Glossary · Cyber

ISO/IEC 27001 Information Security Management Systems.

The international standard for information security management systems, published jointly by ISO and IEC, with more than 70,000 certified sites worldwide and broad regulatory recognition.

ISO 27001.

What it is.

ISO/IEC 27001 is developed jointly by ISO/IEC JTC 1 SC 27, the Information security, cybersecurity and privacy protection subcommittee. The current edition, ISO/IEC 27001:2022, was published October 25, 2022 and superseded the 2013 edition. The 2022 revision aligned with the Annex SL high-level structure shared across ISO management-system standards, simplified the language of the management-system clauses, and replaced the Annex A controls list with a reference to the newly restructured ISO/IEC 27002:2022 controls catalog. The transition deadline for certificates issued under the 2013 edition was October 31, 2025, by which date all existing certifications had to migrate to the 2022 edition.

The standard's structure follows ten clauses (scope, normative references, terms and definitions, context of the organization, leadership, planning, support, operation, performance evaluation, improvement) plus Annex A. The 2022 Annex A reorganized 93 controls into four themes: Organizational (37), People (8), Physical (14), and Technological (34). Twelve controls are new in 2022, including threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, and prevention of data leakage on cloud and digital workspaces.

Certification is performed by certification bodies accredited under the IAF Multilateral Recognition Arrangement. Major accreditation bodies include UKAS (UK), DAkkS (Germany), ANAB (US), JAB (Japan), and SCC (Canada). The certification cycle is three years: an initial Stage 1 documentation review, a Stage 2 implementation audit, and annual surveillance audits in years one and two, with a recertification audit in year three. The ISMS scope is defined by the certified organization and is documented on the certificate; partial-scope certifications (covering specific business units or services) are common.

Cross-border implication.

For a foreign-headquartered firm entering the US enterprise market, ISO/IEC 27001 is the international counterpart to SOC 2 Type II for cybersecurity attestation. US enterprise procurement increasingly accepts either ISO 27001 or SOC 2; some sectors (federal procurement, US healthcare, US financial services) lean toward SOC 2 and FedRAMP, others (multinational accounts, European-headquartered US buyers) lean toward ISO 27001. Many firms maintain both in parallel to address the full US procurement spectrum.

For a US-headquartered firm selling to EU, UK, and global enterprise buyers, ISO 27001 is widely required and is the de facto international ISMS standard. The reciprocal recognition under the IAF MLA means a US ISMS certified by an ANAB-accredited certification body is accepted by EU buyers on the same footing as a DAkkS- or UKAS-accredited certificate. The substantive controls overlap heavily with SOC 2, NIST 800-171, and NIST CSF; the gap to bridge for a SOC 2 Type II-certified US firm targeting ISO 27001 is typically 3 to 6 months of documentation work.

Where this shows up on the GMA work.

ISO 27001 sits on the SaaS, cloud, IT-services, and infrastructure trajectory work in the Operators entering the US book, on the Answers hub for cybersecurity-attestation questions, and alongside SOC 2, NIST 800-171, and ISO 9001. The presentation work covers how the firm names its ISO 27001 certification, its scope, its accreditation body, its surveillance-audit history, and its 2022-edition transition status on US-facing surfaces. The implementation, internal audit, and certification work belongs with the firm's information-security function and an IAF-accredited certification body.

Scope note.

Global Marketing Agency does not provide ISO 27001 implementation, internal audit, certification, or transition planning services. Those activities belong to the firm's information-security function and an IAF-accredited certification body. GMA works on how the firm's ISO 27001 posture is presented, sequenced, and read on US-facing surfaces.

If a US enterprise buyer is asking for an ISO 27001 certificate that the firm does not yet hold, or whose scope does not match the procurement specification.

Send the service in scope, the current certification status, and the target accreditation body. Response within one business day.

Start the conversation

Sources cited on this page: ISO/IEC 27001:2022, ISO/IEC 27002:2022, ISO Survey of certifications 2023, IAF Multilateral Recognition Arrangement, ANSI National Accreditation Board (ANAB), ISO/IEC 27701:2019.
