Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Knowledge Center

ISO 27001 Overview

What ISO 27001 actually certifies, the Plan-Do-Check-Act cycle, the Statement of Applicability, and how the certification audit process works.

5 min read

ISO 27001 is frequently described as a security standard, which is true but incomplete in a way that causes real confusion during implementation. What ISO 27001 actually certifies is a management system — a defined, repeatable process for managing information security risk — not simply a checklist of technical controls. This article covers what that distinction means in practice, the Plan-Do-Check-Act cycle at the core of the standard, the Statement of Applicability, and how the certification audit process actually works.

What ISO 27001 certifies

ISO/IEC 27001 certifies an organization's Information Security Management System (ISMS) — the formal, documented process by which the organization identifies information security risks, decides how to treat them, implements controls, and continually reviews and improves the whole system over time. This is a meaningfully different thing from certifying that a specific list of technical controls is in place. Two organizations can both be ISO 27001 certified with genuinely different technical control implementations, because the standard certifies that each organization has a sound, risk-based process for choosing and managing its own controls — not that both organizations chose identical ones.

A management system, not a control checklist

This is the most common misconception about ISO 27001. The certification audit evaluates whether the ISMS process itself is sound and consistently followed — risk assessment, control selection, monitoring, internal audit, management review — not merely whether a fixed set of technical safeguards exists. An organization with excellent technical controls but no functioning ISMS process around them will not pass a Stage 2 audit.

The Plan-Do-Check-Act cycle

ISO 27001 is built on the Plan-Do-Check-Act (PDCA) cycle, a continual improvement model rather than a one-time implementation project.

ISMScontinual cyclePlan
  • Establish the ISMS
  • Risk assessment
  • Statement of Applicability
Do
  • Implement controls
  • Treat identified risks
Check
  • Monitor performance
  • Internal audit
  • Management review
Act
  • Corrective action
  • Continual improvement
ISO 27001's ISMS runs on a continual PDCA cycle — each pass through Check and Act feeds directly back into the next Plan stage rather than treating certification as a one-time finish line.
The ISO 27001 PDCA cycle
PhaseWhat Happens
PlanEstablish the ISMS scope, conduct risk assessment, select controls, and produce the Statement of Applicability
DoImplement the selected controls and the operational processes that support the ISMS
CheckMonitor, measure, and internally audit the ISMS to verify it's operating as designed
ActTake corrective and improvement action based on audit findings, incidents, and management review

The cycle repeats continuously rather than concluding once certification is achieved — this is why ISO 27001 certification includes ongoing surveillance audits rather than a single point-in-time evaluation. An ISMS that stalls after initial certification, with no further risk reviews or internal audits, is not actually operating the standard it was certified against, even if the original technical controls remain unchanged.

Annex A controls and the Statement of Applicability

Annex A of ISO 27001 lists a reference set of roughly 93 information security controls spanning organizational, people, physical, and technological categories. Critically, an organization is not required to implement every Annex A control — it is required to produce a Statement of Applicability (SoA), a document that goes through each Annex A control and states whether it applies to the organization, and if so how it's implemented, or if not, why it was excluded based on the organization's own risk assessment.

The SoA is the artifact that connects the abstract risk assessment work in the Plan phase to concrete, auditable control decisions. An auditor reviewing the SoA is checking whether each inclusion and exclusion is actually justified by the organization's documented risk assessment — not whether the organization simply checked every box or copied a template from elsewhere.

The certification audit process

ISO 27001 certification audit stages
StageFocus
Stage 1 — Documentation reviewThe auditor reviews the ISMS scope, policies, risk assessment, and Statement of Applicability for completeness and readiness before proceeding
Stage 2 — Implementation auditThe auditor verifies that the documented ISMS is actually operating in practice — interviewing staff, sampling evidence, and testing whether controls function as described
Surveillance auditsConducted annually (typically) after initial certification, sampling parts of the ISMS to confirm it continues operating and improving

Certification is typically valid for three years, with annual surveillance audits in between and a full recertification audit at the end of the cycle. This structure reinforces that ISO 27001 is meant to certify an ongoing management discipline, not a static, one-time project.

Common mistakes

  • Treating the Statement of Applicability as a formality. Auditors expect genuine, risk-based reasoning behind each inclusion and exclusion — a copied or generic SoA is one of the most common Stage 1 findings.
  • Building an ISMS purely for the audit rather than for actual risk management. An ISMS that exists only as documentation, disconnected from how the organization actually manages risk day to day, tends to fail Stage 2 or degrade quickly after certification.
  • Stopping meaningfully after initial certification. PDCA is continuous; organizations that treat certification as a finish line rather than an operating discipline often struggle at their next surveillance audit.
  • Assuming every Annex A control must be implemented. The standard explicitly allows justified exclusions through the SoA — forcing implementation of controls that don't fit the organization's actual risk profile wastes effort without improving genuine security posture.

FAQ

Is ISO 27001 the same as SOC 2? No. ISO 27001 certifies the information security management system itself, through an internationally recognized certification process — it's a statement about how an organization manages risk. SOC 2 is an attestation that a defined set of controls operated effectively over a specific period of time, and is more common in US B2B SaaS contexts. Some organizations pursue both, since they serve different audiences and different due-diligence expectations.

How long does ISO 27001 certification typically take? It varies with organizational size and starting maturity, but building a functioning ISMS, completing risk assessment and the SoA, and passing both audit stages commonly takes several months to a year for organizations starting without an existing formal security management process.

Do we need to implement all ~93 Annex A controls? No. The Statement of Applicability process specifically allows an organization to exclude controls that don't apply to its risk profile, provided the exclusion is documented with genuine risk-based reasoning rather than convenience.

Operational Support

Need help implementing these findings?

IT KORR can coordinate DNS configuration, email authentication setup, and Microsoft 365 governance alignment. We work with your current providers — no migration required.

No commitment required — we respond within one business day.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT