Yes! There is a lot of buzz going on in information security. Questions like ‘is our company secure in terms of Information security?’, ‘How can we check?’, ‘Is there a Checklist?’, ‘What are the information security criteria?’ etc. The solution to all these questions can be found in the basics of an ISO 27001 certification.

What is ISO 27001 Certification?

ISO 27001 standard stands for Information Security Management System (ISMS). It gives a specification for information security. It is the basic framework of a set of policies, practice & procedure that include a regulatory requirement (physical, technical & administrative controls). When we speak about controls, we can simply classify it under three ways along with the department responsible for it.


  Dept Responsible Examples
Physical or Admin controls Admin or facility manager Locks, Alarm systems, Video surveillance
Digital or Technical controls IT Support or IT Manager  
Administrative controls Human Resource or Management Heads  

What are the simple steps to Implement IT security, Is there an ISO 27001-ISMS Checklist?

Yes, there are a number of ISMS checklists which you can download for reference. Also, you can reach out to our CertPro professionals for such ISMS checklists.

Based on our research which is generally practiced by top companies, we have simplified the standards to 7 steps and they are given below;

Step 1: Identify the key areas of the organization.

Step 2: Classify information simply as confidential, internal, and public.

Step 3: Define the access for the above and identify the risk involved with it.

Step 4: Invest your resources on securing the most valuable assets and confidential information by selecting the right controls.

Step 5: Monitor the controls implemented.

Step 6: Define your back-ups as a Business Continuity Plan

Step 7: Conduct multiple iterations of audits to narrow down the process.

What are the areas of control for ISO 27001 ISMS & what do ISMS clauses mean?

There are 10 clauses in the ISO 27001:2013 version and they represent the following; Clause 1 to clause 3 are non-auditable clauses and clause 4 to clause 10 are auditable clauses. All areas of control are explained from clause 4 to clause 10.

Clause 1- Scope

Clause 2- Normative reference

Clause 3- Terms & definition

Clause 4- Context of organization- Organization context, the scope of work, needs 7 expectations from interested parties, the need of an ISMS and management commitment towards implementing ISMS.

Clause 5- Leadership- defining roles & responsibility, defining ISMS policy, Commitments for implementing ISMS, a person (CISO- Chief Information Security Officer) or a team (Core Team) to look after all ISMS activities.

Clause 6- Planning – ISMS objectives (Setting short term and long term goals) and a plan to achieve those objectives.

Clause 7- Support – Identify the resources, train your team on ISMS, evaluate the skills and increase knowledge of the current system and its requirement. Besides these, you also need to define the internal and external communications and the documentation management system.

Clause 8- Operations – Core business activity and the plans to achieve it, risk identification while planning & choosing the appropriate methodology to treat the risk.

Clause 9- Performance evaluation- Verify, validate, analyze and conduct internal audits and management review meetings.

Clause 10- Improvement- Identifying the areas to be improved, prioritizing & finding the corrective actions and setting new objectives and goals for continual improvement.

Annex A is a reference control objectives and controls

ISO 27001 Certification

So what is Annex A? Is Annex A and Statement of Applicability (SOA) the same? What does it say?

Annex A is also known as Statement of Applicability (SOA).

A5– Polices for ISMS (Administrative Controls- ISMS policy)

A6– Organization commitment for Information Security (Administrative Controls – Internal duties, Mobile device policies, etc.)

A7– Human Resource security-  on before hiring, during tenure and after exit (Administrative controls- Non Disclosure Agreement, Back Ground verification, etc.)

A8– Asset management (Administrative, Physical and Technical controls – Asset responsibility, Classify, label & data handling & disposal)

A9– Limitation on Access (Administrative, Physical and Technical controls – Access Control Policy, User management, Access Responsibility, System & application-level access controls)

A10– Cryptography (Technical control – Policy and key management)

A11– Physical security (Admin controls – Locks, Barriers, surveillance camera, Asset security, etc.)

A12– Operation Security (Administrative, Physical and Technical controls – Document controls, Software & Applications controls, Backups and Logging, Vulnerability Assessment and Penetration Testing VAPT)

A13– Security on Communication (Administrative, Physical and Technical controls- Internal & external Network segregation control, security on sharing data within the network, etc.)

A14– Security on development & the core system (Administrative, Physical and Technical controls- Engineering principles, trusted applications, Test criteria, Back up plans, roll-back procedure, etc.)

A15– Vendor Management (Administrative, Physical and Technical controls- Vendor agreements, Service level agreements, Operational level agreements, Information security in supplier relationship, Response & resolution time, delivery principles, etc.

A16– Incident Management (Administrative, Physical and Technical controls- Procedure, responsibility, Awareness and Disaster management, etc.)

A17– Business Continuity Management (Administrative, Physical and Technical controls- Plan, implement, review & availability)

A18– Compliance (Administrative, Physical and Technical controls- Legal, NDA, Customer agreement, third party audits inputs and output review, administrative and technical compliance)

Now you have the above items as a reference, what to implement, which area to address for information security. You can always reach out to CertPro, our team been technically implementing ISO 27001 and are happy to assist you with implementing, guide you by providing sufficient knowledge and templates.

Who can have ISO 27001? What is the current version? Is there any revision, if so when will it be released?

Organizations operating on huge amounts of data with security of this data as their primary concern. Some of the major sectors are Banking for securing their customer financial data and other company transactions, Hospitals – for securing their patients’ health data & other methodologies of treatment,  Software product & service-based companies, Government Offices as most of the citizens’ data is processed and stored, etc.

The latest version is 2013, last reviewed in 2019 and is confirmed to hold the same as the 2013 version.


As there has been a revision in 2019, further reviews and updates usually take on a year to be released. Major changes will be identified and the standard will be revised and released, 2024-25 is the expectated new release year of the standard.



In today's digital landscape, ensuring the safeguarding of client data is paramount for businesses. Adhering to recognized compliance standards is vital to meeting this demand. ISO 27001 vs. SOC 2 represent two prominent benchmarks in the realm of data security with...

read more


The esteemed ISO 27001 security framework is designed to evaluate the effectiveness of an organization's Information Security Management System (ISMS) in safeguarding its data. Obtaining ISO 27001 certification is a practical way for a corporation to demonstrate its...

read more

Get In Touch 

have a question? let us get back to you.