: major nonconformities (must be resolved before certification), minor nonconformities (must be resolved within a defined timeframe), and observations (improvement opportunities).
If no major nonconformities remain, the certification body issues the ISO 27001 certificate, valid for three years. Annual surveillance audits verify continued compliance. A full recertification audit occurs at the three-year mark.
### The 2022 Update
ISO 27001:2022 introduced several changes from the 2013 edition:
Restructured Annex A controls. The 114 controls across 14 domains (2013) were reorganized into 93 controls across four themes (2022): Organizational, People, Physical, and Technological. The lower count comes from merging overlapping 2013 controls, not from dropping requirements. Eleven new controls were added, including threat intelligence (A.5.7), information security for use of cloud services (A.5.23), ICT readiness for business continuity (A.5.30), configuration management (A.8.9), data leakage prevention (A.8.12), monitoring activities (A.8.16), and secure coding (A.8.28). The reorganization reflects a decade of evolution in the threat landscape and technology adoption.
Attribute tagging. ISO/IEC 27002:2022 tags each control with five attributes (Annex A of ISO 27001 itself carries only the control titles and text): control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover, taken from ISO/IEC TS 27110 and matching the five NIST CSF 1.1 functions), operational capabilities (governance, asset management, identity and access management, and so on), and security domains (governance and ecosystem, protection, defence, resilience). A control may carry several values per attribute; threat intelligence (A.5.7), for example, is tagged preventive, detective, and corrective. These attributes enable multi-dimensional filtering and mapping.
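The Statement of Applicability described under the ISMS Lifecycle and the attribute filtering described here are the two places where the standard's paperwork becomes data that can be checked mechanically. The following Python is an illustration added here by the editor; it is not code from the standard, from CDA, or from the original page. It models a hand-transcribed subset of Annex A controls with their ISO/IEC 27002:2022 attributes, filters them across attribute dimensions, and runs the completeness and justification checks an internal auditor applies to a draft SoA. Assumptions: the catalogue is a sample subset (a real SoA must cover all 93 controls), the attribute values are the editor's transcription and should be verified against ISO/IEC 27002:2022, and the status vocabulary (implemented, planned, excluded) and the sample SoA with its deliberate defects are constructed for the example.

```python
"""Filter ISO/IEC 27002:2022 control attributes and sanity-check a draft
Statement of Applicability (SoA).

Editor-added example. CATALOGUE is a hand-transcribed SUBSET of Annex A
(a real SoA must list all 93 controls); verify attribute values against
ISO/IEC 27002:2022 before relying on them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    cid: str                  # Annex A identifier, e.g. "5.7"
    name: str
    theme: str                # Organizational / People / Physical / Technological
    control_type: frozenset   # Preventive, Detective, Corrective
    properties: frozenset     # Confidentiality, Integrity, Availability
    concepts: frozenset       # Identify, Protect, Detect, Respond, Recover
    capabilities: frozenset   # operational capability tags
    domains: frozenset        # Governance_and_Ecosystem, Protection, Defence, Resilience


def _c(cid, name, theme, types, props, concepts, caps, domains):
    return Control(cid, name, theme, frozenset(types), frozenset(props),
                   frozenset(concepts), frozenset(caps), frozenset(domains))


CIA = ("Confidentiality", "Integrity", "Availability")

# Constructed sample catalogue; attribute values transcribed by the editor (assumption).
CATALOGUE: list[Control] = [
    _c("5.7", "Threat intelligence", "Organizational",
       ("Preventive", "Detective", "Corrective"), CIA, ("Identify", "Detect", "Respond"),
       ("Threat_and_vulnerability_management",), ("Defence", "Resilience")),
    _c("5.23", "Information security for use of cloud services", "Organizational",
       ("Preventive",), CIA, ("Protect",),
       ("Supplier_relationships_security",), ("Governance_and_Ecosystem", "Protection")),
    _c("5.30", "ICT readiness for business continuity", "Organizational",
       ("Corrective",), ("Availability",), ("Respond",), ("Continuity",), ("Resilience",)),
    _c("8.5", "Secure authentication", "Technological",
       ("Preventive",), CIA, ("Protect",), ("Identity_and_access_management",), ("Protection",)),
    _c("8.15", "Logging", "Technological",
       ("Detective",), CIA, ("Detect",),
       ("Information_security_event_management",), ("Protection", "Defence")),
    _c("8.16", "Monitoring activities", "Technological",
       ("Detective", "Corrective"), CIA, ("Detect", "Respond"),
       ("Information_security_event_management",), ("Defence",)),
    _c("8.24", "Use of cryptography", "Technological",
       ("Preventive",), CIA, ("Protect",), ("Secure_configuration",), ("Protection",)),
]


def select(controls: list[Control], **criteria: str) -> list[str]:
    """IDs of controls carrying every requested attribute value (AND across
    dimensions). Keywords name Control attributes, e.g. concepts="Detect"."""
    hits = []
    for ctl in controls:
        match = True
        for dim, want in criteria.items():
            have = getattr(ctl, dim)
            match = match and (have == want if isinstance(have, str) else want in have)
        if match:
            hits.append(ctl.cid)
    return hits


VALID_STATUS = {"implemented", "planned", "excluded"}   # assumed SoA vocabulary


def check_soa(catalogue: list[Control], soa: dict[str, dict]) -> list[str]:
    """Findings against a draft SoA (Clause 6.1.3 d): every catalogue control is
    listed, each status is recognised, every exclusion carries a justification,
    and no stray identifiers (e.g. leftover 2013 numbering) appear."""
    findings = []
    known = {c.cid for c in catalogue}
    for cid in sorted(known - set(soa), key=lambda s: tuple(int(p) for p in s.split("."))):
        findings.append(f"{cid}: missing from SoA")
    for cid, entry in soa.items():
        if cid not in known:
            findings.append(f"{cid}: not an Annex A control in this catalogue")
            continue
        status = entry.get("status")
        if status not in VALID_STATUS:
            findings.append(f"{cid}: unrecognised status {status!r}")
        elif status == "excluded" and not entry.get("justification", "").strip():
            findings.append(f"{cid}: exclusion without justification")
    return findings


# Constructed draft SoA with three deliberate defects for the checker to catch.
SAMPLE_SOA = {
    "5.7":  {"status": "implemented", "justification": "Risk R-12 (ransomware); ISAC feeds"},
    "5.23": {"status": "planned", "justification": "Risk R-04 (SaaS sprawl); rollout Q3"},
    "5.30": {"status": "excluded", "justification": ""},            # defect: unjustified exclusion
    "8.5":  {"status": "implemented", "justification": "Risk R-01 (credential theft); MFA"},
    "8.15": {"status": "implemented", "justification": "Risk R-07; central log platform"},
    "8.24": {"status": "implemented", "justification": "Risk R-03; TLS 1.2+, AES-256 at rest"},
    "A.9.4.1": {"status": "implemented", "justification": "stale 2013 reference"},  # defect: not a 2022 ID
}                                                                     # defect: 8.16 is not listed

if __name__ == "__main__":
    print("Detective controls tagged Detect:", select(CATALOGUE, control_type="Detective", concepts="Detect"))
    print("SoA findings:", *check_soa(CATALOGUE, SAMPLE_SOA), sep="\n  ")
```

Run against the sample, the checker reports the unlisted control (8.16), the unjustified exclusion (5.30), and the stale 2013-style identifier; a clean SoA that lists every catalogue control with a recognised status and justified exclusions produces no findings. In a real programme the catalogue would be loaded from the full Annex A list and the SoA exported from the GRC tool, and the same filter could be used to pull, say, every Detective control mapped to Detect when scoping a monitoring review.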
Alignment with ISO 27002:2022. The companion standard ISO 27002 (which provides implementation guidance for Annex A controls) was updated simultaneously, providing more current and practical guidance for each control.
Organizations certified to the 2013 edition had until October 31, 2025, to transition to the 2022 edition (per IAF MD 26); 2013-edition certificates ceased to be valid on that date regardless of their printed expiry.
## Why It Matters
### Global Recognition
ISO 27001 is recognized in virtually every country and industry. Unlike NIST CSF (which is primarily U.S.-focused) or sector-specific frameworks (HIPAA, PCI DSS, CMMC), ISO 27001 is internationally accepted. For organizations that operate globally, serve international customers, or participate in international supply chains, ISO 27001 certification is often a business requirement, not just a security best practice.
European organizations frequently require ISO 27001 certification from their suppliers. Government procurement in many countries references ISO 27001. International enterprise sales processes commonly include "Are you ISO 27001 certified?" as a qualifying question.
### Management System Approach
ISO 27001's most distinctive characteristic is that it certifies a management system, not a set of technical controls. The standard requires leadership commitment, defined responsibilities, resource allocation, risk-based decision-making, internal audit, management review, and continual improvement. This systemic approach ensures that information security is embedded in organizational governance, not bolted on as a technical afterthought.
Many organizations deploy technical controls without the management system to sustain them. They purchase a SIEM but do not fund the analysts to operate it. They write security policies but do not audit compliance with them. They conduct risk assessments but do not track risk treatment to completion. ISO 27001's management system requirements prevent this pattern by mandating the governance structures that sustain operational controls over time.
### Overlap with Other Frameworks
ISO 27001 overlaps significantly with NIST CSF, SOC 2, and other frameworks. Organizations that implement ISO 27001 can map their controls to NIST CSF, satisfying both frameworks with a single control set. The cybersecurity-concepts attribute in ISO 27002:2022 uses the same five functions as NIST CSF 1.1 (Identify, Protect, Detect, Respond, Recover), which makes control-level mapping straightforward; the Govern function added in CSF 2.0 has no attribute counterpart and maps instead onto the Clause 4 through 10 management system requirements.
For organizations subject to multiple compliance requirements, ISO 27001 can serve as the foundational ISMS with other frameworks mapped onto it. This is the multi-framework alignment approach that CDA's RGA-H01 mission (Multi-Framework Compliance Alignment, 24 hours) implements.
### Limitations
ISO 27001 is a management system standard. It is not a prescriptive security standard. Two organizations can both be ISO 27001 certified with dramatically different security postures because the standard allows organizations to select their own controls based on their own risk assessment. An organization that assesses its risks conservatively and implements controls minimally can achieve certification while remaining operationally vulnerable.
The audit process verifies that the management system functions, not that the organization is "secure" in an absolute sense. Certification is evidence of systematic risk management, not a guarantee of breach prevention. Certified organizations get breached. The difference is that they have the governance structures to detect, respond, recover, and improve.
## CDA Perspective
ISO 27001 and the Planetary Defense Model serve different purposes. ISO 27001 provides a management system framework: it ensures the organization has the governance structures to sustain security operations. The PDM provides an operational architecture: it organizes the security work into six domains with specific methodologies and missions. ISO 27001 ensures you have a system. The PDM tells you what to do within that system.
The mapping between ISO 27001 Annex A themes and PDM domains:
| ISO 27001 Theme | Controls | Primary PDM Domains |
|-----------------|----------|---------------------|
| Organizational (37 controls) | Policies, roles, threat intelligence, asset management, access control policy, supplier relationships, compliance, audit | RGA (governance, policy, compliance, audit), TID (threat intelligence), IAT (access control policy) |
| People (8 controls) | Screening, terms of employment, awareness/training, disciplinary process, post-employment, remote working, event reporting | SPH (awareness training), RGA (HR security policy), IAT (access lifecycle tied to employment) |
| Physical (14 controls) | Physical perimeters, entry controls, equipment protection, secure disposal, clear desk/screen | DPS (secure disposal), SPH (physical security as posture control) |
| Technological (34 controls) | Endpoint devices, access rights, authentication, encryption, malware protection, vulnerability management, logging, monitoring, network security, secure development | DPS (encryption, secure disposal), VSD (vulnerability management, secure development), SPH (endpoint protection, configuration management), IAT (authentication, access rights), TID (logging, monitoring) |
CDA uses ISO 27001 as one of several reference frameworks when building client compliance programs. The operational work, however, is organized by PDM domain, not by ISO 27001 clause. A client pursuing ISO 27001 certification receives a compliance landscape mapping (RGA-R01) that identifies the Annex A controls applicable to their context. Those controls are then addressed through PDM domain missions: DPS missions for encryption and data protection controls, VSD missions for vulnerability management controls, SPH missions for endpoint and configuration controls, IAT missions for access and authentication controls, TID missions for monitoring and detection controls, and RGA missions for governance, audit, and compliance controls.
The advantage of this approach: ISO 27001's four themes group controls by type (organizational, people, physical, technological). The PDM groups controls by what they defend. An "access control" appears in ISO 27001's Organizational theme (the policy) and Technological theme (the implementation). In the PDM, both the policy and the implementation live in IAT, because access control is fundamentally an identity and trust function regardless of whether the specific artifact is a policy document or a technical configuration. This domain-centric view eliminates the organizational silo that ISO 27001's type-based grouping can inadvertently create.
Four TOP missions connect directly to ISO 27001 implementation:
- RGA-R01 (Compliance Landscape Mapping): Map ISO 27001 requirements to the organization's context and assess the current state. 16 estimated hours.
- RGA-B02 (Compliance Program Build): Build the ISMS infrastructure. 60 estimated hours. This includes the risk assessment methodology, Statement of Applicability, policy framework, evidence collection processes, and internal audit program.
- RGA-H01 (Multi-Framework Compliance Alignment): Align ISO 27001 controls with other applicable frameworks to eliminate duplication. 24 estimated hours.
- RGA-D01 (Compliance Readiness Audit): Conduct a mock ISO 27001 audit to identify gaps before the certification body's Stage 2 audit. 24 estimated hours.
## Key Takeaways
- ISO 27001 is the international standard for information security management systems, providing a governance framework for systematically managing information security risk.
- Certification requires a third-party audit verifying that the ISMS is documented, implemented, operating effectively, and continually improving.
- The 2022 update restructured controls into four themes (Organizational, People, Physical, Technological), added 11 new controls, and introduced attribute tagging for cross-framework mapping.
- ISO 27001 certifies a management system, not a security level. Two certified organizations can have very different security postures.
- CDA uses ISO 27001 as a compliance reference while organizing operational work through the PDM's domain structure, which groups controls by what they defend rather than by control type.
## Sources
- International Organization for Standardization and International Electrotechnical Commission. "ISO/IEC 27001:2022: Information security, cybersecurity and privacy protection - Information security management systems - Requirements." ISO/IEC, October 2022.
- International Organization for Standardization and International Electrotechnical Commission. "ISO/IEC 27002:2022: Information security, cybersecurity and privacy protection - Information security controls." ISO/IEC, February 2022.
- National Institute of Standards and Technology (NIST). "Cybersecurity Framework (CSF) 2.0." U.S. Department of Commerce, 2024. (Cross-framework mapping reference.)
- International Accreditation Forum. "IAF MD 26:2022: Transition Requirements for ISO/IEC 27001:2022." IAF, 2022.
- ISACA. "Implementing ISO 27001:2022: A Practical Guide." ISACA, 2023.