ISO 27001

Also known as: ISO/IEC 27001, Information Security Management System standard

ISO/IEC 27001 is the international standard for an information security management system (ISMS). It is the certification European enterprise procurement most commonly asks software vendors for, and the framework most NIS 2 entities use to demonstrate alignment.

What ISO 27001 actually certifies

ISO 27001 certifies an Information Security Management System: the policies, processes, and controls an organisation operates to manage information security risk. Certification is issued by an accredited certification body after a two-stage audit and is renewed on a three-year cycle with annual surveillance.

The standard has two structural halves. Clauses 4 to 10 (the management system clauses) cover context, leadership, planning, support, operation, performance evaluation, and improvement. Annex A lists reference controls the organisation selects from based on its risk assessment.

The 2022 revision

ISO/IEC 27001:2022 restructured Annex A to 93 controls grouped under four themes (organisational, people, physical, technological), down from 114 controls in the 2013 version. The management system clauses are largely unchanged. Organisations on the 2013 version had until October 2025 to transition.

Why European buyers ask for it

European enterprise procurement teams treat ISO 27001 as table stakes for software vendors handling regulated or sensitive data, for three reasons: it is a certification rather than a self-attestation, it is internationally recognised, and the obligations of NIS 2 and the cybersecurity requirements of the EU AI Act map heavily onto Annex A controls. An ISO 27001 certificate often shortens the security review by weeks.