
ISO/IEC 27001 is an internationally recognized standard for Information Security Management Systems (ISMS). It helps organizations and businesses build a structured approach to managing information security, reducing risks, and increasing trust. For any organization, achieving ISO/IEC 27001 certification is an important milestone, showing that its information security management meets international standards.
Before you start applying for ISO/IEC 27001 certification, it’s helpful to understand a few key organizations involved in the process:
- ISO (International Organization for Standardization): Develops the standards themselves (such as ISO/IEC 27001).
- IAF (International Accreditation Forum): Sets global accreditation rules to ensure that certification systems from different countries are mutually recognized.
- AB (Accreditation Body): National or regional bodies that accredit Certification Bodies (CBs). Examples include:
  - Taiwan: TAF (Taiwan Accreditation Foundation)
  - USA: ANAB (ANSI National Accreditation Board)
  - Japan: JAB (The Japan Accreditation Board for Conformity Assessment)
  - Germany: DAkkS (Deutsche Akkreditierungsstelle)
  - UK: UKAS (United Kingdom Accreditation Service)
  - France: COFRAC (Comité Français d’Accréditation)
- CB (Certification Body): The organizations that, once accredited by an AB, can perform ISO/IEC 27001 audits and issue certificates. Examples: SGS, A-LIGN, BSI, TÜV, JQA.
The role of an AB in ISO/IEC 27001 is to ensure that the CBs are credible and internationally recognized—but the AB itself does not issue certificates.
In simple terms:
ISO sets the standard → IAF sets accreditation rules → AB accredits CB → CB audits → Organization receives ISO 27001 certificate
Before going for ISO/IEC 27001 certification, it’s helpful to have a basic understanding of how the standard’s clauses, documented procedures, and actual implementation relate to each other.
ISO 27001 Standard Clauses
The standard is mainly divided into two parts:
1. Management System Requirements (Clauses 4–10)
- Clause 4 – Context of the Organization: Define the scope, stakeholders, and ISMS boundaries.
- Clause 5 – Leadership: Top management commitment and information security policy.
- Clause 6 – Planning: Risk assessment and risk treatment plan.
- Clause 7 – Support: Resources, personnel competence, documented information.
- Clause 8 – Operation: Implement risk treatment measures.
- Clause 9 – Performance Evaluation: Monitoring, internal audits, management review.
- Clause 10 – Improvement: Continual improvement and corrective actions.
2. Annex A – Control Objectives and Controls
- 93 controls in the 2022 version, covering areas like:
  - Information security policies
  - Human resource security
  - Asset management
  - Access control
  - Cryptography
  - Supplier relationships
  - Incident management
  - Business continuity
  - Compliance with legal requirements
Key Documents to Prepare
- ISMS Scope Statement
- Information Security Policy
- Risk Assessment Report
- Risk Treatment Plan
- Statement of Applicability (SoA) – lists which controls are applicable or excluded
- Procedure documents – e.g., access control, backups, incident management
- Records – e.g., internal audit reports, management review minutes, evidence of process execution
How Implementation Works
- Risk Management: Identify assets, threats, and vulnerabilities, then define controls.
- Technical Controls: Firewalls, encryption, access permissions.
- Organizational Controls: Employee training, roles and responsibilities.
- Continual Improvement: Regular audits and corrective actions.
In simple terms:
ISO/IEC 27001 clauses → organization creates corresponding procedures → execute processes and keep records
(Say it, write it, do it – all consistent)
About the “Four-Level Documents”
Some people ask if you must create the classic four-level documents (Policy → Procedure → Work Instruction → Records).
The short answer: ISO/IEC 27001 does not require a strict four-level structure.
It’s not mandatory, but many organizations adopt a similar hierarchy for clarity and ease of implementation.
Exploring the meeting point of technology and the inner world is often a solitary journey—but a meaningful one.