ISO 27001
ISO/IEC 27001 is the international standard for an information security management system (ISMS). It is the certification that European enterprise procurement teams most commonly require of software vendors, and the framework most NIS 2 entities use to demonstrate alignment.
The 2022 revision restructured Annex A into 93 controls grouped under four themes (organisational, people, physical, technological), down from 114 in the 2013 version. Certification involves a Stage 1 documentation audit, a Stage 2 operational audit, annual surveillance, and a three-year recertification cycle. European buyers treat ISO 27001 as table stakes for software vendors handling regulated data, and NIS 2 obligations map heavily onto Annex A controls.
Practical guides
ISO 27001 Annex A: the 93 controls in the 2022 revision
Annex A of ISO/IEC 27001:2022 lists 93 reference controls in four themes: 37 organisational, 8 people, 14 physical, 34 technological. The previous 2013 version had 114 controls in 14 domains. The change is structural, not a relaxation of scope.
ISO 27001 certification path: from gap assessment to recertification
ISO 27001 certification follows a fixed path: gap assessment (optional), ISMS implementation, internal audit and management review, Stage 1 and Stage 2 audit by an accredited body, annual surveillance audits, recertification in year three.