TL;DR
- ISO/IEC 27001 is jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); the current edition is ISO/IEC 27001:2022, published October 2022, replacing the 2013 edition. It is the international standard for an Information Security Management System (ISMS) and is independently certifiable.
- The 2022 edition restructured Annex A from 114 controls in 14 domains into 93 controls across four themes — Organisational (37), People (8), Physical (14), Technological (34) — and introduced 11 new controls covering threat intelligence, cloud security, data leakage prevention, secure coding, monitoring, configuration management and other modern operational concerns.
- Certification is granted by an accredited certification body (CB) after a two-stage audit and is valid for three years, subject to two annual surveillance audits in years 1 and 2 and a full recertification audit in year 3. UKAS accreditation in the UK, DAkkS in Germany, ANAB in the US — accreditation matters because non-accredited certificates are not accepted by sophisticated buyers.
- It is the de facto international security floor for cloud and SaaS providers. Mandatory in many UK and EU public-sector tenders. Cross-referenced by SOC 2 (under Trust Services Criteria), GDPR Article 32 (widely accepted as evidence of appropriate technical and organisational measures, although ISO 27001 is not itself an Article 42 approved certification mechanism), NCSC Cloud Security Principles, NIS2 Directive, HIPAA (as supplementary evidence), and the upcoming EUCS scheme. Adoption in the US is growing alongside SOC 2 as US-headquartered SaaS sells into EU markets.
- Typical USD cost — stage 1 + stage 2 audit $22,500-$56,000 (UKAS-accredited body, single site, mid-sized scope); surveillance audits $11,000-$22,500/year; ISO 27017 + 27018 overlays add $7,500-$19,000; readiness consulting in year 1 typically $25,000-$75,000. Total year-1 cost typically $50,000-$100,000 for a mid-sized cloud vendor. Yobitel UK Sovereign and the broader Yobitel platform hold ISO 27001:2022 with ISO 27017 (cloud services) and ISO 27018 (cloud PII processor) overlays.
Overview
ISO/IEC 27001 is the international standard that specifies requirements for an Information Security Management System (ISMS). It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) because it is developed in their joint technical committee for information technology, ISO/IEC JTC 1 (sub-committee SC 27, information security, cybersecurity and privacy protection); that is why both names appear on the standard. The standard is part of the ISO 27000 family, which includes ISO 27002 (implementation guidance for the Annex A controls), ISO 27005 (guidance on information security risk management), ISO 27017 (cloud-service controls), ISO 27018 (PII processor controls), and a number of sector-specific overlays.
The standard defines the management framework around information security, not the security controls themselves. That distinction matters. ISO 27001 tells you what governance, risk management, control selection, monitoring and continual improvement processes must be in place; ISO 27002 provides the implementation guidance for the specific Annex A controls; and the organisation's own Statement of Applicability (SoA) declares which controls are in scope, which are excluded, and why. An organisation can be ISO 27001 certified with a Statement of Applicability that excludes a third of Annex A — provided the exclusions are justified against the documented risk assessment.
The current edition, ISO/IEC 27001:2022, was published in October 2022 and replaced the 2013 edition. The substantive change was Annex A: the previous 114 controls across 14 domains were consolidated into 93 controls across four themes (Organisational, People, Physical, Technological), and 11 new controls were introduced to reflect the operational realities of cloud, supply chain, threat intelligence and secure development. Organisations certified to the 2013 edition were given a three-year transition window to migrate to the 2022 edition, ending 31 October 2025 — meaning as of June 2026 every current certificate is on the 2022 edition.
ISO 27001's importance is global, but its weight varies by region. In the United Kingdom and the European Union it is effectively the international security floor for any cloud or SaaS provider — mandatory in most public-sector tenders, expected in private-sector enterprise procurement, and cross-referenced by virtually every adjacent framework (NCSC Cloud Security Principles, G-Cloud, GDPR Article 32, NIS2 Directive, EUCS). In the United States, SOC 2 Type II has historically dominated, but ISO 27001 adoption is growing rapidly as US-headquartered SaaS sells into EU markets and as US enterprise buyers begin to demand both. Across the Asia-Pacific region, Australia, Japan, Singapore and India all treat ISO 27001 as the working security floor.
Yobitel UK Sovereign and the broader Yobitel platform hold ISO/IEC 27001:2022 with ISO 27017 (cloud-services controls) and ISO 27018 (PII processor controls) overlays as part of the customer-facing compliance posture — UKAS-accredited certificate, three-year cycle aligned to the company financial year, current Statement of Applicability available under NDA — so customers building on Yobitel inherit the supplier-relationship and infrastructure-layer evidence as a baseline rather than starting their own ISMS from scratch.
This entry treats ISO 27001:2022 as a working reference for an organisation standing one up. The Reference section enumerates the ISMS clauses (4-10) and the Annex A control themes. The Evidence section lays out the artefacts an auditor will sample. The Audit & Accountability section describes the three-year certification cycle and the role of the accredited certification body. The Mapping section cross-references ISO 27001 to NCSC, SOC 2, NIST CSF 2.0, HIPAA and GDPR. The Cost section is honest about what a defensible ISO 27001 posture costs in USD, and the closing section makes plain how Yobitel UK Sovereign discharges ISO obligations as part of its managed compliance posture. This entry helps you assemble defensible ISO 27001 evidence for your customers, auditors, or supervisory authorities — and explains where Yobitel's own posture inherits, so a customer's own ISMS can cite Yobitel UK Sovereign under Annex A.5.19-A.5.23 (supplier relationships) without re-auditing the platform layer.
Scope — who needs ISO 27001
ISO 27001 binds the certified organisation — the legal entity named on the certificate — for the scope declared in the ISMS scope statement. The actor that asks for the certificate is the customer, regulator or counterparty whose risk depends on the organisation's security posture. The standard is technology-agnostic, sector-agnostic and size-agnostic by design: a 30-person SaaS start-up, a multinational managed-service provider, a hospital trust, a financial institution and a government department can all certify to the same standard with appropriately scoped ISMSs.
In the United Kingdom, ISO 27001 is mandatory or strongly expected in three procurement contexts. Public-sector tenders run via G-Cloud (Crown Commercial Service framework RM1557.x) typically demand ISO 27001 certification as supporting evidence for several NCSC Cloud Security Principles, particularly Principle 4 (governance), Principle 5 (operational security) and Principle 8 (supply chain). NHS Data Security and Protection Toolkit submissions accept ISO 27001 + 27018 as evidence for most technical-control questions. FCA-regulated firms expect their material-outsourcing vendors to hold ISO 27001 under SYSC 8 third-party risk assessments. Private-sector UK enterprise procurement (FTSE 350, mid-market technology buyers) routinely lists ISO 27001 as a hard prerequisite.
In the European Union, ISO 27001 carries even greater weight. EU public procurement operates within Regulation (EU) 1025/2012 (the European standardisation framework) and Directive 2014/24/EU (the public procurement directive), both of which favour European and international standards as the default reference for technical specifications, and member-state cloud-services tenders routinely cite ISO 27001. The upcoming EUCS scheme (European Cybersecurity Certification Scheme for Cloud Services), developed under the EU Cybersecurity Act, uses ISO 27001 + 27017 + 27018 as its substantive control baseline.
Beyond formal procurement, ISO 27001 has become the international lingua franca for processor-to-controller assurance under GDPR Article 28 and Article 32. A controller asking a processor 'what is your security posture' will accept an ISO 27001 + 27018 certificate as substantive answer; without it, the controller will run its own questionnaire, which costs both sides materially more time. The standard's combination of independent audit, public certificate, three-year cycle and Statement of Applicability gives a counterparty everything it needs to make a vendor-risk decision without sending its own auditors on-site.
- Cloud and SaaS providers — international markets effectively require ISO 27001 + 27017 + 27018 as the baseline security posture.
- UK public-sector suppliers — G-Cloud framework treats ISO 27001 as core supporting evidence for NCSC principles.
- NHS-supply-chain vendors — DSP Toolkit submissions reference ISO 27001 + 27018 as primary evidence for technical controls.
- FCA-regulated and EU financial-services firms — material-outsourcing vendors expected to hold ISO 27001 under SYSC 8 and DORA-aligned regimes.
- EU public-sector vendors — ISO 27001 is the default reference in cloud-services tenders across major member states.
- GDPR processors — ISO 27001 + 27018 is the standard processor-side answer to controller Article 28/32 due diligence.
- Healthcare and life-sciences vendors — ISO 27001 supplements HIPAA (US) and MHRA / EMA expectations for personal-data systems.
- Boundary case — start-ups under 30 people frequently certify with a tightly-scoped ISMS (single product, single environment); scope expansion happens at the next surveillance audit as the business grows.
Scope is the single most common source of certificate drift. A certificate that covers 'the SaaS platform' but excludes the new mobile app, the new EU region or the new AI inference service is materially weaker than buyers think. Update the ISMS scope statement and Statement of Applicability whenever you add a new product, region or sub-processor, and have the certification body confirm the change at the next surveillance audit — do not let scope drift quietly between audits.
The framework — clauses 4-10 and Annex A
ISO 27001:2022 has two halves. The operative ISMS requirements live in clauses 4 through 10 — these are the process requirements the auditor will read first. Annex A is the control catalogue (93 controls across four themes) that the organisation selects from in its Statement of Applicability. ISO 27002:2022 then provides the implementation guidance for each Annex A control; ISO 27002 is not certifiable on its own but is the reference text for how each control should be implemented.
- Annex A.5 — Organisational controls (37 controls): information security policies, roles and responsibilities, segregation of duties, management responsibilities, contact with authorities, contact with special interest groups, threat intelligence, information security in project management, inventory of information and other assets, acceptable use, return of assets, classification, labelling, information transfer, access control, identity management, authentication information, access rights, information security in supplier relationships, addressing security in supplier agreements, ICT supply chain, monitoring/review/change management of supplier services, information security for use of cloud services, incident management planning and preparation, assessment and decision on information-security events, response to incidents, learning from incidents, collection of evidence, information security during disruption, ICT readiness for business continuity, legal/statutory/regulatory/contractual requirements, IPR, protection of records, privacy/PII, independent review, compliance with policies/rules/standards, documented operating procedures.
- Annex A.6 — People controls (8 controls): screening, terms and conditions of employment, awareness/education/training, disciplinary process, responsibilities after termination/change of employment, confidentiality/NDA, remote working, information-security event reporting.
- Annex A.7 — Physical controls (14 controls): physical security perimeters, physical entry, securing offices/rooms/facilities, monitoring physical security, protecting against physical/environmental threats, working in secure areas, clear desk and clear screen, equipment siting, security of assets off-premises, storage media, supporting utilities, cabling security, equipment maintenance, secure disposal/re-use.
- Annex A.8 — Technological controls (34 controls): user endpoint devices, privileged access rights, information access restriction, access to source code, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, configuration management, information deletion, data masking, data leakage prevention, information backup, redundancy of IT facilities, logging, monitoring activities, clock synchronisation, use of privileged utility programs, installation of software on operational systems, networks security, security of network services, segregation of networks, web filtering, use of cryptography, secure development life cycle, application security requirements, secure system architecture and engineering principles, secure coding, security testing in development and acceptance, outsourced development, separation of development/test/operational environments, change management, test information, protection of information systems during audit testing.
| Clause | Title | What it requires |
|---|---|---|
| 4 | Context of the organisation | Understand internal and external context, interested parties, scope of the ISMS. |
| 5 | Leadership | Top-management commitment, information-security policy, roles and responsibilities. |
| 6 | Planning | Risk assessment, risk treatment, Statement of Applicability, information-security objectives. |
| 7 | Support | Resources, competence, awareness, communication, documented information. |
| 8 | Operation | Operational planning and control; risk assessment in operation; risk treatment in operation. |
| 9 | Performance evaluation | Monitoring, measurement, analysis, evaluation; internal audit; management review. |
| 10 | Improvement | Nonconformity and corrective action; continual improvement. |
Eleven brand-new Annex A controls were introduced in the 2022 edition: A.5.7 (threat intelligence), A.5.23 (information security for use of cloud services), A.5.30 (ICT readiness for business continuity), A.7.4 (physical security monitoring), A.8.9 (configuration management), A.8.10 (information deletion), A.8.11 (data masking), A.8.12 (data leakage prevention), A.8.16 (monitoring activities), A.8.23 (web filtering), A.8.28 (secure coding). These are the controls a certification body's auditor will press hardest on at a 2022-edition surveillance audit — they are the ones most likely to expose gaps.
The Statement of Applicability and evidence patterns
The Statement of Applicability (SoA) is the single most important document in an ISO 27001 ISMS. It lists every Annex A control, states whether it is applicable, the justification, and a reference to where the control is implemented (or why it is excluded). The SoA is read first by every auditor, every customer security team, every regulator and every downstream insurer. It is the map from the standard to the organisation's actual environment.
The evidence patterns below are the working artefacts an ISO 27001 auditor will sample at stage 2 and at every subsequent surveillance audit. The list is not exhaustive — Annex A has 93 controls and each implies its own evidence — but it covers the core ISMS process artefacts and the highest-weight Annex A controls.
Customers running their own ISO 27001 ISMS and using Yobitel UK Sovereign as a sub-processor can reuse Yobitel-supplied evidence to close the platform-layer half of the pack: the Yobitel ISO 27001 + 27017 + 27018 certificate and Statement of Applicability (under NDA via the customer security portal) cover the supplier-relationship controls under A.5.19-A.5.23; sovereignty-pinning to UK regions covers the data-location evidence under A.5.34 and A.8.10; the platform sub-processor register covers A.5.21 (managing information security in the ICT supply chain); the customer-readable audit-stream config covers A.8.15-A.8.16. The customer's own ISMS still owns the workload-layer evidence (workload RBAC, in-application authentication, application-layer cryptography keys, customer-side change management) but the supplier-relationship evidence is shipped, not rebuilt.
| Artefact | Clause / Annex A | What it shows | Typical evidence |
|---|---|---|---|
| ISMS scope statement | Clause 4.3 | Boundary of the certified ISMS — products, sites, business functions in scope. | Signed scope document; org chart showing in-scope functions; site list. |
| Information security policy | Clause 5.2 | Top-management commitment; framework for setting objectives. | Board-approved policy; review date; circulation log. |
| Risk assessment methodology | Clause 6.1.2 | Documented approach to identifying, analysing and evaluating risks. | Methodology document (often based on ISO 27005); risk-matrix definitions. |
| Risk register | Clause 6.1.2 | Identified risks, owners, likelihood, impact, current control, residual risk. | Living spreadsheet or GRC entries; review dates per risk; named owners. |
| Risk treatment plan | Clause 6.1.3 | How identified risks are treated (modify, retain, share, avoid) and which Annex A controls are applied. | Mapping from risk to control; closure target dates; owner per treatment. |
| Statement of Applicability (SoA) | Clause 6.1.3 d) | Every Annex A control, applicability decision, justification, implementation reference. | Living document; version-controlled; reviewed at every surveillance audit. |
| Information security objectives | Clause 6.2 | Measurable security objectives tied to the policy and the risk treatment plan. | Annual objectives document; KPI tracking; management-review evidence. |
| Competence and awareness records | Clauses 7.2, 7.3 | Staff competence assessed; awareness training delivered. | Training records; competence matrices; awareness-campaign artefacts. |
| Internal audit programme | Clause 9.2 | Independent audit of the ISMS at planned intervals. | Annual audit plan; internal-audit reports; finding-closure trend. |
| Management review minutes | Clause 9.3 | Top management reviews the ISMS at planned intervals; documented decisions. | Meeting minutes with attendees, inputs, outputs and action items. |
| Nonconformity and corrective action log | Clause 10.1 | Identified nonconformities tracked through to closure with root-cause analysis. | CAR (corrective action request) log; RCA documentation; closure evidence. |
| Risk assessment and treatment in operation | Clauses 8.2, 8.3 | The risk assessment is re-performed at planned intervals and on significant change, and the treatment plan is actually executed. | Same risk register and methodology as Clause 6.1.2, plus dated re-assessment records and treatment-closure evidence. |
| A.5.19-A.5.23 Supplier relationships | Annex A.5.19-A.5.23 | Supplier risk assessment, due diligence, contracts with security clauses, monitoring. | Vendor due-diligence files; signed contracts with security annex; supplier-review cadence. |
| A.5.25-A.5.28 Incident management | Annex A.5.25-A.5.28 | Incidents assessed, responded to, learnt from. | Incident log; post-mortem repository; lessons-learnt feedback into the risk register. |
| A.8.7-A.8.9 Technical operations | Annex A.8.7-A.8.9 | Malware protection, vulnerability management, configuration management. | Endpoint protection coverage; vulnerability scan cadence and closure trend; config-management evidence. |
| A.8.15-A.8.16 Logging and monitoring | Annex A.8.15-A.8.16 | Activities are logged, retained, monitored. | Audit-log architecture; retention policy; monitoring rules; alert response. |
| A.8.24 Cryptography | Annex A.8.24 | Cryptography policy and key management implemented. | Cryptography policy; KMS architecture; key-rotation evidence. |
| A.8.32 Change management | Annex A.8.32 | Changes to information-processing systems are controlled. | Change-management workflow; pull-request approval records; emergency-change exception log. |
Treat the SoA as a living document, not an audit artefact. Update it whenever you add a new service, deprecate one, change cloud architecture significantly, or take on a new sub-processor. The certification body's auditor will compare the SoA against the operating environment at every surveillance audit; mismatches surface as audit findings even if the underlying controls are sound.
Audit and accountability — the three-year certification cycle
ISO 27001 certification runs on a three-year cycle. Year 0 is the initial certification audit (stage 1 + stage 2). Years 1 and 2 are surveillance audits — narrower scope, focused on continued conformity and on the highest-risk controls. Year 3 is the recertification audit — full scope, equivalent to the initial certification audit. Later cycles usually cost less than the first because the auditor is familiar with the environment and the documentation has matured.
Stage 1 (documentation review) typically runs over one to two days, on-site or remote. The auditor reviews the ISMS documentation — scope statement, policy, risk-assessment methodology, risk register, risk treatment plan, Statement of Applicability, internal-audit programme, management-review minutes — and identifies any documentation gaps that must be closed before stage 2 can proceed. Stage 1 is a readiness check; failing it is not catastrophic but delays stage 2 until the gaps are closed.
Stage 2 (implementation audit) runs over three to ten days depending on scope, typically on-site for at least one site per certificate. The auditor samples evidence across the Annex A controls in scope, interviews control owners, observes operations, and tests effectiveness. The audit produces a list of findings: major nonconformities (must be closed before certification can be granted), minor nonconformities (closure plan acceptable; certificate is granted contingent on remediation), and observations (not nonconformities but areas for improvement).
After stage 2, the certification body issues the certificate. The certificate is valid for three years, subject to satisfactory surveillance audits in years 1 and 2. Each surveillance audit samples a subset of the Annex A controls and re-tests the highest-risk areas; surveillance audits are typically half the duration and cost of the initial stage 2. In year 3, a full recertification audit equivalent to the initial stage 2 is performed and the next three-year cycle begins.
- Accreditation matters — the certification body must be accredited by a member of the International Accreditation Forum (UKAS in the UK, DAkkS in Germany, ANAB in the US, IAS in the US, JAS-ANZ in Australia/New Zealand). Non-accredited certificates are not accepted by sophisticated buyers.
- Commonly used accredited bodies — in the UK: BSI, LRQA, DNV; in the EU: TÜV SÜD, TÜV Rheinland, BSI; in the US: Schellman, Coalfire, A-LIGN. Accreditation is granted per standard and can lapse, so confirm the body's current ISO/IEC 27001 accreditation scope on the accreditation body's public register before engaging.
- Auditor independence — the certification body cannot also provide consulting on building the ISMS; this is a hard separation under ISO 17021. Use a separate readiness consultant (or do the readiness internally).
- Major nonconformity — a required control absent, a control fundamentally ineffective, or a systemic ISMS failure (for example, no internal audit or no management review). Must be closed, with the correction and corrective action verified by the certification body, before the certificate is issued. Certification bodies set a closure window, commonly 90 days; ISO/IEC 17021-1 caps it at six months after stage 2, after which stage 2 has to be repeated.
- Minor nonconformity — defined as an isolated lapse in an otherwise effective control. Closure plan with target dates accepted; certificate granted contingent on closure.
- Observation — auditor's professional opinion that an area could be improved; not a nonconformity; closure is voluntary but tracked for the next audit.
| Audit | Year | Scope | Typical duration | Typical USD cost (mid-tier CB, single site) |
|---|---|---|---|---|
| Stage 1 — documentation review | 0 | ISMS documentation completeness; readiness for stage 2. | 1-2 days | $5,000 - $11,000 |
| Stage 2 — implementation audit | 0 | Full Annex A in scope; evidence sampling; control effectiveness. | 3-10 days | $17,500 - $45,000 |
| Surveillance audit year 1 | 1 | Subset of Annex A; highest-risk controls; closure of year-0 findings. | 2-5 days | $11,000 - $22,500 |
| Surveillance audit year 2 | 2 | Subset of Annex A; rotation through controls not sampled in year 1. | 2-5 days | $11,000 - $22,500 |
| Recertification audit | 3 | Full Annex A; equivalent to stage 2 of the new cycle. | 3-8 days | $17,500 - $37,500 |
| Special audit (scope change, major incident) | Any | Triggered by scope change, certificate scope expansion or major nonconformity. | 1-3 days | $5,000 - $19,000 |
Recertification (year 3) is often under-resourced because the certificate's expiry date feels distant. It is not: the certificate carries a fixed expiry three years from issue, and the recertification audit must be completed, with any major nonconformities closed, before that date or the certificate lapses. Plan recertification at the same level of intensity as the initial stage 2; major nonconformities at recertification are rare but damaging, because a lapsed certificate cannot be re-issued until they are closed, leaving a gap in certification that buyers will notice.
Mapping to other frameworks
ISO 27001 overlaps substantially with every adjacent security framework. The mapping below is the working cross-reference most security architects use to avoid duplicating control work across frameworks. Most organisations that hold ISO 27001 + 27017 + 27018 can evidence two-thirds of any other framework from existing artefacts; the gap is typically in framework-specific artefacts (SOC 2's user-entity controls, GDPR's DPIA, HIPAA's business associate agreements).
- NCSC Cloud Security Principles — ISO 27001 + 27017 + 27018 covers approximately 75% of the 14 principles; the gap is typically Principle 2 (UK location evidence) and Principle 13 (customer-readable audit schema). G-Cloud buyers accept ISO 27001 as core supporting evidence.
- SOC 2 — ISO 27001 covers approximately 70% of SOC 2 Common Criteria from existing artefacts; the gap is typically in CC7 (operational monitoring evidence at SOC 2's sampling depth) and CC9 (vendor-management evidence). The two frameworks complement rather than substitute.
- NIST CSF 2.0 — ISO 27001 covers approximately 80% of CSF subcategories; CSF is a framework rather than a certifiable standard, so the relationship is one of mapping rather than substitution.
- HIPAA Security Rule — ISO 27001 + 27018 covers most technical and administrative safeguards but does not displace the HIPAA-specific business-associate agreement obligation under § 164.308(b).
- GDPR Article 32 — Article 32(3) allows adherence to an approved code of conduct (Article 40) or an approved certification mechanism (Article 42) to be used as evidence of compliance; ISO 27001 is not an Article 42 mechanism, but controllers and supervisory authorities routinely accept ISO 27001 + 27018 as the standard processor-side evidence of 'appropriate technical and organisational measures' under Article 32(1). It does not displace the controller's DPIA obligation under Article 35.
- EU AI Act — ISO 27001 covers the security-management baseline expected for high-risk AI systems under Article 15; sector-specific AI standards (ISO/IEC 42001 AI management system, ISO/IEC 23894 AI risk management) layer on top.
| ISO 27001 area | NCSC Cloud Security Principles | SOC 2 TSC | NIST CSF 2.0 | HIPAA Security Rule | GDPR Article 32 |
|---|---|---|---|---|---|
| Clauses 5, 6 — Leadership, Planning | Principle 4 (Governance) | CC1, CC3 | GV — Govern; ID.RA | § 164.308(a)(1) Security Management | Art. 32(2) Risk assessment |
| A.5.7 Threat intelligence | Principle 5 (Operational security) | CC3.2, CC4.1 | ID.RA-02, DE.AE | § 164.308(a)(1)(ii)(A) | Art. 32(1)(d) Regular testing |
| A.5.19-A.5.23 Supplier relationships | Principle 8 (Supply chain) | CC9.2 | GV.SC — Supply chain | § 164.308(b) Business Associate | Art. 28 Processor; Art. 32(1) Supply chain |
| A.5.25-A.5.28 Incident management | Principle 5 (Operational security) | CC7.3, CC7.4 | RS — Respond | § 164.308(a)(6) Incident Procedures | Art. 33 Breach notification |
| A.5.30 ICT readiness for BCM | Principle 2 (Asset protection) | A1.2, A1.3 | RC.RP — Recovery | § 164.308(a)(7) Contingency Plan | Art. 32(1)(c) Restore after incident |
| A.6 People controls | Principle 6 (Personnel security) | CC1.4 | PR.AT — Awareness & Training | § 164.308(a)(5) Awareness | Art. 32(4) Instruction-only access |
| A.7 Physical controls | Principle 2 (Asset protection) | CC6.4 | PR.AA-06 — Physical access | § 164.310 Physical Safeguards | Art. 32(1)(b) CIA |
| A.8.5 Secure authentication | Principle 10 (Identity & auth) | CC6.1 | PR.AA-01, PR.AA-03 | § 164.312(d) Person Authentication | Art. 32(4) Instruction-only access |
| A.8.7-A.8.9 Tech operations | Principle 5 (Operational security) | CC7.1, CC7.2 | DE.CM — Continuous monitoring | § 164.308(a)(1)(ii)(D) | Art. 32(1)(b) CIA |
| A.8.15-A.8.16 Logging & monitoring | Principle 13 (Audit information) | CC7.2 | DE.CM, DE.AE | § 164.312(b) Audit Controls | Art. 32(1)(b); Art. 30 ROPA |
| A.8.24 Cryptography | Principle 1 (Data in transit), Principle 2 (Asset protection) | CC6.1, CC6.7 | PR.DS-01, PR.DS-02 | § 164.312(a)(2)(iv), § 164.312(e)(2)(ii) | Art. 32(1)(a) Encryption |
| A.8.32 Change management | Principle 5 (Operational security) | CC8.1 | PR.PS-01 — Configuration and change management | § 164.308(a)(8) Evaluation | Art. 32(1)(b) CIA |
| ISO 27017 overlay — cloud controls | All cloud-specific principles | CC6.x at cloud depth | PR.PS — Platform security | Cloud-specific safeguards | Art. 32(1) Cloud processing |
| ISO 27018 overlay — PII processor | Principle 8 (Supply chain) — PII focus | Privacy TSC P1-P8 | GV.OC-03 — Legal and privacy obligations | Privacy Rule supplement | Art. 28 Processor; Art. 32(1) |
UK, EU and US considerations
ISO 27001 is an international standard, but the accreditation framework, the buyer expectations and the cross-framework recognition vary materially by region. The differences are jurisdictional rather than substantive — the standard itself is identical worldwide — but a posture that ignores them will fail at the deal-review stage even where the certificate is sound.
In the United Kingdom, certificates issued by UKAS-accredited certification bodies (BSI, LRQA, DNV, Bureau Veritas, Intertek and others) are the gold standard. UKAS is the sole national accreditation body for the UK and a signatory to the International Accreditation Forum Multilateral Recognition Arrangement (IAF MLA), meaning UKAS-accredited certificates are recognised globally. UK certificates were not affected by Brexit because UKAS accreditation is recognised under the IAF MLA, not under EU law; a UK-issued certificate is fully recognised in the EU and vice versa. G-Cloud buyers expect UKAS accreditation specifically; non-UKAS certificates raise eyebrows.
In the European Union, certificates issued by certification bodies accredited by any IAF MLA signatory are mutually recognised under the IAF arrangement. DAkkS (Germany), Cofrac (France), Accredia (Italy), ENAC (Spain) and other national accreditation bodies issue cross-recognised accreditations. EU public-sector procurement and EU enterprise procurement treat any IAF-recognised certificate as equivalent. The upcoming EUCS scheme — under the EU Cybersecurity Act, finalised by ENISA in 2026 — uses ISO 27001 + 27017 + 27018 as the substantive control baseline for the Basic and Substantial assurance levels; the High level requires additional sovereignty-of-operation controls beyond ISO scope.
In the United States, ISO 27001 adoption is growing alongside SOC 2 Type II rather than replacing it. ANAB (the ANSI National Accreditation Board) is the dominant accreditation body for ISO certifications issued in the US; A-LIGN, Coalfire, Schellman and several others issue ANAB-accredited certificates. US enterprise buyers have historically asked for SOC 2 Type II; as US-headquartered SaaS sells into EU markets, the bidirectional pressure (US wants SOC 2, EU wants ISO 27001) has produced a market norm of holding both. FedRAMP authorisation does not require ISO 27001 but accepts it as substantive supporting evidence; HIPAA does not require ISO 27001 but the major US healthcare providers increasingly ask for it from cloud and SaaS sub-processors.
- UK — UKAS-accredited certificates are the expected standard; G-Cloud buyers specifically expect UKAS; UK certificates are fully recognised in the EU under IAF MLA.
- EU — IAF MLA mutual recognition means any IAF-accredited certificate is recognised across member states; EUCS scheme uses ISO 27001 + 27017 + 27018 as the substantive baseline.
- US — ANAB-accredited certificates dominate the US market; ISO 27001 adoption is growing alongside SOC 2 rather than replacing it; FedRAMP and HIPAA accept ISO 27001 as supporting evidence.
- International — IAF MLA covers approximately 80 national accreditation bodies; certificates issued by an IAF MLA signatory are mutually recognised worldwide.
- Cross-jurisdictional — a single ISO 27001 + 27017 + 27018 certificate plus a SOC 2 Type II report covers virtually every enterprise procurement question on the planet; most mature cloud vendors run both annually with overlapping audit windows.
Common implementation gaps
ISO 27001 readiness assessments and surveillance audits surface the same handful of operational gaps with striking regularity. The list below is the failure-mode catalogue most readiness consultants apply on day one; each item is the kind of deficiency that produces an audit finding unless caught in advance. None is novel. All are tractable. Most cost meaningfully more to remediate during an audit than to close before stage 1.
The single most common cause of ISO 27001 nonconformities is Statement of Applicability scope drift: the certificate covers 'the platform' but the SoA was last updated 18 months ago, before the new region launch, before the new sub-processor onboarding, before the new product line. The auditor compares the SoA against the operating environment and finds gaps that are not control failures but documentation failures. Treat the SoA as a living document tied to the change-management process — every material change should trigger an SoA review and an update if needed.
The second most common cause is internal-audit independence: Clause 9.2 requires that internal audits are performed by someone who does not have direct responsibility for the area being audited. Many start-ups and small organisations have a single security lead who runs the ISMS and also performs the internal audit — that fails the independence requirement. Remediation is straightforward: rotate internal auditors across functions, use an external internal-audit partner (different firm from the certification body), or have the engineering lead audit the security function and vice versa.
- SoA scope drift — Statement of Applicability not updated to reflect new products, regions or sub-processors; remediate by tying SoA review to the change-management process with a quarterly forced review.
- Internal-audit independence — single security lead performs both ISMS operation and internal audit; remediate by rotating auditors, using external internal-audit support, or cross-auditing across functions.
- Management-review cadence drift — Clause 9.3 management review missed or under-attended; remediate by anchoring the review to a standing executive meeting (e.g. quarterly board security update) with mandatory inputs documented in advance.
- Risk-treatment plan execution lag — risks identified but treatments not progressed; remediate by tying risk-treatment milestones to OKRs or quarterly business reviews with named owners and SLA escalation.
- Awareness training completion gap — Clause 7.3 awareness training not completed by all staff in the in-scope functions; remediate by HRIS-integrated training-completion tracking with line-manager escalation at 30 days overdue.
- Supplier-risk-assessment gap — A.5.19-A.5.23 due diligence not performed before vendor onboarding; remediate with a vendor-onboarding gate in procurement requiring due-diligence completion before the SOW is signed.
- Vulnerability-management closure trend missing — A.8.8 scans run but no evidence of mean-time-to-remediation trend; remediate by exporting scan results to a tracking dashboard with the GRC tool as the system of record.
- Change-management exception trail — A.8.32 emergency changes made outside normal process without documented post-hoc approval; remediate with an emergency-change runbook and mandatory post-incident review.
- Cryptography policy gap — A.8.24 cryptography policy not documented or not aligned with implementation; remediate by writing a single cryptography policy that names approved algorithms, key sizes, key-rotation cadence and KMS architecture, then cross-referencing implementation evidence per system.
- Logging gap on Annex A.8.15 — events logged but retention shorter than the documented policy; remediate by enforcing retention at the log-storage layer (S3 object lock, immutable index) rather than relying on application-level retention policy.
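As an added example (not Yobitel's tooling or code from this page), a small Python readiness check for two of the gaps above: SoA scope drift measured against the change log, and A.8.15 log retention measured against the documented logging policy. Store names, policy values and dates are constructed; the checks return findings in the same form an auditor would raise them.

```python
"""Readiness checks for SoA scope drift and A.8.15 log-retention drift.
Added example; all evidence below is constructed, not real Yobitel data."""
from dataclasses import dataclass
from datetime import date


@dataclass
class LogStore:
    name: str
    retention_days: int        # retention actually configured on the store
    storage_layer_lock: bool   # True if enforced at the storage layer (e.g. object lock)
    category: str              # maps to a line in the documented logging policy


# Documented policy: minimum retention per log category (constructed values).
POLICY_RETENTION_DAYS = {"auth": 365, "audit": 730, "app": 90}


def check_log_retention(stores, policy=POLICY_RETENTION_DAYS):
    """A.8.15: flag stores whose configured retention is below policy, and
    stores that rely on application-level retention with no storage-layer lock."""
    findings = []
    for s in stores:
        required = policy[s.category]
        if s.retention_days < required:
            findings.append(f"{s.name}: retention {s.retention_days}d < policy {required}d")
        if not s.storage_layer_lock:
            findings.append(f"{s.name}: retention not enforced at storage layer")
    return findings


def check_soa_drift(soa_last_reviewed, material_changes):
    """Scope drift: any material change (region launch, sub-processor, product line)
    recorded after the last SoA review means the SoA may no longer match the
    operating environment. material_changes is a list of (date, description)."""
    return [desc for when, desc in material_changes if when > soa_last_reviewed]


# Constructed sample evidence: one store under-retains and lacks a lock,
# and one material change post-dates the last SoA review.
SAMPLE_STORES = [
    LogStore("auth-logs", 365, True, "auth"),
    LogStore("audit-trail", 365, False, "audit"),
    LogStore("app-logs", 90, True, "app"),
]
SAMPLE_CHANGES = [
    (date(2025, 3, 1), "onboarded new sub-processor"),
    (date(2025, 9, 15), "launched second region"),
]
SOA_REVIEWED = date(2025, 6, 1)

if __name__ == "__main__":
    for f in check_log_retention(SAMPLE_STORES) + check_soa_drift(SOA_REVIEWED, SAMPLE_CHANGES):
        print("FINDING:", f)
```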
A major nonconformity at recertification is recoverable but expensive: the certificate cannot be re-issued until the nonconformity is closed (typically within 90 days), creating a gap in certification that buyers will notice. Invest in readiness rather than relying on the auditor's discovery process — the cost of a $25,000 readiness exercise is trivial compared to the procurement risk of a lapsed certificate.
Cost of compliance
ISO 27001 cost has three layers: the certification body's audit fees, the readiness and remediation effort, and the ongoing compliance tooling. The table below states typical USD ranges for a mid-sized cloud or SaaS vendor in 2026, covering a single site and a tightly scoped ISMS. Big-Four-equivalent pricing (BSI, LRQA, DNV at the higher end) is roughly 1.5-2x mid-tier pricing for the same scope. ISO 27017 and ISO 27018 overlays are typically bundled with the ISO 27001 audit at incremental cost.
| Cost line | Typical annual range (USD) | Notes |
|---|---|---|
| Stage 1 audit (UKAS-accredited mid-tier CB) | $5,000 - $11,000 | Documentation review; 1-2 days; year 0 only. |
| Stage 2 audit (UKAS-accredited mid-tier CB) | $17,500 - $45,000 | Implementation audit; 3-10 days; year 0 only. |
| Surveillance audit (years 1 and 2) | $11,000 - $22,500 | Per year; narrower scope than stage 2. |
| Recertification audit (year 3) | $17,500 - $37,500 | Full scope; equivalent to stage 2 of the next cycle. |
| ISO 27017 + 27018 overlays | $7,500 - $19,000 additional | Bundled with 27001 audit; covers cloud controls and PII processor controls. |
| Big-Four-equivalent CB (BSI, LRQA, DNV at top end) | 1.5-2x mid-tier | Brand premium; same audit opinion but stronger market signal in some sectors. |
| Readiness consulting (year 1) | $25,000 - $75,000 | Optional but recommended for first-time engagements; cannot be the same firm as the CB. |
| GRC tooling (Vanta, Drata, Secureframe, Sprinto, OneTrust) | $15,000 - $75,000 | Continuous control monitoring; reduces audit-prep effort 40-60%. |
| Penetration testing (annual minimum) | $25,000 - $75,000 | Not strictly required by ISO 27001 but routinely expected; supports A.8.29 evidence. |
| Compliance + security engineering FTE (loaded) | $112,000 - $225,000 per FTE | Realistic floor: 0.5-1 FTE for steady-state; 1-2 FTE in the readiness year. |
| Total year-1 cost (mid-sized cloud vendor) | $50,000 - $100,000 (audit + readiness, excl. FTE) | Indicative; varies by scope, sites and pre-existing posture. |
| Total year-2/3 steady-state cost (excl. FTE) | $30,000 - $60,000 | Includes surveillance audit + GRC tooling; excludes ad-hoc consulting. |
FinOps tip — most mature cloud vendors run ISO 27001 + 27017 + 27018 and SOC 2 Type II on overlapping audit windows so that evidence collected for one supports the other. The marginal cost of adding SOC 2 to an existing ISO 27001 posture is typically 40-60% of standalone SOC 2 cost. Together they cover virtually every enterprise procurement question on the planet for an all-in annual cost of approximately $150,000-$300,000 (excluding FTE).
Where this fits in the Yobitel stack
Yobitel UK Sovereign and the broader Yobitel platform hold ISO/IEC 27001:2022 certification covering all production cloud services, with ISO 27017 (cloud-service controls) and ISO 27018 (PII processor controls) layered as audited overlays. The certificate is issued by a UKAS-accredited certification body on a three-year cycle aligned to the company financial year, with surveillance audits in years 1 and 2 and a full recertification audit in year 3. The current Statement of Applicability and certificate are available under NDA via the customer security portal.
Yobibyte — the self-serve AI platform — inherits the Yobitel UK Sovereign ISO 27001 posture for all workloads running on Yobitel-managed infrastructure. A Yobibyte customer that needs ISO 27001 evidence to discharge its own user-side controller or processor obligations requests the Yobitel ISO 27001 + 27017 + 27018 certificate plus the current Statement of Applicability via the security portal; the artefacts are delivered electronically. Customers operating their own ISO 27001 ISMS and using Yobibyte as a sub-processor cite Yobitel UK Sovereign in their supplier-relationships register under Annex A.5.19-A.5.23.
Omniscient Compute, the federated marketplace for compute capacity, treats ISO 27001 as a provider-eligibility filter rather than a default. Providers participating in Omniscient Compute declare their ISO 27001 posture (current certificate with cloud overlays, current certificate without overlays, in-progress, or none) against the workload classes they are willing to host; the marketplace surfaces only ISO-27001-certified providers when a workspace is flagged as requiring it. A buyer building on Yobibyte can absorb the ISO 27001 evidence chain without contracting separately with the underlying provider — the marketplace contract carries the obligation through.
InferenceBench, the Yobitel benchmarking and evaluation platform, contributes Annex A.8.16 (monitoring activities) and A.8.29 (security testing in development) evidence by maintaining a continuous, automated regression suite against model and infrastructure baselines. Benchmark runs are emitted into the same audit stream as control-plane events, supporting the operational-monitoring evidence the ISO 27001 auditor samples at every surveillance audit.
Where Yobitel UK Sovereign and the customer share responsibility for ISO 27001 evidence — as in every multi-tenant cloud relationship — the boundary is documented in the published shared-responsibility matrix. The matrix names the controls the customer must operate on its own side (typically: workload-level RBAC, in-application authentication, application-layer encryption keys, customer-side change management, customer-side incident response). Customers running their own ISO 27001 ISMS cite the Yobitel certificate as supplier-relationship evidence and operate their own SoA against the controls they retain.
References
- ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements · ISO
- ISO/IEC 27002:2022 — Information security controls · ISO
- ISO/IEC 27017:2015 — Cloud services controls · ISO
- ISO/IEC 27018:2019 — PII protection in public clouds acting as PII processors · ISO
- ISO/IEC 27005:2022 — Information security risk management · ISO
- ISO/IEC 17021-1:2015 — Requirements for bodies providing audit and certification · ISO
- UKAS — United Kingdom Accreditation Service · UKAS
- International Accreditation Forum (IAF) Multilateral Recognition Arrangement · IAF
- NCSC Cloud Security Principles (2023 refresh) · NCSC