ISO/IEC 27001:2022 — 101 for UK businesses

The short version

ISO/IEC 27001 is the international standard for managing information security. If your business handles confidential data (customer details, contracts, financial records, intellectual property) and you want a recognised way to prove you take security seriously, this is the certification. The 2022 revision is the current version. Getting certified is a real project: for a small business, expect 6-12 months and roughly £15,000-£35,000 in the first year, depending on how much consultancy you use. Alignment without certification is achievable in a fraction of that.

What is ISO 27001?

ISO 27001 is one of a series of international standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The full title is Information security, cybersecurity and privacy protection — Information security management systems — Requirements. People shorten it to "ISO 27001" or just "27001".

The standard tells you how to set up and run a structured approach to information security, called an Information Security Management System or ISMS. It doesn't tell you which firewall to buy or which password policy to use. It tells you to have a security policy, a risk management process, procedures for handling incidents, and trained staff. The specifics are up to you; what the standard requires is the discipline of doing them properly, writing them down, and being able to show the evidence.

The current version is ISO/IEC 27001:2022, published in October 2022, replacing the 2013 edition. The 2022 version reorganised the famous Annex A controls (more on those below) from 114 down to 93, grouped into four themes instead of fourteen. If anyone is selling you a service against "ISO 27001:2013", they are referencing the withdrawn previous edition; certificates against it could not be maintained past the transition deadline of 31 October 2025. Insist on 27001:2022.

Why does it exist?

In the 1990s, every large organisation had its own way of doing information security and no two ways were quite the same. When a customer asked a supplier "are you secure?", the supplier could say anything they liked and the customer had no consistent yardstick to measure against. ISO 27001 (and its predecessor, BS 7799 from the British Standards Institution) was designed as a common language: a checklist that any organisation could be audited against, and a badge that meant the same thing whether you were comparing a UK estate agent to a German manufacturer to a Singaporean bank.

That's why the standard is so widely cited in procurement: it's the lingua franca of "we take security seriously" in business-to-business sales.

Who needs it?

Three groups of organisations end up pursuing 27001:

  1. Suppliers who sell to enterprise or government. Most large customers will ask for it in their RFP. Government procurement in the UK frequently lists it as a requirement. Without it, you may not be allowed to bid.
  2. Organisations in regulated sectors — financial services, healthcare, defence, legal — where the regulator expects (or requires) a formal ISMS.
  3. Anyone who wants the discipline. Even without a customer asking, going through the process forces you to document your security practices, find your gaps, and fix them. Many businesses come out of the certification process more secure simply because of the audit.

If none of these apply to you, you almost certainly don't need to be certified. Alignment with the standard — following its controls, being able to show your work — is useful even without the formal badge.

What's an Information Security Management System?

An ISMS sounds intimidating but it's just three things working together:

  • A set of written policies and procedures that say how you do security
  • A process for assessing and managing risk — what could go wrong, how bad would it be, what are you doing about it
  • A rhythm of monitoring, internal audit, and management review — actually checking that your policies are being followed and adjusting when they're not

The standard's structure mirrors this. Clauses 4 through 10 describe the management system: context, leadership, planning, support, operation, performance evaluation, improvement. If you've worked with ISO 9001 (quality management) or ISO 14001 (environmental management), the format will feel familiar — it's the same "plan-do-check-act" cycle wrapped around security.

The famous Annex A controls

Annex A is the part of the standard everyone talks about. It's a catalogue of 93 security controls (in the 2022 version) grouped into four themes:

Theme              | Controls | Examples
5 — Organisational | 37       | Information security policy; supplier relationships; threat intelligence; access control
6 — People         | 8        | Screening; awareness training; non-disclosure agreements
7 — Physical       | 14       | Physical entry controls; secure areas; clear desk policy
8 — Technological  | 34       | Authentication; encryption; logging; secure development; data masking

You don't have to implement all 93. You do have to consider all 93: document which ones apply to you, justify both the inclusions and the exclusions, and record whether each included control is actually implemented. The document where you do this is called a Statement of Applicability (SoA), and it's the one your auditor will spend the most time on, because it is the bridge between your risk assessment and the controls you claim to operate.

A few controls that matter especially in 2026 because of AI use:

  • A.8.11 Data masking — automated removal or replacement of personal data before processing
  • A.8.12 Data leakage prevention — controls to detect and prevent unauthorised disclosure of sensitive data
  • A.5.23 Information security for use of cloud services — relevant any time you're using an LLM provider

Trinito implements all three by design. If you're pursuing 27001 certification and you've not yet thought about your AI use, these controls are where the auditor will press.
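As an added illustration (not Trinito's code, and not anything the standard itself prescribes), here is what the first two of those controls can look like in a few lines of Python: a masking pass that replaces e-mail addresses, UK mobile numbers and National Insurance numbers with typed placeholders (A.8.11), and a gate that refuses to release text to an external provider while any pattern is still present (A.8.12). The patterns, the function names and the sample string are constructed for this example and are deliberately narrow; a real deployment would use a maintained pattern catalogue with tests of its own.

```python
import re

# Constructed, illustrative patterns for three common UK identifiers.
# A production masker would use a maintained catalogue and test cases.
PATTERNS = {
    "EMAIL": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "UK_MOBILE": re.compile(r"\b(?:\+44\s?7|07)\d{3}\s?\d{6}\b"),
    # National Insurance number: two letters from a restricted set,
    # six digits, and a suffix letter A-D.
    "UK_NINO": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}


def mask(text):
    """A.8.11-style masking: replace each match with a typed placeholder.

    Returns the masked text and a per-type count of replacements. The
    counts are what you log as evidence that the control actually ran.
    """
    counts = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def leak_check(text):
    """A.8.12-style gate: list every sensitive pattern still present."""
    return [
        (label, m.group(0))
        for label, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
    ]


def prepare_for_llm(text):
    """Mask, then re-check; refuse to release text that still matches."""
    masked, counts = mask(text)
    residual = leak_check(masked)
    if residual:
        raise ValueError(f"refusing to send: residual sensitive data {residual}")
    return masked, counts


if __name__ == "__main__":
    # Constructed sample input, not real personal data.
    sample = "Contact Jane on jane.doe@example.co.uk or 07700 900123, NI AB123456C."
    out, hits = prepare_for_llm(sample)
    print(out)   # Contact Jane on [EMAIL] or [UK_MOBILE], NI [UK_NINO].
    print(hits)  # {'EMAIL': 1, 'UK_MOBILE': 1, 'UK_NINO': 1}
```

Two practitioner caveats. Pattern-based masking is a baseline, not a guarantee: it will not catch names, addresses or context that identifies someone, so the gate is one control among several and not the whole of A.8.12. And the auditor will want evidence, not just code: keep the per-run counts somewhere durable, because "the masker ran on every request" is exactly the kind of claim the Stage 2 audit checks against reality.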

What does certification involve?

Certification is a real project. Here's the realistic shape of it for a small UK business:

Phase                                                                      | Time          | Cost (indicative, small business)
Gap analysis — work out where you are vs the standard                      | 2-4 weeks     | £2,000-£5,000 (consultant) or DIY
Implementation — write policies, document procedures, fix gaps             | 3-6 months    | £5,000-£15,000 (consultant time, software, training)
Internal audit — check your own work before the certification body arrives | 2-4 weeks     | £1,000-£3,000 (consultant or internal time)
Stage 1 audit — certification body reviews your documentation              | 1-2 days      | £2,000-£4,000
Stage 2 audit — certification body checks the documentation matches reality| 2-3 days      | £4,000-£8,000
Surveillance audits — annual check-ins for the next two years              | 1-2 days/year | £2,000-£4,000/year
Re-certification — full audit every three years                            | every 3 years | Similar to initial audit

Total first-year cost for a small business with no prior security investment: roughly £15,000-£35,000, depending on how much consultancy you use. The certification body must be accredited by UKAS (United Kingdom Accreditation Service) for the certificate to carry weight. BSI, LRQA, BM TRADA and SGS are the well-known ones; many smaller specialists exist too. One caveat when you are on the receiving end: a 27001 certificate covers a defined scope (which sites, systems and services), so when a supplier tells you they are "27001 certified", ask for the certificate and check that the scope statement actually includes the service you are buying.

ISO 27001 versus its relatives

If you're getting into the 27000 series, you'll quickly hit related standards. Here's how they fit together in 2026:

Standard           | What it covers
ISO/IEC 27001:2022 | The main management-system standard. The one you actually certify against
ISO/IEC 27002:2022 | The implementation guide for the Annex A controls. Not certifiable; a reference document
ISO/IEC 27018:2025 | Extension covering protection of personal data in public clouds
ISO/IEC 27017:2015 | Extension covering security for cloud services more broadly
ISO/IEC 27701:2025 | Privacy management. Now a stand-alone standard since the 2025 revision (see our 27701 explainer)
ISO/IEC 27006      | The standard that certification bodies auditing 27001 must themselves follow

You don't need to engage with most of these directly. 27001 is the centre of gravity; the others extend it for specific scenarios.

Do you actually need ISO 27001?

For a UK SMB the answer is often no, at least not yet in the formal certified sense. The cost is meaningful and the benefit only materialises when a customer or regulator specifically asks. For many businesses the practical path is:

  1. Cyber Essentials Plus first — a UK-government-backed scheme that costs £1,500-£3,000, takes a few weeks, and signals security baseline competence
  2. Alignment with ISO 27001 without certification — follow the controls, document your work, be able to answer security questionnaires with confidence
  3. Full ISO 27001 certification when a customer or regulator demands it, or when your business is large enough that the audit cycle pays for itself in faster sales conversations

Trinito's own approach: aligned with the 2022 controls today, Cyber Essentials Plus in progress with an IASME-accredited certifying body, ISO 27001 audit cycle targeted for 2027. We document the mapping in our Statement of Applicability on request and have it ready for any procurement officer who asks.

Further reading

Resource                            | What it covers
ISO official page for 27001:2022    | The standard itself, buyable for a few hundred pounds. Worth having if you're serious
NCSC guidance on 27001 for SMEs     | The UK's National Cyber Security Centre takes on the same problem from a practical perspective
Our ISO 27701 explainer             | The privacy-management sibling standard
Our GDPR explainer                  | The legal regime that ISO 27001 helps you evidence

The one-sentence summary

ISO/IEC 27001:2022 is the international standard for managing information security — useful as a discipline for any organisation that handles confidential data, essential as a certified badge if you sell to enterprises or government, and worth aligning with as soon as you can even if you don't certify yet.
