ISO 27001 is the international standard for information security management systems. The current edition, ISO 27001:2022, was published in October 2022 and replaced ISO 27001:2013. This section of the Knowledge Base covers every clause of the standard in plain language, explaining what each requirement means in practice and what you need to do to comply.
For the Annex A controls of ISO 27001:2022, see ISO 27001 Annex A Controls.
The standard provides a framework for an organisation to manage the confidentiality, integrity and availability of the information it holds. That includes information about the organisation itself, its staff, its customers and its suppliers, in whatever form it takes. The aim is not to lock everything down, but to make conscious, risk-based decisions about what needs protecting and how.
An information security management system (ISMS) built to ISO 27001 sits across the business rather than inside the IT function. It pulls together the policies, processes, people and technology needed to keep information safe, and gives top management a way to see whether those arrangements are actually working.
The 2022 edition kept the main clause structure (Clause 4 through Clause 10) almost unchanged from ISO 27001:2013. The biggest shift is in Annex A, the catalogue of reference controls. The 2013 version listed 114 controls in 14 categories. The 2022 version condenses these into 93 controls grouped under four themes: organisational, people, physical and technological. Eleven new controls were added, including threat intelligence, information security for cloud services, ICT readiness for business continuity and data masking.
Organisations already certified to the 2013 version were given a transition period to move across to the 2022 edition. From 1 November 2025, all certificates issued must be against ISO 27001:2022.
The alphaZ ISO 27001 Toolkit provides a complete set of policies, procedures, registers and audit checklists that map to the requirements of the standard. The toolkit is built around the IMS1 Integrated Management System Manual, which can be used on its own or alongside other ISO standards in a single integrated system. Each clause article in this section signposts the specific alphaZ documents that help demonstrate compliance with that clause.
The 2022 edition has not changed the fundamentals - top management still has to set the direction, risks still have to be assessed and treated, and internal audits and management reviews still have to happen. What has changed is the language around controls, which is more flexible, and the focus on information in all its forms rather than just IT systems.
When I audit against ISO 27001 I want to see that the organisation has thought about its information seriously and made deliberate decisions, rather than just bought a policy pack and filed it. The Statement of Applicability is the document that tells me what is in scope and what has been excluded, with reasons. It is the first thing I ask for and the document I keep coming back to throughout the audit.