Chapter 3

A Tour of ISO 27001

The structure of ISO 27001:2022 — the management-system clauses, the four Annex A themes, and how the section hierarchy is represented in Blankitt.

Last updated 30 April 2026


ISO 27001 is the international standard for an Information Security Management System (ISMS). The current version is ISO/IEC 27001:2022. Every certified organisation has been audited against the same clauses, which is what makes the certificate transferable across countries and industries.

Two halves: the ISMS clauses + Annex A

The standard has two distinct parts:

Clauses 4–10 — the management system

Clauses 4 through 10 describe how to run an ISMS:

  • Clause 4 — Context of the organisation. Identify interested parties, scope the ISMS.
  • Clause 5 — Leadership. Top-management commitment, an information-security policy, defined roles.
  • Clause 6 — Planning. Risk assessment, risk treatment, information-security objectives.
  • Clause 7 — Support. Resources, competence, awareness, communication, documented information.
  • Clause 8 — Operation. Operational planning, risk-treatment-plan execution.
  • Clause 9 — Performance evaluation. Monitoring, internal audit, management review.
  • Clause 10 — Improvement. Nonconformity handling, continual improvement.

This is the part most people underestimate. You can have technical controls bolted onto a chaotic organisation and still fail certification because clauses 4–10 aren't being run as a system.

Annex A — the control reference set

Annex A is a catalogue of 93 controls organised into 4 themes (in the 2022 version — earlier versions had 14 control domains; if you see those, the org is on the older ISO 27001:2013):

  • A.5 — Organisational controls (37 controls). Policy, roles, threat intel, supplier relationships, incident management.
  • A.6 — People controls (8 controls). Screening, terms of employment, awareness, disciplinary process.
  • A.7 — Physical controls (14 controls). Office security, equipment protection, secure disposal.
  • A.8 — Technological controls (34 controls). Access management, cryptography, system security, network security, application security, secure development, supplier security in the technology layer.

The Statement of Applicability (SoA) is where you formally declare which Annex A controls are in scope and how they're implemented. The auditor reads the SoA first.

How Blankitt represents the hierarchy

In Blankitt's itsm_compliance_frameworks table and its associated sections table, ISO 27001:2022 looks like this:

ISO/IEC 27001:2022
├── 4. Context
├── 5. Leadership
├── 6. Planning
├── 7. Support
├── 8. Operation
├── 9. Performance evaluation
├── 10. Improvement
└── Annex A
    ├── A.5 Organisational
    ├── A.6 People
    ├── A.7 Physical
    └── A.8 Technological

When you map a Blankitt control to ISO 27001, you typically map it to a leaf node — e.g. "MFA on admin accounts" maps to A.8.5 Secure authentication. Multiple controls can map to one section, and one control can map to multiple sections.
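As an added illustration (example code, not Blankitt's own) of the tree above and the many-to-many control mapping, here is the same hierarchy in SQLite: table and column names beyond itsm_compliance_frameworks and sections are assumed, the control_sections join table is hypothetical, and every row is constructed sample data.

```python
import sqlite3

# Added example, not Blankitt's code. Table and column names are an assumption (the page
# names only itsm_compliance_frameworks and sections); every row is constructed sample data.
SCHEMA = """
CREATE TABLE itsm_compliance_frameworks (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE sections (id INTEGER PRIMARY KEY, framework_id INTEGER NOT NULL,
    parent_id INTEGER REFERENCES sections(id), ref TEXT NOT NULL, title TEXT NOT NULL);
CREATE TABLE controls (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE control_sections (control_id INTEGER, section_id INTEGER, PRIMARY KEY (control_id, section_id));
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO itsm_compliance_frameworks VALUES (1, 'ISO/IEC 27001:2022')")
    rows = [  # (id, parent_id, ref, title); NULL parent = top level, as in the tree above
        (1, None, "4", "Context"), (2, None, "5", "Leadership"), (3, None, "6", "Planning"),
        (4, None, "7", "Support"), (5, None, "8", "Operation"),
        (6, None, "9", "Performance evaluation"), (7, None, "10", "Improvement"),
        (8, None, "Annex A", "Annex A"), (9, 8, "A.5", "Organisational"),
        (10, 8, "A.6", "People"), (11, 8, "A.7", "Physical"), (12, 8, "A.8", "Technological"),
        (13, 12, "A.8.5", "Secure authentication")]
    db.executemany("INSERT INTO sections VALUES (?, 1, ?, ?, ?)", rows)
    db.executemany("INSERT INTO controls VALUES (?, ?)",
                   [(1, "MFA on admin accounts"), (2, "Quarterly access review")])
    # Many-to-many: two controls on A.8.5, and the access review also maps to A.5.
    db.executemany("INSERT INTO control_sections VALUES (?, ?)", [(1, 13), (2, 13), (2, 9)])
    return db

def section_path(db, ref):
    """Walk parent_id up to the root and return the labels framework-first."""
    rows = db.execute("""
        WITH RECURSIVE chain(id, parent_id, ref, title, depth) AS (
            SELECT id, parent_id, ref, title, 0 FROM sections WHERE ref = ?
            UNION ALL SELECT s.id, s.parent_id, s.ref, s.title, c.depth + 1
            FROM sections s JOIN chain c ON s.id = c.parent_id)
        SELECT ref, title FROM chain ORDER BY depth DESC""", (ref,)).fetchall()
    name = db.execute("SELECT name FROM itsm_compliance_frameworks WHERE id = 1").fetchone()[0]
    return [name] + [r if r == t else f"{r} {t}" for r, t in rows]

def controls_for(db, ref):  # every control mapped to one section
    return [n for (n,) in db.execute("""SELECT c.name FROM controls c
        JOIN control_sections cs ON cs.control_id = c.id JOIN sections s ON s.id = cs.section_id
        WHERE s.ref = ? ORDER BY c.id""", (ref,))]

def unmapped_leaves(db):  # SoA gap check: leaf sections no control maps to yet
    return [r for (r,) in db.execute("""SELECT ref FROM sections s
        WHERE NOT EXISTS (SELECT 1 FROM sections k WHERE k.parent_id = s.id)
          AND NOT EXISTS (SELECT 1 FROM control_sections cs WHERE cs.section_id = s.id)
        ORDER BY s.id""")]
```

unmapped_leaves is the query worth running before the SoA is written: every leaf it returns is a section with no control behind it yet.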

What gets you the certificate

The certifier checks two things:

  1. Documentation — your ISMS policies, your risk register, your SoA, your internal audit reports, your management review minutes. They want evidence the system exists.
  2. Operational evidence — sample tickets, sample access reviews, sample incident records, sample training records. They want evidence the system is being run.

A clean ISO 27001:2022 first-time pass typically costs 6–9 months and £20–60k for a small SaaS, including the certifier's fee. After year one you have annual surveillance audits and a recertification audit every three years.
