ISO 27001
International standard that defines the requirements for establishing, operating and continually improving an Information Security Management System (ISMS). Certification is granted by an accredited body after an initial audit, followed by annual surveillance audits.
What ISO 27001 is
ISO/IEC 27001 is the reference international standard for information security management. It sets out the requirements of an ISMS: a risk-based approach, technical and organisational controls, and continual improvement.
The current version is ISO/IEC 27001:2022, which restructured Annex A controls into four categories: organisational, people, physical, technological.
What the certification requires
- Security policy approved by top management.
- Documented risk analysis (often following EBIOS or ISO 27005).
- Statement of Applicability justifying the controls retained.
- Technical and organisational measures deployed and auditable.
- Performance indicators reviewed regularly.
- Annual internal audit and management review.
- External audit by an accredited body (initial + surveillance).
Typical certification timeline
For an SMB of 50 to 200 employees starting from medium maturity, expect 9 to 12 months from kick-off to certification. For a mid-sized firm, 12 to 18 months. The cost splits between internal time, external consulting and the official audit.
ISO 27001 at Hexceos
Hexceos is ISO 27001 and ISO 27005 certified across its full perimeter, and supports clients from gap analysis to certification. See audit & compliance services.
Last updated: 19 May 2026