Question 1

What is ISO 27001?

Accepted Answer

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It defines how organisations must systematically manage information security risks to protect the confidentiality, integrity, and availability of information. The standard provides a risk-based management framework and is certifiable by an accredited certification body.

Question 2

Who needs ISO 27001?

Accepted Answer

ISO/IEC 27001 is relevant for any organisation that manages sensitive, confidential, or business-critical information, regardless of sector or size. It is increasingly expected in sectors where trust, security, and accountability are essential, including technology providers, cloud and SaaS companies, financial services, and healthcare organisations.

Question 3

What are Annex A controls?

Accepted Answer

Annex A of ISO/IEC 27001 contains the set of reference information security controls that organisations can select to treat identified risks. In the 2022 revision, Annex A consists of 93 controls grouped into four categories: organisational, people, physical, and technological controls.

Question 4

What evidence is required?

Accepted Answer

ISO/IEC 27001 requires organisations to demonstrate the effective design, implementation, and operation of their ISMS through documented and verifiable evidence. This includes policies and procedures, risk assessments, operational evidence like system configurations and access control records, and governance records.

Question 5

How does Basenorm support ISO 27001?

Accepted Answer

Basenorm supports ISO/IEC 27001 by providing a centralised, control-first governance platform that helps organisations implement, manage, and demonstrate their Information Security Management System in a consistent and auditable way, with unified controls and continuous monitoring.

Question 6

What is the difference between ISO 27001 and ISO 27002?

Accepted Answer

ISO 27001 defines the formal requirements for establishing and maintaining an Information Security Management System (ISMS) and is certifiable. ISO 27002 is a code of practice providing implementation guidance for the controls referenced in Annex A of ISO 27001.

Question 7

How often must ISO 27001 be audited?

Accepted Answer

ISO/IEC 27001 certification follows a three-year certification cycle with annual surveillance audits. After initial certification, organisations undergo surveillance audits each year and a full recertification audit every three years.

ISO 27001 Compliance for Information Security Management

Automated Annex A Mapping

Annex A Control Families

ISMS Certification Cycle

Continuous Certification Readiness

Unified Risk and Governance Alignment

Risk Treatment Status

Frequently Asked Questions