ISO/IEC 27001:2022 is the global standard for an information security management system, or ISMS. Companies of every size use it to take a systematic, risk-based approach to protecting information, systems, suppliers and people. It has moved from a nice-to-have to something regulators, customers and partners expect, and it is often written straight into contracts.
What the standard actually asks for
Leadership owns it
Security needs visible commitment from the top. Leaders set the policy, fund the work and stay involved in improving it. It cannot live in IT alone; it takes the whole organisation.
Scope it to real risk
Your ISMS scope is more than internal systems. Define it to cover your critical operations, suppliers and partners, cloud and third-party services, HR functions and physical sites. A clear scope avoids both audit gaps and wasted effort.
Manage risk, don't tick boxes
Risk assessment is the foundation. Identify your valuable assets, the threats and weaknesses against them, and rate the risk by real business impact. Then keep reassessing as threats, technology and rules change.
Pick controls that fit
Choose controls against your ranked risks. ISO 27002 gives the control set, now covering modern problems like targeted attacks, supply-chain risk, distributed work and cloud. Put in real, tested policies and technical measures rather than generic ones.
Document, and stay audit-ready
Keep practical, current documentation: policies, the control set, an asset inventory, risk treatment, incident records and governance minutes. Internal audits should check both the paperwork and how things actually run, and they should lead to real improvements.
Keep improving
Plan-Do-Check-Act is the rhythm. As your business and the rules around it change, keep refining controls, policies, supplier arrangements and training. Standing still is itself an audit risk.
What changed in the 2022 version
- The control groups are streamlined into four clear categories: organizational, people, physical and technological.
- New and revised controls address current realities: threat intelligence, configuration hardening, secure development, information lifecycle and cloud-provider assessment.
- Controls now carry attributes that map to frameworks like GDPR and sector rules, which makes compliance easier to show.
For a closer look at those, see ISO 27002:2022: the 11 new controls.
The 2024 climate amendment
In February 2024 ISO added Amendment 1 (climate action changes) to the 2022 standard. It updates clauses 4.1 and 4.2 so you must consider whether climate change is a relevant issue for your information security management system, and account for any climate-related expectations your interested parties have. It is a small addition rather than a new control set, but certification bodies now check for it at surveillance and recertification audits, so a current ISMS should address it.
A seven-step path to certification
- Leadership buy-in. Get executives to grant authority, fund the work and stay visibly involved.
- Gap analysis and scoped planning. Compare where you are against the standard. Cover the business units, systems, partners and regulations that matter, and set a scope that is ambitious but achievable.
- Asset inventory and risk assessment. Catalogue your technology, sites and people. Assess threats and weaknesses, and rank risks by likelihood and impact.
- Control selection and documentation. Put in place the technical and operational controls that address your risks, built into how you work. Write policies that are genuinely useful and kept current.
- Training and security culture. Give role-specific training to everyone, run incident-response drills, and make security a shared responsibility.
- Internal audit and management review. Check documentation, technical implementation, incident records and behaviour, then use the findings to improve the ISMS.
- Certification and surveillance audits. Go through the independent audit, then keep your evidence current for the ongoing surveillance audits.
What auditors look for
External auditors want evidence of:
- leadership involvement and oversight
- a documented scope and asset inventory
- current risk assessments and treatment plans
- working policies, process documentation and logs
- managed third-party, cloud and supplier risk, with real agreements and recovery plans
- regular governance reviews, with issues actually closed out
Working alongside other frameworks
Many companies run their ISMS next to other ISO standards, such as ISO 9001 for quality and ISO 22301 for continuity, on one governance base. Regulators and regulations such as GDPR, HIPAA and Reserve Bank of India guidance all expect security controls, contracts and oversight to be in place; ISO 27001 gives you a single framework for meeting several of those expectations at once rather than maintaining a separate programme for each.
Common pitfalls
The ones we see most often:
- under-scoping, leaving out suppliers or cloud services
- over-scoping, trying to cover more than you realistically can
- risk assessments and policies that never get updated
- treating security as an IT-only job
- shallow awareness training and drills
The fix is usually the same: automate where you can, run cross-team exercises, and make sure incidents lead to real change.
Where Singahi fits
We take ISO 27001 from gap assessment to certificate and keep you audit-ready afterwards, with certified people doing the work. See our ISO 27001 service, or get an assessment.
