Cutting Through the Complexity of ISO27001

Often considered the preeminent information security standard, ISO27001 is becoming an increasingly popular certification. Upon first look, it is a prescriptive, complex and time-consuming standard consisting of detailed requirements and an annex of 114 controls. AssuranceLab is here to cut through the complexity of ISO27001 and help anyone interested in certification gain a holistic view of what the standard expects of their organisation.


The simplest way to break down ISO27001 is to split it into two lists: Mandatory Requirements and Annex A Controls.


Mandatory Requirements

The ISO27001 requirements are the mandatory portion of the standard. The outcome of any certification audit is dependent upon these requirements being met through functional processes, adequate documentation and a management-led culture of commitment to information security. The requirement wording is prescriptive, and the standard itself provides extensive detail around the expectations of each process implemented. These details are what auditors will be looking for when it comes to certification, and therefore each must be in place for an organisation to be eligible for certification.


The core documents that must be in place for the mandatory requirements to be met include:

  • Information Security Management System (ISMS) (Including scope of the ISMS)
  • Information Security Policy
  • Information Security Risk Assessment
  • Information Security Risk Treatment Plan
  • Internal Audit Programme
  • Statement of Applicability


Annex A Controls

The key difference between the ISO27001 requirements and the Annex A Controls is that not all 114 controls are mandatory for certification to be achieved. Prior to a stage 1 or stage 2 certification audit, an organisation must create a Statement of Applicability, in which it assesses which controls from Annex A are and are not relevant to its implemented ISMS. For example, control A.11.1.6 speaks to the physical security of delivery and loading areas. If you are a cloud-based company that does not have any delivery or loading areas, this control is deemed not applicable. An auditor will still, however, assess the fairness and accuracy of the rationale provided for any control that is listed as not applicable. If you're feeling stuck or overwhelmed about how to create the Statement of Applicability, our ISO27001 readiness assessment will prove a valuable tool and help provide a clear view of the work required!


Next Steps


If you are new to ISO27001, this article should give you a high-level understanding of what the standard requires of organisations, and how to prioritise the design and implementation of both the mandatory requirements and the Annex A controls. If this still seems daunting, AssuranceLab partners with consultants who have expertise in ISO27001 implementation and can help your organisation implement processes and controls that will gain you certification.


If you have the core documents from the mandatory requirements list in place and have implemented the controls applicable to your organisation in Annex A, you are ready to begin the certification journey with AssuranceLab! Reach out to us to discuss our agile and collaborative approach to both stage 1 and stage 2 audits.