Question 1

What is ISO 27001?

Accepted Answer

ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). It provides a systematic framework for managing information security risks through policies, processes, controls, and evidence. Organizations certify their ISMS — not individual security controls — through a two-stage audit conducted by an accredited certification body (CB).

Question 2

How much does ISO 27001 certification cost?

Accepted Answer

ISO 27001 costs vary by organization size, scope, and current readiness. Typical ranges: $10,000-$50,000 for small organizations (under 50 employees), $25,000-$100,000 for mid-size. This includes internal time, optional consultant fees, and CB audit fees ($5,000-$20,000 for Stage 1 + Stage 2). Annual surveillance audits cost $1,500-$7,500. Organizations with existing SOC 2 can expect 30-40% reduction in implementation effort.

Question 3

What are the ISO 27001 mandatory clauses?

Accepted Answer

ISO 27001:2022 has 7 mandatory clauses (4-10): Context of the Organization (Clause 4), Leadership (Clause 5), Planning (Clause 6 — includes risk assessment and the Statement of Applicability), Support (Clause 7), Operation (Clause 8), Performance Evaluation (Clause 9 — includes internal audit and management review), and Improvement (Clause 10). Clauses 1-3 contain no requirements.

Question 4

What is the Statement of Applicability (SoA)?

Accepted Answer

The SoA is the central document in an ISO 27001 ISMS. It maps each of the 93 Annex A controls to the organization's risk treatment decisions — marking each as applicable or not applicable with justification, implementation status, and references to implementing documentation. The SoA is mandatory (Clause 6.1.3d) and is the auditor's primary reference during Stage 1.

Question 5

How long does ISO 27001 certification take?

Accepted Answer

Timeline depends on current readiness. Fast track (3-6 months): organizations with existing SOC 2, ISO 9001, or strong security programs. Typical (6-12 months): organizations starting from scratch with 50-500 employees. Complex (12-18 months): multi-site, regulated industries, or resource-constrained organizations. The certification audit itself has two stages: Stage 1 (documentation review, 1-2 days) and Stage 2 (implementation audit, 2-5 days).

Question 6

What are the 93 Annex A controls?

Accepted Answer

Annex A of ISO 27001:2022 contains 93 security controls organized into 4 themes: Organizational (A.5, 37 controls), People (A.6, 8 controls), Physical (A.7, 14 controls), and Technological (A.8, 34 controls). Organizations evaluate all 93 controls for applicability but only implement those justified by their risk assessment. Exclusions must be documented in the SoA.

Question 7

Is there a free ISO 27001 readiness assessment tool?

Accepted Answer

PlainAudit offers a free ISO 27001 readiness assessment that evaluates your preparedness across all 7 mandatory clauses and 93 Annex A controls. Unlike surface-level checklists, it maps documentation gaps to specific template documents you need for certification. No signup required — results with gap analysis in about 15 minutes.

Free ISO 27001 Readiness Assessment