ISO 27001 Frequently Asked Questions (FAQs)
Helping you protect what matters.
What is ISO 27001?
ISO 27001 is the international standard for information security management. It provides a structured framework that organizations can use to protect sensitive data, manage risks, and demonstrate to customers and partners that security is a top priority.
At its core, ISO 27001 helps you:
- Identify risks to your information (like cyber threats, data loss, or unauthorized access).
- Put safeguards in place (technical, physical, and organizational).
- Continually improve your security practices.
Is ISO 27001 suitable for small businesses?
Absolutely. ISO 27001 isn’t just for large corporations—it’s designed to scale. Even small organizations can implement an Information Security Management System (ISMS) that fits their size. You’ll need to:
- Identify your stakeholders (who cares about your information security).
- Assess your risks.
- Put the right policies and safeguards in place.
With the right guidance, small businesses can achieve certification and show customers they take security seriously.
What is the current version of the ISO 27001 ISMS standard?
ISO 27001:2022 is the current version of the standard. It went into effect in 2022 and all companies previously certified need to update to the 2022 version by October 31, 2025.
Can we skip or replace ISO 27001 measures?
Yes. ISO 27001 Annex A lists a wide range of information security controls, but you don’t need to apply all of them. You’re expected to:
- Identify your risks.
- Determine which controls are most suitable for your business.
- Document why you included or excluded specific measures.
While you can use controls from other frameworks, most organizations stick with the Annex A measures—they’re practical, widely recognized, and make audits easier.
How long must we operate before we can receive certification?
There’s no “age requirement” for ISO 27001. What matters is that your ISMS is up and running long enough to prove it works. Typically, it takes 6–12 months from setup to certification. Even startups can obtain certification if they implement and test their system for a reasonable period.
What are the three pillars of the ISO 27001 information security standard?
The foundation of the ISO 27001 standard rests on three core principles:
- Confidentiality – Information is accessible only to those authorized.
- Integrity – Information remains accurate and trustworthy.
- Availability – Information is available when needed.
Together, these create a balanced approach to managing risk.
What are the four themes of ISO 27001?
Think of ISO 27001 as being built on four pillars of security:
- Organizational – leadership, roles, and processes.
- People – training, awareness, and accountability.
- Physical – protecting your facilities and equipment.
- Technological – securing your IT systems and data.
What are the 6 key security areas under ISO 27001?
These are the practical areas small businesses usually focus on first:
- Policies – clear guidelines for managing information security.
- Organization – defined responsibilities and leadership.
- Human Resources – training employees to recognize risks.
- Asset Management – protecting information assets.
- Access Control – restricting data access to the right people.
- (Other key areas extend into monitoring, compliance, and continual improvement.)
What is the Statement of Applicability (SoA)?
The SoA is one of the most important documents in ISO 27001. It lists all possible controls from Annex A and shows:
- Which ones you’ve chosen.
- Which ones you’ve excluded.
- Why you made those decisions.
It’s essentially your roadmap for proving that your security decisions are risk-based and justified.
What is Annex A?
Annex A is the heart of ISO 27001—it contains 93 security controls, grouped into four domains. These controls are practical steps you can take to secure your business, ranging from access management to supplier security.
What are the 14 categories of controls in Annex A?
Annex A of the 2013 edition grouped its controls into 14 categories (the 2022 edition consolidates them into the four themes described above). The 14 categories cover a wide range of security areas, including:
- Policies (A.5) – aligning security policies with business practices.
- Organization (A.6) – assigning security roles and managing remote work.
- Human Resources (A.7) – ensuring employees and contractors know their responsibilities.
- Asset Management (A.8) – identifying and classifying information assets.
- Access Control (A.9) – limiting data access.
- Cryptography (A.10) – protecting sensitive data with encryption.
- Physical & Environmental Security (A.11) – preventing unauthorized facility access and equipment damage.
- Operations Security (A.12) – safeguarding IT systems from threats.
- Communications Security (A.13) – protecting data in transit.
- System Acquisition & Maintenance (A.14) – building security into new systems.
- Supplier Relationships (A.15) – securing third-party interactions.
- Incident Management (A.16) – preparing for and handling breaches.
- Business Continuity (A.17) – ensuring operations continue during disruptions.
- Compliance (A.18) – meeting legal and regulatory requirements.
What are the 10 clauses of ISO 27001?
Beyond Annex A, ISO 27001 has a management system structure built around 10 clauses:
- Clause 4: Context of the organization
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance evaluation
- Clause 10: Improvement
- (Clauses 1–3 are introductory and not auditable.)
Final Thought
At Core Business Solutions, we specialize in helping small businesses achieve ISO 27001 certification without unnecessary complexity. Our consultants walk you through every step—risk assessment, documentation, training, and audit preparation—so you can focus on running your business while knowing your information is secure.
At Core Business Solutions, we make ISO certification simple and practical. We’ll guide you step by step through implementation, training, and audit preparation—so you can focus on running your business with confidence.
American Made
Core Business Solutions is an American business helping American small businesses. We started out with two brothers in a basement, an entrepreneurial spirit, and a desire to help. Today, we help hundreds of American businesses achieve certification and improve their processes every year. We want to help you meet and exceed customer expectations.
