
ISO 27001:2022 — Information Security Management Systems

ISO 27001 is the international standard for an information security management system (ISMS). It provides a risk-based framework for protecting the confidentiality, integrity, and availability of information through a defined set of security controls and continual review.

Who needs ISO 27001?

Software companies, SaaS providers, financial services, healthcare, and any organization that handles sensitive customer data or must answer enterprise security questionnaires.

Typical industries: Software & SaaS, Financial services, Healthcare, Telecom, Cloud & hosting, Professional services.

How does ISO 27001 certification work?

Certification starts with a two-stage initial audit (Stage 1 and Stage 2). The certificate is then valid for three years, subject to annual surveillance audits, with a recertification audit in year three.

The structure of ISO 27001

  • Clause 4 — Context of the organization
  • Clause 5 — Leadership
  • Clause 6 — Planning (risk assessment and treatment)
  • Clause 7 — Support
  • Clause 8 — Operation
  • Clause 9 — Performance evaluation
  • Clause 10 — Improvement
  • Annex A — 93 information security controls (2022 revision)

How SWC CRM helps you manage ISO 27001 certification

Keep your SoA and risk records together

Store the Statement of Applicability, risk assessment, and risk treatment plan in the evidence library — linked to the clauses and Annex A controls they support.

Audit the ISMS clause by clause

Run internal and certification audits with a configurable ISO 27001 checklist that covers both the management clauses and Annex A controls.

Track nonconformities to closure

Log findings, assign corrective actions and owners, and track every item to verified closure with automatic reminders.

Stay continuously certified

Automated surveillance and recertification scheduling keeps your ISMS certificate valid across the full three-year cycle.

Manage ISO 27001 certification in one platform

Run ISO 27001 projects, clause-by-clause audits, evidence, and renewals in SWC CRM — fully customizable to your team's workflow.

ISO 27001 certification: frequently asked questions

What is the difference between ISO 27001 and SOC 2?

ISO 27001 is an international certification for an information security management system, audited against a fixed standard. SOC 2 is a US attestation report against the AICPA Trust Services Criteria. Many companies pursue both; ISO 27001 is more widely recognized outside North America.

How many controls are in ISO 27001:2022?

The 2022 revision of ISO 27001 lists 93 controls in Annex A, grouped into four themes: organizational, people, physical, and technological. The previous 2013 version had 114 controls across 14 domains.

How long does ISO 27001 certification take?

Most organizations achieve ISO 27001 certification in three to nine months. The timeline depends on the scope, the maturity of existing security controls, and how quickly the risk assessment and documentation are completed.

New to certification? Start with our step-by-step certification guide or browse the ISO glossary.