FortaRisks
Compliance and regulation

ISO 27001

ISO 27001 is the leading international standard for setting up an information security management system (ISMS). It defines a risk-based approach, governance requirements and a set of security controls, and allows certification by an accredited body.

Updated on July 2, 2026

What is ISO 27001?

ISO 27001 is the international standard that describes the requirements of an information security management system (ISMS). Published by ISO and revised in 2022, it is not just a list of technical controls: it mandates a complete approach to governance, risk assessment and continuous improvement.

The central idea is that you do not secure everything the same way: you identify risks, decide how to treat them, and document those choices in a defensible manner.

Why it matters for your organization

ISO 27001 is recognized worldwide, which makes it a common language with customers, partners and regulators. Certification provides independent evidence that security is managed in a structured way, which is a strong argument in tenders and vendor assessments.

Beyond the certificate, the approach instills lasting discipline: defined roles, tracked risks, handled incidents, and controls reviewed periodically.

The key elements of the standard

  • Context and scope: define what the ISMS covers and the relevant stakeholders.
  • Leadership: documented management commitment and a security policy.
  • Risk assessment: identify, analyze and treat security risks.
  • Statement of Applicability (SoA): justify the inclusion or exclusion of each Annex A control.
  • Continuous improvement: internal audits, management reviews and corrective actions.

Where organizations most often fall short

The most common trap is building an ISMS "for the certificate": abundant documentation disconnected from real operations. The risk assessment is sometimes treated as a formality, when it is the heart of the standard. A living ISMS links every control to an identified risk and to up-to-date evidence.

Frequently asked questions

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 holds the certifiable management-system requirements, that is, what you must do. ISO 27002 is a best-practice guide that details how to implement the security controls listed in Annex A of ISO 27001. You get certified against 27001 and rely on 27002 for implementation.

How long does ISO 27001 certification take?

For an organization starting from scratch, it usually takes six to twelve months to build the ISMS, gather evidence and run it long enough for the audit. Certification happens in two stages, followed by annual surveillance audits and renewal every three years.
