
ISO/IEC 27001 — Information Security Management

The internationally recognised standard for information security management systems (ISMS). ISO 27001 certification demonstrates that your organisation has implemented systematic controls to protect information assets — and is recognised by clients, regulators, and procurement bodies in 100+ countries.

ISO 27001:2022 | ISMS | IAF MLA recognised | 100+ countries

What is ISO/IEC 27001?

ISO/IEC 27001 is the leading international standard for information security management systems (ISMS), published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The 2022 revision (ISO/IEC 27001:2022) replaced the Annex A control set with one aligned to ISO/IEC 27002:2022, reducing the catalogue from 114 controls in 14 domains to 93 controls grouped under 4 themes.

Certification demonstrates that an organisation has assessed its information security risks and implemented appropriate controls within a systematic management framework — subject to independent third-party audit.

Who Needs ISO 27001?

  • Technology and SaaS companies with enterprise B2B clients
  • Financial services, banking, and payment processing organisations
  • Healthcare and MedTech companies handling patient data
  • Government and public sector contractors
  • Data centres, cloud providers, and managed service providers
  • Any organisation responding to client or procurement security questionnaires

ISO 27001:2022 — Key Changes from 2013

Organisations certified under ISO 27001:2013 are required to transition to the 2022 version; the IAF transition period ended on 31 October 2025, after which 2013 certificates are no longer valid. Key changes include:

  • Annex A restructured from 14 domains into 4 themes: Organisational, People, Physical, Technological
  • 11 new controls added, including threat intelligence, information security for use of cloud services, and data masking
  • Total controls reduced from 114 to 93 (no 2013 control was dropped outright; 57 were merged into 24, and the remainder carried over unchanged)
  • Clause structure aligned with the Annex SL harmonised structure (formerly the High Level Structure) shared by other ISO management system standards

Scope of an ISO 27001 Certification

Scope definition is a critical step in the certification process. The scope determines which information assets, processes, locations, and organisational units fall within the ISMS boundary. BALTUM's gap analysis phase includes detailed scope definition guidance to ensure the scope is both meaningful to stakeholders and achievable within the target timeline.

The BALTUM Engagement: Stage by Stage

  • Stage 1 — Gap Analysis & Scoping: Current-state assessment against ISO 27001:2022 requirements. Gap register. Scope document. Project roadmap.
  • Stage 2 — ISMS Documentation: Information Security Policy, Risk Assessment & Treatment methodology, Statement of Applicability (listing every Annex A control with a justification for its inclusion or exclusion), procedures, and controls documentation.
  • Stage 3 — Implementation Support: Control implementation guidance, internal audit, and management review facilitation.
  • Stage 4 — Certification Audit: the certification body's Stage 1 audit (documentation and readiness review) and Stage 2 audit (verification that the ISMS is implemented and operating), conducted on-site or remotely by an accredited certification body.
  • Stage 5 — Surveillance: annual surveillance audits during the three-year certificate cycle, and recertification planning ahead of the cycle's end.

Typical Timeline

For a mid-size organisation (50–500 employees) pursuing first certification, BALTUM's typical engagement runs 3–6 months from kick-off to certificate issuance. Timelines depend on organisational size, current maturity, scope, certification body scheduling, and availability of internal resource. BALTUM provides a milestone-based project plan at the outset of each engagement.

Integration with Other Standards

ISO 27001 is frequently implemented alongside complementary standards. BALTUM offers integrated programmes that share documentation, controls, and audit activities:

  • ISO 27001 + ISO 27701 (Privacy Information Management)
  • ISO 27001 + ISO 22301 (Business Continuity)
  • ISO 27001 + ISO 42001 (AI Management System)
  • ISO 27001 + SOC 2 (unified evidence framework serving both the ISO audit and the SOC 2 attestation)
  • ISO 27001 + PCI DSS (organisations that store, process, or transmit payment card data)