ISO 27001 — ISMS, controls, PDCA cycle, and certification
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It defines requirements for establishing, implementing, maintaining, and continually improving information security within an organization. The current version is ISO 27001:2022, which reorganized Annex A controls into 4 themes: organizational, people, physical, and technological.
What Is an ISMS
An ISMS is not a toolset — it is a management system. It combines policies, processes, people, and technology working together to protect the confidentiality, integrity, and availability of information (CIA triad).
ISMS scope (example):
┌──────────────────────────────────────┐
│ Organization: Example Corp           │
│ Scope: customer data systems and     │
│ IT infrastructure at São Paulo HQ    │
│ Excluded: Rio branch (no customer    │
│ data processed there)                │
└──────────────────────────────────────┘
Defining the scope precisely is the first step — and one of the most critical for certification.
PDCA Cycle Applied to ISMS
| Phase | Action |
|---|---|
| Plan | Define scope, policy, objectives, risk assessment |
| Do | Implement controls, train staff, operate processes |
| Check | Internal audits, metrics, incident analysis |
| Act | Corrective actions, continual improvement, management review |
The management review (clause 9.3) must occur at least once a year and produce formal minutes with documented decisions.
Standard Structure (Clauses 4 to 10)
- 4 — Organizational context (interested parties, scope)
- 5 — Leadership (top management commitment, policy, roles)
- 6 — Planning (risks, objectives)
- 7 — Support (resources, competence, communication, documentation)
- 8 — Operation (control implementation)
- 9 — Performance evaluation (monitoring, internal audit)
- 10 — Improvement (nonconformities, corrective actions)
Annex A Controls (ISO 27001:2022)
The 2022 version has 93 controls across 4 themes:
- Organizational (37): policies, asset management, supplier security...
- People (8): screening, training, responsibilities, offboarding...
- Physical (14): physical access control, equipment security...
- Technological (34): identity management, cryptography, backup, logs...
Each control must be listed in the Statement of Applicability (SoA), with a justification for its inclusion or exclusion.
Certification Process
1. Gap analysis → identify the distance from current state to the standard
2. Implementation → address gaps, document evidence
3. Internal audit → validate the system before certification
4. Management review → formalize results
5. Certification audit Stage 1 → document review by the certification body
6. Certification audit Stage 2 → on-site verification
7. Certificate issued → valid for 3 years
8. Surveillance audits → annual (years 1 and 2)
9. Recertification → full audit in year 3
Certification bodies must be accredited by the national accreditation body (e.g., UKAS in the UK, ANAB in the US) per ISO/IEC 17021.
Useful ISMS Operational Metrics
- Mean time to respond to incidents (MTTR)
- Percentage of risks treated vs. total identified
- Security training coverage (% of staff)
- Number of open nonconformities from internal audits
- Percentage of Annex A controls with documented evidence