If your organisation is considering ISO 27001 certification — or has been told by a client, regulator, or insurer that you need it — this guide is for you. We will walk through every requirement in the current version of the standard (ISO/IEC 27001:2022, Third edition) and explain what it means in practice, not in audit language.
No jargon. No hand-waving. Every requirement referenced here comes directly from the published standard.
What ISO 27001 Actually Is
ISO/IEC 27001 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full title is Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
In plain terms, it is a set of requirements for building and maintaining an Information Security Management System (ISMS) — a structured way of managing the security of information across your organisation. The standard does not tell you which firewall to buy or which encryption algorithm to use. Instead, it tells you how to identify risks, decide how to treat them, and prove that you are doing so consistently.
The 2022 edition is the third version. It cancels and replaces the 2013 edition (ISO/IEC 27001:2013) and incorporates its two Technical Corrigenda (Cor 1:2014 and Cor 2:2015). The International Accreditation Forum (IAF) set October 31, 2025 as the transition deadline for existing certificates (IAF MD 26:2022), after which all ISO 27001:2013 certificates were invalidated.
Who Is It For?
The standard is deliberately generic. According to Clause 1 (Scope), the requirements "are intended to be applicable to all organizations, regardless of type, size or nature." A 15-person fintech, a 500-bed hospital, and a 10,000-employee manufacturer can all be certified — and the standard is designed to scale to each.
Why Bother?
There are several concrete reasons organisations pursue certification:
- Client requirements — increasingly, enterprise buyers and government agencies require ISO 27001 from their vendors
- Regulatory alignment — ISO 27001 aligns closely with requirements in the EU's NIS2 Directive and DORA Regulation
- Insurance — cyber insurers are increasingly requesting evidence of a formal ISMS
- Competitive advantage — certification signals maturity to prospects and partners
- Operational benefit — the process forces you to understand your own risks, which most organisations have never done systematically
The Standard at a Glance
ISO 27001:2022 is organised into two parts: the main body (Clauses 4 through 10), which contains the management system requirements, and Annex A, which contains a reference list of information security controls.
| Part | What It Covers |
|---|---|
| Clause 4 — Context of the Organization | Understand your business environment and stakeholders, and define the ISMS scope |
| Clause 5 — Leadership | Get top management involved, write a policy, assign roles |
| Clause 6 — Planning | Assess risks, decide how to treat them, set security objectives |
| Clause 7 — Support | Provide resources, build competence, manage documentation |
| Clause 8 — Operation | Run the ISMS day-to-day, execute risk treatment plans |
| Clause 9 — Performance Evaluation | Monitor, audit, and review the ISMS |
| Clause 10 — Improvement | Fix problems and continuously improve |
| Annex A — Controls Reference | 93 controls across 4 themes (used during risk treatment) |
A critical point from the Introduction to the standard: "The order in which requirements are presented in this document does not reflect their importance or imply the order in which they are to be implemented." You do not need to implement Clause 4 before Clause 5. Many activities run in parallel.
Phase 1: Understand Your Context and Define the Scope
Standard references: Clauses 4.1, 4.2, 4.3, 4.4
Before building anything, you need to understand two things: where you operate and what you are protecting.
Clause 4.1 — Understanding the Organisation and Its Context
The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its ISMS.
In practice, this means documenting:
- External issues — regulatory environment (GDPR, NIS2, DORA), market conditions, supplier landscape, threat landscape
- Internal issues — organisational structure, existing IT systems, corporate culture, strategic direction
This is not a one-time exercise. The standard's Introduction notes that "all of these influencing factors are expected to change over time."
Clause 4.2 — Understanding the Needs of Interested Parties
You need to identify who cares about your information security and what they expect. A note in Clause 4.2 clarifies that "the requirements of interested parties can include legal and regulatory requirements and contractual obligations." While this note is non-normative guidance rather than a mandatory requirement, it signals the breadth of what "interested parties" means in practice.
Common interested parties include: customers, regulators, shareholders, employees, insurers, and supply chain partners.
Clause 4.3 — Determining the ISMS Scope
This is one of the most consequential decisions you will make. The scope defines the boundaries of your ISMS — which parts of your organisation, which locations, which systems, and which processes are included.
When defining the scope, the standard requires you to consider:
- The external and internal issues from Clause 4.1
- The requirements of interested parties from Clause 4.2
- Interfaces and dependencies between your activities and those performed by other organisations
The scope must be documented and available.
Practical tip: A common mistake is making the scope too broad. If you are a 200-person company and only your SaaS platform handles sensitive data, you do not need to certify the entire organisation on day one. Scope it to the platform and the teams that support it. You can always expand later.
Clause 4.4 — The ISMS Itself
This clause is short but foundational: "The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document."
This is the standard telling you: you are building a management system, not a project. It does not end when you get the certificate.
Phase 2: Get Leadership Committed
Standard references: Clauses 5.1, 5.2, 5.3
Clause 5.1 — Leadership and Commitment
ISO 27001 places explicit responsibility on top management. This is not delegable to the IT department. The standard lists eight specific ways top management must demonstrate commitment (Clause 5.1, items a–h):
- Ensuring the information security policy and objectives are established and compatible with the strategic direction
- Ensuring the integration of ISMS requirements into the organisation's processes
- Ensuring that the resources needed are available
- Communicating the importance of effective information security management
- Ensuring the ISMS achieves its intended outcomes
- Directing and supporting persons to contribute to the effectiveness of the ISMS
- Promoting continual improvement
- Supporting other relevant management roles to demonstrate their leadership in their areas of responsibility
This is where many implementations falter. If your CEO or managing director treats this as "an IT thing," the certification auditor will notice.
Clause 5.2 — The Information Security Policy
Top management must establish a policy that:
- Is appropriate to the purpose of the organisation
- Includes information security objectives (or provides a framework for setting them)
- Includes a commitment to satisfy applicable requirements
- Includes a commitment to continual improvement
Additionally, the standard requires that the policy shall:
- Be available as documented information
- Be communicated within the organisation
- Be available to interested parties, as appropriate
What this looks like in practice: A 1–2 page document, approved by the CEO or board, stating the organisation's commitment to information security, the scope of the ISMS, and the principles that guide security decisions. It does not need to be technical. It needs to be real.
Clause 5.3 — Roles, Responsibilities, and Authorities
Top management must assign and communicate who is responsible for:
- Ensuring the ISMS conforms to the standard's requirements
- Reporting on ISMS performance to top management
This is often a CISO, Head of Security, DPO, or in smaller organisations, the CTO or an appointed ISMS Manager.
Phase 3: Plan Your Approach to Risk
Standard references: Clauses 6.1, 6.2, 6.3
This is the heart of ISO 27001. The standard is risk-based — everything flows from your risk assessment.
Clause 6.1.1 — General Planning
When planning the ISMS, you must consider the context (Clause 4.1) and interested parties (Clause 4.2), then determine risks and opportunities that need to be addressed to:
- Ensure the ISMS can achieve its intended outcomes
- Prevent or reduce undesired effects
- Achieve continual improvement
Clause 6.1.2 — Information Security Risk Assessment
This is where you build your risk assessment process. The standard requires a process that:
- Establishes and maintains risk criteria — including risk acceptance criteria and criteria for performing assessments
- Produces consistent, valid, and comparable results when repeated
- Identifies risks — by applying the process to identify risks associated with the loss of confidentiality, integrity, and availability of information within the ISMS scope, and by identifying risk owners
- Analyses risks — by assessing the potential consequences if identified risks materialise, assessing the realistic likelihood of occurrence, and determining the levels of risk
- Evaluates risks — by comparing the results with your risk criteria and prioritising risks for treatment
You must retain documented information about this process.
In plain terms: You need a repeatable method for answering three questions about each risk: How bad would it be? How likely is it? Do we need to do something about it?
Clause 6.1.3 — Information Security Risk Treatment
Once you have assessed your risks, you decide what to do about them. The standard requires you to:
- Select appropriate risk treatment options — taking account of the risk assessment results
- Determine all controls necessary to implement the chosen treatment options
- Compare your controls with Annex A to verify that no necessary controls have been omitted
- Produce a Statement of Applicability (SoA) containing the necessary controls, justification for their inclusion, whether the necessary controls are implemented or not, and the justification for excluding any Annex A controls
- Formulate a risk treatment plan — documenting how you will implement the chosen treatment
- Obtain risk owner approval — risk owners must approve the risk treatment plan and formally accept the residual risks
The Statement of Applicability is one of the most important documents in your ISMS. It is the bridge between your risk assessment and the controls you have chosen. Auditors will scrutinise it closely.
ISO 27001 requires you to "select appropriate information security risk treatment options" but does not enumerate specific options by name. Risk management practice — drawing on frameworks such as ISO/IEC 27005 and ISO 31000 — commonly groups treatment into four categories:
| Option | What It Means |
|---|---|
| Modify (mitigate) | Implement controls to reduce the likelihood or impact |
| Accept | Acknowledge the risk and do nothing (within your risk acceptance criteria) |
| Avoid | Stop the activity that creates the risk |
| Share (transfer) | Transfer the risk to a third party (e.g., insurance, outsourcing) |
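The following is an added example (not code from the standard or from Orizon) that turns the Clause 6.1.2 assessment steps and the Clause 6.1.3 treatment steps into a small, repeatable risk register: it scores each risk on a scale, compares the result with a risk acceptance criterion, prioritises, checks that every risk above the criterion has a treatment option, and builds a Statement of Applicability in which every Annex A control is either justified by a risk or explicitly excluded. The 1–5 scales, the acceptance threshold of 6, the sample risks and the four-control Annex A excerpt are constructed assumptions; only the control numbers and names are real.

```python
"""Minimal ISMS risk register for Clauses 6.1.2 (assessment) and 6.1.3 (treatment, SoA).
Added example, not code from the standard or from Orizon. The 1-5 scales, the
acceptance threshold, the sample risks and the Annex A excerpt are constructed
assumptions; only the Annex A control numbers and names are real."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

class Treatment(Enum):
    MODIFY = "modify"   # reduce likelihood or impact with controls
    ACCEPT = "accept"   # allowed only within the acceptance criteria
    AVOID = "avoid"     # stop the activity that creates the risk
    SHARE = "share"     # transfer to a third party (insurance, outsourcing)

# Constructed acceptance criterion: level = consequence x likelihood (1-5 scales);
# a level at or below this value may be accepted by the risk owner.
ACCEPTANCE_THRESHOLD = 6

@dataclass
class Risk:
    rid: str
    description: str
    owner: str                   # 6.1.2 c) 2): every risk has an identified owner
    consequence: int             # 1 negligible .. 5 severe
    likelihood: int              # 1 rare .. 5 almost certain
    treatment: Treatment | None = None
    controls: list[str] = field(default_factory=list)   # Annex A control ids

    def level(self) -> int:
        """6.1.2 d) 3): level of risk. Rejecting out-of-scale scores keeps
        repeated assessments comparable."""
        if not (1 <= self.consequence <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.rid}: scores must be on the 1-5 scale")
        return self.consequence * self.likelihood

    def needs_treatment(self) -> bool:
        return self.level() > ACCEPTANCE_THRESHOLD  # 6.1.2 e) 1): compare with criteria

def prioritise(risks: list[Risk]) -> list[str]:
    """6.1.2 e) 2): risk ids ordered for treatment, highest level first."""
    return [r.rid for r in sorted(risks, key=lambda r: r.level(), reverse=True)]

def check_treatment_plan(risks: list[Risk]) -> list[str]:
    """6.1.3 a)-b): risks above the criteria need a treatment option, MODIFY
    needs controls, and ACCEPT cannot be used above the threshold."""
    problems = []
    for r in risks:
        if r.needs_treatment() and r.treatment is None:
            problems.append(f"{r.rid}: level {r.level()} above criteria, no treatment")
        elif r.needs_treatment() and r.treatment is Treatment.ACCEPT:
            problems.append(f"{r.rid}: accepted above the acceptance threshold")
        if r.treatment is Treatment.MODIFY and not r.controls:
            problems.append(f"{r.rid}: MODIFY chosen but no controls determined")
    return problems

def build_soa(risks: list[Risk], annex_a: dict[str, str],
              exclusions: dict[str, str]) -> dict[str, dict]:
    """6.1.3 c)-d): one row per Annex A control, included with the risks that
    justify it or excluded with a written rationale. justification=None is the
    'not applicable, no reason given' gap that auditors flag."""
    soa = {}
    for cid, name in annex_a.items():
        treating = [r.rid for r in risks if cid in r.controls]
        if treating:
            soa[cid] = {"name": name, "applicable": True,
                        "justification": "treats " + ", ".join(treating)}
        else:
            soa[cid] = {"name": name, "applicable": False,
                        "justification": exclusions.get(cid)}
    return soa

def soa_gaps(soa: dict[str, dict]) -> list[str]:
    # Controls neither justified by a risk nor explicitly excluded.
    return [cid for cid, row in soa.items() if row["justification"] is None]

# Constructed sample data for a SaaS-platform scope.
ANNEX_A_EXCERPT = {
    "5.23": "Information security for use of cloud services",
    "8.9": "Configuration management",
    "8.12": "Data leakage prevention",
    "7.7": "Clear desk and clear screen",
}
SAMPLE_RISKS = [
    Risk("R1", "Customer database exposed by a misconfigured cloud bucket",
         "CTO", 5, 3, Treatment.MODIFY, ["5.23", "8.9"]),
    Risk("R2", "Customer export emailed to a personal address",
         "Head of Support", 4, 2, Treatment.MODIFY, ["8.12"]),
    Risk("R3", "Stale test accounts left in the staging environment",
         "CTO", 2, 3, Treatment.ACCEPT),
]
EXCLUSIONS = {"7.7": "fully remote workforce; no shared office within scope"}
```

Running `check_treatment_plan(SAMPLE_RISKS)` returns an empty list and `soa_gaps(build_soa(SAMPLE_RISKS, ANNEX_A_EXCERPT, EXCLUSIONS))` is empty; drop the 7.7 exclusion and the same call reports the unjustified control, which is the "not applicable without a reason" finding described later in this guide.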
Clause 6.2 — Information Security Objectives
You must set measurable security objectives at relevant functions and levels. These objectives must:
- Be consistent with the policy
- Be measurable (if practicable)
- Take into account applicable requirements and risk assessment results
- Be monitored, communicated, and updated as appropriate
- Be available as documented information
For each objective, you must determine: what will be done, what resources are needed, who is responsible, when it will be completed, and how results will be evaluated.
Clause 6.3 — Planning of Changes
When you need to change the ISMS, the changes must be carried out in a planned manner. This clause aligns ISO 27001 with the harmonised structure for management system standards (Annex SL), which requires planned change management across all ISO management systems.
Phase 4: Build the Support Structure
Standard references: Clauses 7.1, 7.2, 7.3, 7.4, 7.5
Clause 7.1 — Resources
The organisation must determine and provide the resources needed for the ISMS. This includes budget, people, tools, and time.
Clause 7.2 — Competence
Anyone doing work that affects information security performance must be competent — based on education, training, or experience. You must:
- Determine the necessary competence
- Ensure people are competent
- Take actions to acquire competence where needed (and evaluate effectiveness)
- Retain documented evidence of competence
Clause 7.3 — Awareness
Everyone working under the organisation's control must be aware of:
- The information security policy
- Their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance
- The implications of not conforming to ISMS requirements
This is why security awareness training exists. But the standard does not prescribe the format — it could be e-learning, workshops, onboarding sessions, or regular briefings.
Clause 7.4 — Communication
You must determine what to communicate about the ISMS, when, with whom, and how. This covers both internal communication (staff updates, incident notifications) and external communication (regulatory notifications, client assurance).
Clause 7.5 — Documented Information
The ISMS must include documented information required by the standard and whatever additional documentation the organisation determines is necessary for effectiveness.
The standard specifies requirements for:
- Creating and updating documentation — with proper identification (title, date, author, reference number), format, and review/approval
- Controlling documentation — ensuring it is available when needed, adequately protected, and subject to version control, retention, and disposition
Key insight: The extent of documentation varies from organisation to organisation. The standard explicitly acknowledges this depends on the size of the organisation, the complexity of its processes, and the competence of its people. You do not need a 500-page manual. You need documentation that is useful, current, and controlled.
Mandatory Documented Information
The standard requires you to retain documented information for the following (at minimum):
| Requirement | Standard Reference |
|---|---|
| ISMS scope | Clause 4.3 |
| Information security policy | Clause 5.2 |
| Risk assessment process | Clause 6.1.2 |
| Risk treatment process | Clause 6.1.3 |
| Statement of Applicability | Clause 6.1.3 d) |
| Information security objectives | Clause 6.2 |
| Evidence of competence | Clause 7.2 d) |
| Operational planning and control | Clause 8.1 |
| Risk assessment results | Clause 8.2 |
| Risk treatment results | Clause 8.3 |
| Monitoring and measurement results | Clause 9.1 |
| Audit programme and audit results | Clause 9.2.2 |
| Management review results | Clause 9.3.3 |
| Nonconformities and corrective actions | Clause 10.2 |
Phase 5: Operate the ISMS
Standard references: Clauses 8.1, 8.2, 8.3
Clause 8.1 — Operational Planning and Control
This is where planning meets execution. You must:
- Establish criteria for the processes determined in Clause 6
- Implement control of those processes in accordance with the criteria
- Retain documented information to the extent necessary to have confidence that processes were carried out as planned
- Control planned changes and review the consequences of unintended changes
- Ensure externally provided processes, products, or services that are relevant to the ISMS are controlled
Clause 8.2 — Information Security Risk Assessment
You must perform risk assessments at planned intervals or when significant changes are proposed or occur. This is not a one-time activity — the standard requires it to be ongoing.
Clause 8.3 — Information Security Risk Treatment
You must implement the risk treatment plan and retain documented information of the results.
What this looks like day-to-day: Once your ISMS is live, you are running the processes you defined — monitoring controls, processing incidents, tracking risk treatment actions, and keeping documentation current. The ISMS is not a binder on a shelf. It is how you operate.
Phase 6: Measure and Evaluate Performance
Standard references: Clauses 9.1, 9.2, 9.3
Clause 9.1 — Monitoring, Measurement, Analysis, and Evaluation
You must determine:
- What needs to be monitored and measured
- The methods to ensure valid results (comparable and reproducible)
- When monitoring and measuring will be performed
- Who will monitor and measure
- When results will be analysed and evaluated
- Who will analyse and evaluate
This is how you prove the ISMS is working. Examples include tracking incident response times, measuring policy compliance rates, and monitoring control effectiveness.
Clause 9.2 — Internal Audit
The organisation must conduct internal audits at planned intervals to determine whether the ISMS conforms to its own requirements, the standard's requirements, and is effectively implemented and maintained.
The standard requires you to:
- Plan, establish, implement, and maintain an audit programme
- Define the audit criteria and scope for each audit
- Select auditors who ensure objectivity and impartiality
- Report audit results to relevant management
Common question: Can we audit ourselves? Yes — but the auditors must be objective and impartial. They cannot audit their own work. In small organisations, this often means cross-departmental auditing or bringing in an external auditor for the internal audit programme.
Clause 9.3 — Management Review
Top management must review the ISMS at planned intervals. The review must consider:
- Status of actions from previous reviews
- Changes in external and internal issues
- Changes in needs of interested parties
- Feedback on information security performance, including trends in: nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfilment of information security objectives
- Feedback from interested parties
- Risk assessment results and risk treatment plan status
- Opportunities for continual improvement
The outputs must include decisions related to improvement opportunities and any needs for changes to the ISMS. These results must be documented.
Phase 7: Improve Continuously
Standard references: Clauses 10.1, 10.2
Clause 10.1 — Continual Improvement
The organisation must "continually improve the suitability, adequacy and effectiveness of the information security management system." This continual improvement requirement is what makes the ISMS a living system rather than a one-time compliance exercise.
Clause 10.2 — Nonconformity and Corrective Action
When something goes wrong (a nonconformity), the standard requires you to:
- React — take action to control and correct it, and deal with the consequences
- Evaluate — determine the root cause and whether similar nonconformities exist or could potentially occur
- Implement — take any action needed
- Review — evaluate whether the corrective action was effective
- Make changes — update the ISMS if necessary
Corrective actions must be proportionate to the effects of the nonconformities. You must document: the nature of the nonconformity, actions taken, and the results of those actions.
Annex A: The 93 Controls
Annex A is normative — meaning it is a required part of the standard, not optional guidance. It contains 93 information security controls organised into four themes:
| Theme | Controls | What It Covers |
|---|---|---|
| 5 — Organisational | 37 controls | Policies, roles, asset management, access control, supplier relationships, incident management, business continuity, compliance |
| 6 — People | 8 controls | Screening, employment terms, awareness training, disciplinary process, responsibilities after termination, NDAs, remote working |
| 7 — Physical | 14 controls | Physical perimeters, entry controls, securing offices, monitoring, equipment protection, storage media, utilities, cabling |
| 8 — Technological | 34 controls | User devices, privileged access, authentication, malware, vulnerability management, logging, network security, encryption, secure development, data masking, DLP, monitoring |
How Annex A Works
You do not need to implement all 93 controls. The standard requires you to:
- During risk treatment (Clause 6.1.3), determine the controls necessary for your chosen treatment options
- Compare your selected controls with the Annex A list to verify you have not overlooked anything
- Document which controls you are applying, why, and — critically — the justification for excluding any Annex A controls
This comparison is captured in the Statement of Applicability (SoA), which is one of the most scrutinised documents during a certification audit.
Notable Controls for Modern Organisations
Some of the 93 controls are particularly relevant to today's threat landscape. ISO/IEC 27002:2022 (the companion implementation guidance) identifies 11 controls that did not exist in the 2013 edition — these are marked below. ISO 27001 itself does not label controls as "new," but understanding which controls were added helps organisations focus their gap analysis.
| Control | Name | Why It Matters |
|---|---|---|
| 5.7 | Threat intelligence | Requires collecting and analysing threat information — directly relevant to NIS2 requirements (new per ISO 27002:2022) |
| 5.23 | Information security for use of cloud services | Addresses acquisition, use, management, and exit from cloud services (new per ISO 27002:2022) |
| 5.30 | ICT readiness for business continuity | Plans for maintaining ICT service levels during disruption (new per ISO 27002:2022) |
| 8.9 | Configuration management | Requires managing security configurations of hardware, software, services, and networks (new per ISO 27002:2022) |
| 8.10 | Information deletion | Requires deleting information when no longer needed — aligns with GDPR data minimisation (new per ISO 27002:2022) |
| 8.11 | Data masking | Requires data masking in accordance with access control policies and business requirements (new per ISO 27002:2022) |
| 8.12 | Data leakage prevention | Requires DLP measures for systems handling sensitive information (new per ISO 27002:2022) |
| 8.16 | Monitoring activities | Requires monitoring of networks, systems, and applications for anomalous behaviour (new per ISO 27002:2022) |
| 8.23 | Web filtering | Requires managing access to external websites to reduce exposure to malicious content (new per ISO 27002:2022) |
| 8.28 | Secure coding | Requires secure coding principles to be applied in software development (new per ISO 27002:2022) |
The remaining new control identified by ISO 27002:2022 is 6.8 — Information security event reporting, which requires a mechanism for personnel to report observed or suspected security events through appropriate channels.
Common Mistakes That Auditors Flag
Based on publicly available guidance from certification bodies and accreditation forums, these are the areas where organisations most frequently encounter findings:
1. Statement of Applicability Gaps
The SoA must justify both inclusions and exclusions. Auditors flag SoAs that exclude controls without a documented rationale linked to the risk assessment. Saying "not applicable" without explaining why is a nonconformity.
2. Risk Assessment Is a Spreadsheet Exercise
The standard requires a process that produces "consistent, valid and comparable results" when repeated. If your risk assessment is a one-time spreadsheet that no one updates, it does not meet the standard.
3. Top Management Is Absent
Clause 5.1 has eight specific requirements for top management. If the CEO cannot describe the information security policy or explain how the ISMS relates to business strategy, the auditor will raise it.
4. No Evidence of Monitoring
Clause 9.1 requires you to determine what to monitor, how, and when. If you cannot show evidence that monitoring is happening and that results are being analysed, you have a gap.
5. Corrective Actions Do Not Address Root Cause
Clause 10.2 requires you to evaluate "the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere." Quick fixes without root cause analysis are flagged.
6. Awareness Is a Checkbox
Clause 7.3 requires that everyone under the organisation's control is aware of the policy, their contribution, and the implications of non-conformance. An annual email is rarely sufficient evidence.
Realistic Certification Timeline
Every organisation is different, but here is a realistic timeline based on the standard's requirements:
| Phase | Activities | Typical Duration |
|---|---|---|
| Preparation | Secure management commitment, appoint ISMS manager, define scope | 2–4 weeks |
| Gap analysis | Assess current state against Clauses 4–10 and Annex A | 2–4 weeks |
| Risk assessment | Build risk methodology, identify and assess risks, determine treatment | 4–8 weeks |
| Documentation | Write policies, procedures, SoA, risk treatment plan | 4–8 weeks |
| Implementation | Deploy controls, train staff, run processes | 8–16 weeks |
| Internal audit | Conduct at least one full internal audit cycle | 2–4 weeks |
| Management review | Top management reviews ISMS performance | 1–2 weeks |
| Stage 1 audit | Certification body reviews documentation and readiness | 1–2 days |
| Remediation | Address any Stage 1 findings | 2–6 weeks |
| Stage 2 audit | Certification body audits implementation and effectiveness | 2–5 days |
Total: approximately 6 to 12 months for most mid-market organisations, depending on size, complexity, existing maturity, and resource allocation.
The certification cycle is three years. After the initial certification, you will undergo surveillance audits (typically annually) and a full recertification audit before the certificate expires.
The Relationship with Other Standards and Regulations
ISO 27001 does not exist in isolation. Understanding how it connects to other frameworks helps you avoid duplicate work:
| Framework / Regulation | Relationship to ISO 27001 |
|---|---|
| ISO/IEC 27002:2022 | Implementation guidance for Annex A controls — same 93 controls with detailed how-to |
| NIS2 Directive | Article 21 risk management measures map closely to ISO 27001 Clauses 6 and 8 |
| DORA | ICT risk management requirements align with ISO 27001 risk assessment and business continuity controls |
| GDPR | ISO 27001 certification can serve as evidence of "appropriate technical and organisational measures" (Article 32) |
| SOC 2 | Significant overlap in controls; ISO 27001 certification often satisfies client requests for SOC 2 |
| NIST CSF 2.0 | ISO 27001 controls map to NIST CSF categories; organisations often use both |
Getting Started
Implementing ISO 27001 is not a technology project — it is an organisational change programme with technology components. The standard is deliberately designed to be scaled to any organisation's size and complexity.
The most successful implementations share three characteristics:
- Genuine management commitment — not just a signature on a policy, but active involvement in reviews, resource allocation, and strategic alignment
- A risk-based approach — starting from actual business risks rather than trying to implement every control at maximum maturity
- Integration with existing processes — embedding security into how the organisation already operates, rather than building a parallel bureaucracy
The standard itself acknowledges this: "It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization."
ISO/IEC 27001:2022 is published by the International Organization for Standardization. This article provides educational guidance based on the standard's requirements but does not reproduce the standard's full text. Organisations pursuing certification should obtain the official standard from ISO or their national standards body.
If your organisation needs help scoping, implementing, or preparing for an ISO 27001 certification audit, get in touch. Orizon's compliance team works with mid-market organisations across Europe to build practical, audit-ready ISMS implementations.