ISO 27001 FAQ

Straight answers to the ISO 27001 questions teams ask when they are actually building an ISMS.

Focused on current edition facts, audit traceability, and the decisions that usually create confusion.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

ISO 27001 questions usually sound simple but hide implementation traps. The recurring ones are about scope, what Annex A really means, how the Statement of Applicability should work, and what an auditor is going to expect to see. This FAQ answers those with the current 2022 edition and current certification context in mind.

Question 1

What is ISO/IEC 27001:2022?

ISO/IEC 27001:2022 is the current third edition of the requirements standard for information security management systems. It was published in October 2022 and later received Amendment 1 in 2024 for climate action changes.

The standard is a requirements document, not a library of example controls. It specifies what an ISMS has to do and how it has to be managed.

  • Current core edition: third edition, 2022-10
  • If you claim conformity, requirements in Clauses 4 to 10 cannot be excluded
  • Use it as the governing requirements layer for the ISMS

Question 2

Do we have to implement every Annex A control?

No. ISO 27001 is risk-based. You determine necessary controls through risk treatment, then compare them against Annex A so that no necessary control from the reference set has been omitted by mistake.

That means exclusions are possible, but only with a defensible rationale and clear documentation in the Statement of Applicability.

  • Annex A is a normative reference set, not a blanket mandate to implement every item
  • The 2022 reference structure aligns to 93 controls used in ISO/IEC 27002:2022
  • Weak exclusion reasoning is one of the most common audit issues

Question 3

What exactly must the Statement of Applicability include?

The Statement of Applicability must identify the necessary controls, justify why they are included, state whether they are implemented, and justify exclusions of Annex A controls. It is one of the main outputs of risk treatment.

In practice, the SoA is the shortest route from risk decisions to audit sampling. If it is sloppy, the whole audit gets slower.

  • Keep every SoA line tied to a risk treatment decision and a named owner
  • Implementation status in the SoA should match current records, not intention
  • Use one SoA, not multiple local copies with different truth states

Question 4

How do ISO 27002 and ISO 27005 fit in?

ISO 27001 is the requirements standard. ISO 27002 gives guidance on information security controls, and ISO 27005 gives guidance on managing information security risks in support of the ISMS.

A mature implementation uses ISO 27001 to define what must exist, ISO 27002 to improve control design, and ISO 27005 to strengthen the risk cycle.

  • Use ISO 27002 when teams need better control implementation guidance
  • Use ISO 27005 when teams need a stronger method for identifying, assessing, treating, communicating, monitoring, and reviewing risk

Question 5

What is current for certification in 2026?

Certification work should now be anchored to ISO/IEC 27001:2022. The transition period from the 2013 edition has ended, so the old edition should not be your working assumption for current certification planning.

On the certification-body side, ISO/IEC 27006-1:2024 is the current standard for bodies that audit and certify ISMS.

  • Expect certification and surveillance activity to be framed against the 2022 edition
  • Check certification status through accredited channels such as IAF CertSearch where applicable
  • If you operate across sites, multi-site rules can materially affect audit planning

Question 6

What do ISO 27001 auditors usually ask for first?

Auditors typically start with scope, the risk methodology, risk assessment results, risk treatment decisions, the Statement of Applicability, and evidence that the selected controls operate. They then move into internal audits, management reviews, and corrective actions.

What they are really testing is whether the ISMS tells one consistent story from decision to evidence.

  • Prepare scope, risk method, SoA, risk treatment plan, and a small set of traceability walkthroughs
  • Have management review and internal audit outputs ready, not just calendar placeholders
  • Be able to show current evidence for the controls you claim are implemented

Recommended next step

Use ISO 27001 FAQ as a cited research workflow

Research Copilot can turn the cited answers in this ISO 27001 FAQ into a reusable workflow inside Sorena. Teams working on ISO 27001 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
