ISO 27001: What It Is and How to Get Certified

ISO 27001:2022 explained for SMEs and midmarket: ISMS, the 93 Annex A controls, audit and certification step by step. Real cost and timelines.

Secra · May 2, 2026 · 10 min read

ISO 27001:2022 is the international standard for information security management. It is not a technical norm with a closed set of mandatory controls; it is a framework for designing, implementing and continuously improving an Information Security Management System (ISMS). The 2022 version introduces 93 controls in Annex A, organised across 4 domains (organisational, people, physical, technological). Getting certified requires an external audit by an accredited certification body (accredited by ENAC in Spain); the certificate is renewed every 3 years, with annual surveillance audits in between. For an SME of 50-200 employees, full implementation typically takes 5 to 9 months. It is the base on which other frameworks stack: it covers around 70% of NIS2 article 21 and around 75% of ENS, and is increasingly required in tenders.

What ISO 27001 is (2022 version)

ISO/IEC 27001:2022 is the current version of the international standard for information security management, published by ISO and IEC in October 2022. It replaces the 2013 version, in force for almost a decade.

ISO 27001 does not impose technologies or a closed list of controls. It defines a management framework (the ISMS) that each organisation adapts to its context, risks and risk appetite. The audit checks that the framework exists, is implemented, works and improves continuously.

The two key parts of the standard:

  • Clauses 4-10: ISMS requirements (context, leadership, planning, support, operation, performance evaluation, improvement). These clauses are mandatory and non-negotiable.
  • Annex A: list of 93 reference controls grouped in 4 categories. Which of them apply is decided in the Statement of Applicability (SoA) based on each organisation's risks.

What is ISO 27001 used for?

Commercial benefits

  • Access to tenders: more and more public and private tenders demand it as a prerequisite.
  • Access to enterprise clients: banks, insurers, healthcare and public administrations require it from their providers.
  • Reduction of security questionnaires: a valid certificate replaces a good chunk of SIG/CAIQ questionnaires.
  • Competitive differentiation: in sectors where only a minority is certified, it's a maturity signal.

Security benefits

  • Structured framework to manage risks instead of fighting fires.
  • Continuous improvement documented (PDCA) that prevents security from degrading over time.
  • Leadership involvement formally required by clause 5.
  • Defensible evidence in front of incidents, regulatory audits or expert assessments.

Fit with NIS2, DORA, ENS and GDPR

Framework | Approximate coverage with ISO 27001:2022
--- | ---
NIS2 (article 21) | 65-75%
DORA | 50-60% (DORA additionally demands TLPT, provider register, CTPP oversight)
ENS (Spanish Royal Decree 311/2022) | 70-80% (ENS adds ACIDA categorisation and public sector obligations)
GDPR | 60-70% in technical and organisational measures (article 32)

ISO 27001 is the foundation on which to stack the rest: it saves you from redoing work when you take on the next framework.

ISMS: the heart of ISO 27001

The Information Security Management System (ISMS) is the coordinated set of policies, procedures, roles, controls, resources and improvement activities the organisation deploys to manage information security.

Clauses 4-10 the ISMS must cover:

Clause | What it demands
--- | ---
4. Context | Determination of interested parties, ISMS scope, internal and external context
5. Leadership | Senior management commitment, security policy, roles and responsibilities (including the CISO or formal equivalent)
6. Planning | Risk analysis, treatment, measurable security objectives, change management
7. Support | Resources, competence and training, awareness, communication, documented information
8. Operation | Operational planning, periodic risk assessment, applied treatment
9. Performance evaluation | Monitoring, measurement, internal audit, management review
10. Improvement | Non-conformities, corrective actions, continuous improvement

These clauses follow the same high-level structure shared by the other ISO management standards (9001, 14001, 22301, 27701). If you already hold one of them, you start with 30-40% of the ISMS done.

The 93 Annex A controls (2022 version)

The 2022 version reorganised the previous 114 controls spread over 14 domains into 93 controls grouped in 4 categories, and incorporated 11 new controls aligned with current threats.

Annex A 2022 structure

Category | Controls | Focus
--- | --- | ---
A.5 Organisational controls | 37 | Policies, governance, vendor management, incident management
A.6 People controls | 8 | HR, training, discipline, remote work
A.7 Physical controls | 14 | Perimeter, secure areas, equipment, maintenance
A.8 Technological controls | 34 | Access, cryptography and PKI, operations security, communications, development

The 11 new controls in 2022

Control | What it requires
--- | ---
A.5.7 Threat intelligence | Collect and analyse intelligence on relevant threats
A.5.23 Cloud services security | Specific risk management of cloud providers
A.5.30 ICT readiness for continuity | Specific ICT plans within the BCP
A.7.4 Physical security monitoring | Intrusion detection on premises
A.8.9 Configuration management | Systematic hardening of configurations
A.8.10 Information deletion | Secure deletion procedures
A.8.11 Data masking | Anonymisation/pseudonymisation in non-production environments
A.8.12 Data leakage prevention (DLP) | DLP technology and processes
A.8.16 Monitoring activities | SIEM, anomaly detection, alerting
A.8.23 Web filtering | Web browsing control
A.8.28 Secure coding | Secure SDLC, code review, OWASP

How to get certified step by step

1. GAP analysis

Duration: 2-4 weeks. Compare the current state against clauses 4-10 and Annex A. Identify which policies, procedures and controls already exist, which need to be created and which need to be improved.

2. ISMS design

Duration: 4-8 weeks. Define scope, policy, roles, risk analysis methodology (typically Magerit or ISO 27005), risk treatment procedure, Statement of Applicability (SoA) and the procedures required by the clauses (documentary management, internal audit, non-conformities, management review).

3. Control implementation

Duration: 2-4 months. Real deployment of the controls selected in the SoA. The longest phase and the most dependent on prior maturity.

4. Internal audit

Duration: 2-3 weeks. An internal auditor (or a subcontracted external one, independent from the implementing team) verifies that the ISMS meets the requirements before it is exposed to the certification body, and identifies non-conformities and improvement opportunities.

5. Certification audit (Stage 1 + Stage 2)

Carried out by an accredited certification body:

  • Stage 1: documentary review of scope, policy, SoA, risk analysis and procedures. Determines whether the organisation is ready for Stage 2.
  • Stage 2: on-site audit with control sampling, interviews and evidence verification. If it passes, a certificate valid for 3 years is issued.

6. Three-year renewal and annual surveillance

  • Surveillance audit annually (years 1 and 2 of the cycle): verifies the ISMS continues working.
  • Renewal audit at year 3: similar to the initial, renews the certificate for 3 more years.

Project components and duration

Components involved

A full ISO 27001:2022 implementation from scratch typically includes:

  • Implementation consulting: GAP analysis, ISMS design, support to deploy the 93 Annex A controls.
  • Internal audit: independent of the implementing team; usually outsourced in small organisations.
  • Certification audit: Stage 1 (documentary review) + Stage 2 (on-site audit), carried out by an ENAC-accredited body (not Secra; you choose the body: AENOR, Bureau Veritas, TÜV Rheinland, SGS, DNV, LRQA, etc.).
  • Annual surveillance audits during the certificate's validity.
  • Renewal audit at the end of the three-year cycle.
  • Technical investment if there are major gaps (MFA, SIEM, DLP, EDR, document management). This depends entirely on your starting point.

Duration

  • Initial implementation: 5-9 months depending on prior maturity.
  • Certification: 6-10 additional weeks after finishing implementation.
  • If you already have ISO 9001 or another management ISO: the clauses 4-10 part is practically done and duration drops to 3-5 months.

ISO 27001 vs ISO 27002 vs ISO 27017 vs ISO 27018

Standard | What it is | Certifiable
--- | --- | ---
ISO/IEC 27001:2022 | ISMS requirements + Annex A of controls | Yes
ISO/IEC 27002:2022 | Detailed implementation guide for the 93 Annex A controls | No (guidance)
ISO/IEC 27017:2015 | Code of practice for cloud services, complementary to 27001 | Yes (extension)
ISO/IEC 27018:2019 | Personal data protection in cloud (PII), complementary to 27001 | Yes (extension)
ISO/IEC 27701:2019 | PIMS: Privacy Information Management System, extension of 27001 | Yes

The usual move: certify in 27001 and then add 27017+27018 if running cloud services, or 27701 if personal data management is critical.

Frequently asked questions

How much does ISO 27001 certification cost?

It depends on four factors: organisation size and complexity, ISMS scope (whole company or a unit/site/service), prior maturity (if you already have ISO 9001 or another management ISO, part of the ISMS is done) and the technical gaps to remediate (MFA, SIEM, DLP, EDR, etc.). The external audit is contracted with an ENAC-accredited body and is independent from consulting. For a budget tailored to your case, get in touch. More on related budget logic in penetration testing pricing in Spain.

How long does certification take?

Between 5 and 9 months from start to certification audit, depending on prior maturity and internal dedication. If you already have another management ISO (9001, 14001), it drops to 3-5 months.

Can the internal audit be done in-house?

Yes, as long as the internal auditor is independent from the team that implemented the ISMS. In small organisations it's usually outsourced to guarantee independence.

Which certification body to choose?

Any body accredited by ENAC in Spain (Bureau Veritas, AENOR, TÜV Rheinland, SGS, DNV, LRQA, etc.) or by an equivalent accreditation body from IAF MLA. The difference is in price, scheduling and sectoral reputation.

Does the certificate expire?

The certificate is valid for 3 years, conditional on passing the annual surveillance audits. At the end of the third year the renewal audit is carried out.

If I have ISO 27001 do I comply with NIS2?

Partially. ISO 27001:2022 covers approximately 70% of article 21 obligations of NIS2. Typical gaps are 24/72h notification, supply chain and specific board training. More in NIS2 in Spain: a compliance guide for 2026.

Can I certify only part of the organisation?

Yes. The ISMS scope gets defined in the SoA and can be a business unit, a site or a specific service. You have to be careful not to exclude critical interfaces, since that would compromise the coherence of the ISMS.

ISO 27001:2022 implementation at Secra

At Secra we accompany the full process: GAP analysis, ISMS design, support to deploy the 93 Annex A controls, independent internal audit and support until passing certification. Get in touch through contact or check our GRC consulting services.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
