What is ISO/IEC 27001:2022?

ISO/IEC 27001:2022 is the international management-system standard for information security, jointly published by ISO and IEC in October 2022 (third edition). It specifies requirements for an Information Security Management System (ISMS) — how an organisation manages information-security risks across people, processes and technology. The standard is certifiable by an accredited third-party body and follows the Annex SL harmonized structure shared with ISO/IEC 42001, ISO/IEC 27701 and ISO 9001.

What changed in the 2022 edition vs the 2013 edition?

The 2022 edition restructured Annex A: the 114 controls of the 2013 edition were consolidated and modernised into 93 controls organised under four themes (5 Organizational, 6 People, 7 Physical, 8 Technological), with the addition of 11 new controls (notably around threat intelligence, cloud security, ICT readiness and configuration management). The Annex SL backbone in Clauses 4–10 was updated to the 2021 harmonized structure (introducing the planning-of-changes sub-clause and clarifying competence and documented-information language). Accredited certificates against the 2013 edition were sunset by the late-2025 transition deadline; ISO/IEC 27001:2022 is the current edition.

Is the Statement of Applicability mandatory under ISO 27001?

Yes. Under Clause 6.1.3 d, the Statement of Applicability is mandatory documented information. It records the necessary controls (from Annex A and any additional controls the organisation has selected), the justification for inclusion or exclusion, whether each is implemented, and whether the exclusions are appropriate. The SoA is one of the first documents an accredited certification body reviews in Stage 1 and is sampled throughout Stage 2 and surveillance audits. Unlike ISO/IEC 42001 (where Annex A is informative and the SoA is a strong expectation rather than a strict standard requirement), ISO/IEC 27001 Annex A is normative and the SoA is mandatory.

What is the ISO 27001 certification process?

Five steps: (1) scope the ISMS and run a gap analysis against Clauses 4–10 and the Annex A controls; (2) implement the ISMS — information-security policy, risk assessment, risk treatment, Statement of Applicability, controls, internal audit, management review; (3) operate the ISMS long enough to produce evidence of effectiveness (typically three to six months minimum); (4) engage an accredited certification body for a two-stage audit — Stage 1 documentation review, Stage 2 on-site audit of operational effectiveness; (5) maintain with annual surveillance audits and full recertification every three years.

How does ISO 27001 support AI governance?

AI governance fails most often for operational reasons — unclear access control, vendor sprawl, weak incident handling, missing documentation discipline. ISO 27001 provides the proven operating model for those fundamentals. The shared Annex SL clauses (4–10) carry over; ISO 27001 Annex A controls provide reusable security-control evidence but do not become ISO 42001 Annex A controls. ISO/IEC 42001 (AIMS) adds AI-specific risk, impact and lifecycle controls on top of the ISMS spine. Most organisations operate ISO 27001 + ISO 42001 as a single integrated management system.

How long does ISO 27001 certification take?

For organisations starting from scratch: 9–12 months to Stage 2 is typical, driven mainly by the evidence window — the ISMS has to run long enough to produce real records of internal audit, management review and continual improvement. Organisations with existing security programs (SOC 2, ISO 9001) often reach Stage 2 in 6–9 months. Surveillance audits are annual; full recertification is every three years.

Which Modulos templates implement ISO/IEC 27001:2022?

Two framework templates: OFF-9 (org) with 28 mapped ORF requirements mapped to Clauses 4–10, and MFF-9 (app) with 2 MRF requirements mapped to the per-AI-system overlap with the ISMS (information-security risk assessment + treatment under Clause 8.2 / 8.3). Annex A controls are tracked through evidence linked to the Clause 6.1.3 risk treatment requirement and the Statement of Applicability.

ISO/IEC 27001:2022 — Information Security Management System (ISMS)

ISO/IEC 27001:2022 — published October 2022 — is the international management-system standard for information security. It specifies requirements for an organisation to establish, implement, maintain and continually improve an Information Security Management System (ISMS) under a certifiable management-system framework with the Annex SL backbone shared by ISO/IEC 42001, ISO/IEC 27701 and ISO 9001.

In this guide, "ISO 27001" is shorthand for ISO/IEC 27001:2022.

Quick decision

You need a certifiable security baseline → ISO 27001 is the canonical management-system option. See ISMS foundations for what auditors test.
You need a structured way to govern AI security controls → ISO 27001 is the security backbone; pair it with ISO 42001 for AI-specific risk, impact and lifecycle controls. See Integration with AI governance.
You need to write the Statement of Applicability → Annex A is normative under ISO 27001; the SoA is mandatory under Clause 6.1.3 d. See Annex A (controls reference).
You want a deep read of the management-system clauses → see Clauses 4–10.
You are rolling out the ISMS in Modulos → see Operationalizing in Modulos — the OFF-9 + MFF-9 framework templates.

TL;DR

Third edition published October 2022. Accredited certificates against the 2013 edition were sunset by the late-2025 transition deadline; ISO/IEC 27001:2022 is the current edition.
Annex SL backbone — Clauses 4–10 shared with ISO 42001, 27701, 9001.
Annex A is normative — 93 controls under four themes (5 Organizational, 6 People, 7 Physical, 8 Technological). The Statement of Applicability (Clause 6.1.3 d) is mandatory documented information.
Certification cycle: Stage 1 + Stage 2 audit by an accredited body; annual surveillance; recertification every 3 years.
IMS-ready — operates naturally alongside ISO 42001 (AIMS) and ISO 27701 (PIMS) on a shared Clauses 4–10 spine.
Modulos operationalises ISO 27001 through the OFF-9 (org, 28 ORF requirements) and MFF-9 (app, 2 MRF requirements) framework templates.

Primary source

ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements (third edition, October 2022). Available via the ISO Online Browsing Platform. © ISO.

Key facts

Publisher

ISO/IEC (joint)

Edition

ISO/IEC 27001:2022 (Oct 2022)

Type

Certifiable management-system standard

Scope

Information-security management (ISMS)

Annex A

Normative — 93 controls, 4 themes

Outcome

Accredited ISO 27001 certificate

What the ISMS actually requires

ISO 27001 expects the organisation to:

determine the ISMS scope (Clause 4.3) and its interactions with the rest of the organisation (4.4);
maintain a documented information-security policy (5.2);
assign roles, responsibilities and authorities (5.3);
perform a structured information-security risk assessment (6.1.2) and risk treatment (6.1.3) — producing the Statement of Applicability (6.1.3 d);
set and pursue information-security objectives (6.2);
operate the Annex A controls selected in the SoA;
monitor, measure, internally audit and review (Clause 9) and continually improve (Clause 10).

The defining ISO 27001 artefact is the Statement of Applicability — the record of which Annex A controls apply, the justification for inclusion or exclusion, and the implementation status. Under Clause 6.1.3 d, the SoA is mandatory documented information.

Go deeper: Clauses 4–10 (implementation guide) · Annex A (controls reference).

Annex A — 93 controls, four themes

ISO/IEC 27001:2022 Annex A organises the 93 information-security controls into four themes:

Theme	Focus	Control count
5 Organizational controls	Policies, roles, supplier relationships, incident management, business continuity, legal and compliance	37
6 People controls	Screening, terms and conditions, awareness, disciplinary process, remote working	8
7 Physical controls	Physical security perimeter, equipment, secure disposal, clear desk / clear screen	14
8 Technological controls	Endpoint security, identity and access management, cryptography, network security, secure development, logging, vulnerability management	34

The 2022 edition introduced 11 new controls at A.5.7, A.5.23, A.5.30, A.7.4, A.8.9, A.8.10, A.8.11, A.8.12, A.8.16, A.8.23 and A.8.28 — covering cloud services, configuration management, modern data-protection techniques and threat intelligence.

Go deeper: Annex A (controls reference).

How ISO 27001 supports AI governance

AI governance fails most often for operational reasons that ISO 27001 explicitly addresses:

Unclear access control → Annex A theme 8 (Technological) covers identity and access management.
Vendor sprawl → Annex A theme 5 (Organizational) covers supplier relationships.
Weak incident handling → Annex A theme 5 covers incident management.
Missing documentation discipline → Clause 7.5 covers documented information.

The ISMS provides the security backbone on which an AI management system (ISO/IEC 42001) layers AI-specific risk, impact and lifecycle controls. Organisations that already operate ISO 27001 typically reach ISO 42001 Stage 2 in 6–9 months instead of 9–15.

How to operationalise ISO 27001 in Modulos

Modulos models ISO 27001 through two framework templates:

Template	Scope	Mapped requirements
OFF-9 (org)	Clauses 4–10 ISMS spine	ORF-196…ORF-223 (28 requirements)
MFF-9 (app)	Per-AI-system overlap with the ISMS	MRF-221 (Clause 8.2 risk assessment), MRF-222 (Clause 8.3 risk treatment)

The Statement of Applicability is owner-authored documented information stored as evidence on the Clause 6.1.3 risk-treatment requirement; Annex A controls are tracked through control-level evidence linked to that requirement.

Standard rollout in Modulos:

One organisation project for the ISMS itself — scope statement, information-security policy, risk-management process, Statement of Applicability, internal audit, management review. Apply OFF-9.
AI-system projects for the per-system security overlap (information-security risk assessment + treatment for the AI deployment). Apply MFF-9.
Where the same organisation runs ISO/IEC 42001 (AIMS) or ISO/IEC 27701 (PIMS), both share Clauses 4–10 with the ISMS — only the standard-specific risk, control and Annex A content is unique to each.

Go deeper: Operationalizing in Modulos.

Framework mapping

Four layers, one reusable spine.

Frameworks

EU AI ActRegulatory

ISO 42001Standard

Requirements

Art. 9.1Risk management

Art. 10.2Data governance

6.1.1Risk assessment

Components

Risk identification

Impact analysis

Evidence

Risk registerDocument

Test resultsArtifact

Controls

The reusable spine

One control satisfies many requirements across many frameworks, and groups the components and evidence beneath them.

Risk assessment process

Data validation checks

Reusable

Edge from any layer card crosses into the Controls spine — the same control may serve a regulatory article, a standards clause, a downstream component, and the evidence that closes it.

Cross-framework mapping (preview)

ISO 27001 element	Adjacent provision
Clause 4.3 ISMS scope	ISO 42001 Clause 4.3 AIMS scope; ISO 27701 Clause 4.3 PIMS scope
Clause 5.2 information-security policy	ISO 42001 Clause 5.2 AI policy; ISO 27701 Clause 5.2 privacy policy
Clause 6.1.2 information-security risk assessment	ISO 42001 Clause 6.1.2 AI risk assessment; ISO 31000 risk-management process
Clause 6.1.3 information-security risk treatment + SoA	ISO 42001 Clause 6.1.3 AI risk treatment; EU AI Act Article 9 RMS
Annex A theme 5 supplier relationships	EU AI Act Article 25 value chain; NIS2 Article 21(2)(d); ISO 42001 Annex A.10
Annex A theme 8 cryptography (A.8.24)	EU AI Act Article 15(5) cybersecurity for high-risk AI; NIS2 Article 21(2)(h)
Annex A theme 8 logging (A.8.15)	EU AI Act Article 12 logging; EU AI Act Article 26(6) deployer log retention
Clause 9.1 monitoring	ISO 42001 Clause 9.1; ISO 9001 Clause 9.1

ISMS foundations (scope + auditor expectations)

What an ISMS is, what auditors test, how the certification cycle works

Clauses 4–10 (implementation guide)

Annex SL backbone — Context, Leadership, Planning, Support, Operation, Performance evaluation, Improvement

Annex A (controls reference)

93 controls in four themes — organizational, people, physical, technological

Operationalizing in Modulos

OFF-9 + MFF-9 rollout, ISMS evidence patterns, Statement of Applicability

Integration with AI governance

How ISO 27001 supports ISO 42001 AIMS and the EU AI Act

ISO 42001 vs ISO 27001

Side-by-side comparison — AIMS vs ISMS

Source attribution

ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements (third edition, published October 2022). © ISO/IEC. Available via the ISO Online Browsing Platform.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.

Comparison

EU AI Act

Commission guidance

ISO Standards

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

NIST AI RMF

GDPR (EU)

NIS2 (EU)

DORA (EU)

OWASP for AI Security

UAE AI Ethics

MAS FEAT

Microsoft Supplier DPR

ISO/IEC 27001:2022 — Information Security Management System (ISMS)

Quick decision

TL;DR

What the ISMS actually requires

Annex A — 93 controls, four themes

How ISO 27001 supports AI governance

How to operationalise ISO 27001 in Modulos

Cross-framework mapping (preview)

Source attribution

Commission guidance

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

ISO/IEC 27001:2022 — Information Security Management System (ISMS) ​

Quick decision ​

TL;DR ​

What the ISMS actually requires ​

Annex A — 93 controls, four themes ​

How ISO 27001 supports AI governance ​

How to operationalise ISO 27001 in Modulos ​

Cross-framework mapping (preview) ​

Related pages ​

Source attribution ​

ISO/IEC 27001:2022 — Information Security Management System (ISMS)

Quick decision

TL;DR

What the ISMS actually requires

Annex A — 93 controls, four themes

How ISO 27001 supports AI governance

How to operationalise ISO 27001 in Modulos

Cross-framework mapping (preview)

Related pages

Source attribution