ISO 27001: understanding, applying and succeeding in certification
From risk analysis to certification audit: what ISO 27001 really requires.
ISO/IEC 27001 is currently the benchmark for structuring information security management within an organization. It defines the requirements for an Information Security Management System (ISMS) and is, as such, the only certifiable international standard in this field. In a context where cyberattacks are increasing, regulatory obligations are strengthening (particularly with the NIS2 directive), and clients and partners demand increasing assurances, obtaining and maintaining ISO 27001 certification has become a strategic imperative for many organizations.
This article guides you through the fundamentals of the standard, its connections with other frameworks, the concrete steps for certification, and the conditions for maintaining long-term compliance.
What is ISO 27001?
ISO/IEC 27001 defines a framework of requirements for establishing, implementing, monitoring, reviewing, and continually improving an Information Security Management System. Its central objective is to protect three fundamental properties of information: confidentiality (i.e., access only by authorized individuals), integrity (the assurance that data has not been altered in an unauthorized manner), and availability (the accessibility of information at the right time by the right people).
The strength of ISO 27001 lies in its proactive approach. Rather than reacting to incidents, the standard mandates continuous risk assessment and a forward-looking strategy. It structures the approach around a Plan-Do-Check-Act cycle that ensures continuous improvement over time, rather than one-off compliance.
Its certifiable nature distinguishes it from other standards in the ISO 27000 family. An organization that obtains ISO 27001 certification receives official recognition, issued by an accredited body, attesting that its ISMS meets the standard's requirements. This sends a strong signal to clients, partners, regulators, and insurers.
ISO 27001 and Other Frameworks: Complementarities and Distinctions
ISO 27001 is part of an ecosystem of standards and regulations that it is useful to clearly distinguish, as confusion between these texts is common.
ISO 27001 and ISO 27002 form a natural pair. ISO 27001 defines what needs to be done done, i.e., the ISMS requirements, while ISO 27002 describes how implement the controls listed in Annex A. ISO 27002 is not certifiable, but it serves as the reference implementation guide. Its 2022 version reorganizes the measures into four themes: organizational, people, physical, and technological, which facilitates their operational deployment.
ISO 27001 and ISO 27005 are complementary for risk management. ISO 27001 mandates a rigorous risk analysis without prescribing the method. ISO 27005 provides a detailed methodology for conducting this analysis, consistent with ISMS requirements. Using ISO 27005 (or EBIOS Risk Manager, which draws inspiration from it) allows for a robust and auditable response to ISO 27001's risk analysis requirements. To delve deeper into this topic, consult our article dedicated to the ISO 27005 standard.
ISO 27001 and NIS2 operate under distinct frameworks. ISO 27001 is a voluntary process aimed at certification. NIS2 is a regulatory obligation imposed on essential and important entities, with penalties for non-compliance. The two are complementary: ISO 27001 provides a structuring framework that helps demonstrate the implementation of measures expected by NIS2, but it alone is not sufficient to guarantee regulatory compliance. For organizations subject to both, the recommended approach is integration within a common GRC framework. Our article on the NIS2 Directive details these obligations.
The three operational pillars of ISO 27001 certification
Before delving into the steps of the certification process, three structuring elements deserve particular attention as they will determine the success of the audit: the ISMS scope, the Statement of Applicability and audit preparation.
Defining the ISMS Scope
The scope (or scope) defines the processes, sites, systems, and data covered by the certification. Its definition is a strategic exercise, not merely an administrative one. A scope that is too broad unnecessarily complicates the process and increases certification costs. A scope that is too narrow may appear artificial to the auditor and create grey areas at interfaces with third parties.
The practical rule is to target what is truly critical for the organization in terms of information security, to explicitly identify exclusions, and to justify them precisely. Interfaces with partners, subcontractors, and suppliers must be included in the analysis, even if their own scope is out of scope.
Building the SoA (Statement of Applicability)
The Statement of Applicability is one of the central documents required during an ISO 27001 audit. It lists all 93 controls from Annex A in its 2022 version (compared to 114 in the 2013 version), indicates which ones apply to the defined scope, and justifies the choices made. It is not a simple compliance table: the SoA must establish an explicit link between each selected control, the risks identified in the analysis, internal policies, and available operational evidence.
During the audit, the auditor uses it as the primary reference to verify the consistency between documented commitments and actual practices. A Statement of Applicability (SoA) that is incomplete or disconnected from operational reality is one of the most frequent causes of major non-conformity in stage 2.
Preparing for Certification Audits
ISO 27001 certification is based on two successive audit stages conducted by an accredited body. The stage 1 is a documentation review: the auditor analyzes the scope, security policy, SoA, risk assessment, and action plans to ensure that the system is formally consistent. The stage 2 is operational: it includes on-site verifications, interviews with employees, and sampling of concrete evidence to validate that the ISMS is actually implemented. Once certification is obtained, surveillance audits, usually annual, ensure continued compliance. A full re-certification audit takes place every three years.
The 5 Key Steps to Achieving ISO 27001 Certification
Step 1: Initial Risk Analysis
Risk analysis is the starting point and the core of the ISO 27001 process. It dictates all subsequent security decisions: choice of controls, priority setting, and SoA construction. It begins with mapping informational, physical, and intangible assets, followed by identifying associated threats and vulnerabilities, assessing their probability of occurrence and potential impact, and prioritizing risks based on the acceptance criteria defined by the organization.
ISO 27001 does not prescribe a specific method but recommends a structured and documented approach. In France, EBIOS Risk Manager (developed by ANSSI) is the most common method in environments subject to regulatory obligations, particularly because it naturally aligns with the requirements of NIS2 and other sectoral frameworks. ISO 27005 is a recognized international alternative.
The main challenge at this stage is to have a comprehensive view of assets, often dispersed throughout the organization, without overestimating or underestimating critical risks. Appropriate tools help structure this analysis and ensure its traceability during the audit.
Step 2: ISMS Implementation
The ISMS formalizes the organization's policies, security objectives, processes, and technical measures. It forms the documentary and organizational backbone of the ISO 27001 approach. Its implementation involves defining a security policy consistent with identified risks, establishing measurable objectives, and deploying the controls selected in the SoA, whether they originate from Annex A or other sources.
The operational challenge is to strike the right balance between security requirements and operational realities. An ISMS that is too theoretical, disconnected from real practices, will not withstand a stage 2 audit. An ISMS that is too light will not cover the identified risks. The documentation must be both comprehensive and usable by teams on a daily basis.
Step 3: Team Training and Awareness
ISO 27001 explicitly requires that personnel be aware of the security policy and understand their role within the ISMS. This requirement is often underestimated during initial certification processes. A human error (clicking a phishing link, sharing unencrypted data, poor access management) can compromise the entire technical system.
Awareness training must be tailored to profiles and responsibilities. Technical teams do not require the same content as business departments or employees handling sensitive data. Formats can vary: workshops, e-learning, phishing simulations, regular reminders. The goal is not to check a box but to evolve behaviors over time.
Step 4: Conducting Internal Audits
Internal audits are essential milestones before the certification audit. They allow for detecting discrepancies between the documented ISMS and actual practices, correcting non-conformities before they are identified by the external auditor, and verifying that action plans resulting from the risk analysis are progressing according to schedule.
To be effective, internal audits must be conducted by competent auditors who are independent of the functions being audited. Their findings must be documented, and corrective actions tracked until closure. The quality of this documentation is directly assessed during stage 1.
Step 5: Achieving Certification and Maintaining Compliance
Once certified, the challenge is to maintain it over time. ISO 27001 is based on the Plan-Do-Check-Act cycle: compliance is not a static state but a continuous improvement process. This involves implementing ISMS performance indicators, conducting annual surveillance audits, updating risk analyses and policies based on evolving threats and regulatory obligations, and holding regular management reviews.
Burnout after certification is one of the most common risks. Organizations that maintain their certification over time are those that have integrated the ISMS into their operational functioning, rather than treating it as a one-off project.
The Tangible Benefits of ISO 27001 Certification
ISO 27001 certification yields measurable effects across three dimensions.
In terms of trust, it sends a strong signal to clients, partners, and regulators. In many sectors, such as finance, healthcare, defense, and digital services, it has become a selection criterion in tenders and a prerequisite for certain types of contracts. It simplifies supplier evaluation processes by providing an audited documentation base that clients can directly utilize.
In terms of risk management, an ISO 27001 certified organization has a structured risk mapping, formalized action plans, and mechanisms for incident detection and response. The average cost of a data breach exceeds 5 million euros according to sector studies. A rigorous risk management approach significantly reduces the probability and impact of such incidents.
In terms of regulatory compliance, ISO 27001 provides a solid foundation for meeting the requirements of GDPR, NIS2, and other sectoral frameworks. It does not guarantee compliance with these texts but structures security measures to facilitate their demonstration during regulatory audits.
MGEN Client Case Study : In 2023, MGEN integrated the Egerie platform into its ISO 27001 certification process to regain control of its risk analyses, which had previously been managed on Excel. The result: a one-point gain during ISO 27001 audits, an extension of licenses to other teams, and significant time savings on analyses. Florian Bourdon, Cyber GRC Expert at MGEN, summarizes the challenge: the goal was not just to save time, but to put risk analysis back at the heart of the cyber strategy.
Common Challenges in ISO 27001 Implementation
Three obstacles consistently arise in certification processes, regardless of the organization's size.
The first is the lack of internal resourcesImplementing an ISMS requires expertise in risk management, legal compliance, technical architecture, and project management. Small teams often struggle to absorb this workload in parallel with their operational activities. Outsourcing certain steps and using specialized tools can significantly reduce this burden.
The second is the perceived complexity of risk analysisAsset mapping, threat identification, impact assessment, and the development of treatment plans are often perceived as tedious tasks when relying on spreadsheets. Using a structured methodology (EBIOS RM or ISO 27005) and a dedicated tool transforms this step into a managed and auditable process.
The third is maintaining compliance over timeOnce certified, many organizations relax their efforts until the next surveillance audit. However, the ISMS must be continuously maintained: risks evolve, systems change, and threats transform. Regular monitoring, supported by key indicators and periodic reviews, is essential to avoid deviations.
How the Egerie platform supports your ISO 27001 journey
Egerie centralizes the key steps for ISO 27001 compliance: risk mapping, management of Annex A controls, action plan tracking, and dashboards for management reviews and audits. The platform is based on EBIOS RM and ISO 27005 methodologies, ensuring consistency between risk analysis and ISMS requirements.
Want to understand how Egerie can accelerate your ISO 27001 journey? Request a demo and discover how our clients structure their compliance and prepare for their audits.
ISO 27001 FAQ
What is ISO 27001?
ISO/IEC 27001 is the international standard for information security management. It defines the requirements for an Information Security Management System (ISMS) and is the only certifiable standard in the ISO 27000 family by an accredited body. It applies to any organization, regardless of its size or sector.
Is ISO 27001 certification mandatory?
No, ISO 27001 is a voluntary process. It is not legally mandated, except in certain sectors or under specific contracts. However, NIS2 imposes regulatory cybersecurity obligations on essential and important entities, for which ISO 27001 provides a useful structuring framework, though it alone is not sufficient to guarantee compliance.
How long does it take to get ISO 27001 certification?
Between 6 and 18 months, depending on the organization's initial maturity, the scope size, and available resources. The phase of implementing security measures and monitoring action plans represents the most significant portion of the overall effort. Appropriate tools can significantly accelerate this phase.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 defines the ISMS requirements; it is the certifiable standard. ISO 27002 is a guide for implementing the controls listed in Annex A of ISO 27001. It is not certifiable but is essential for practically deploying security measures.
Which risk analysis method should be used for ISO 27001?
ISO 27001 does not prescribe a specific method. In France, EBIOS Risk Manager, a method developed by ANSSI, is the most widely used in environments subject to regulatory obligations. ISO 27005 is an internationally recognized alternative. Both are compatible with ISO 27001 requirements.
Does ISO 27001 cover GDPR?
Not directly. ISO 27001 structures information security measures, which provides a solid foundation for meeting GDPR security requirements. For a comprehensive approach to personal data protection, ISO 27001 can be supplemented by ISO 27701, which extends the ISMS to privacy protection issues.
What is the SoA (Statement of Applicability)?
The SoA is the Statement of Applicability, one of the central documents for ISO 27001 certification. It lists all controls from Annex A, indicates which ones apply to the defined scope, justifies the choices made, and establishes the link between the selected controls, identified risks, and available operational evidence. It serves as the primary reference during the certification audit.
How to maintain ISO 27001 certification long-term?
Maintenance is based on the Plan-Do-Check-Act : annual surveillance audits, updating risk analyses, regular management reviews, monitoring ISMS performance indicators, and adapting policies to evolving threats and regulatory obligations. A full recertification audit is required every three years.
