---
title: "ISO 27001 FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/iso-27001/faq"
source_url: "https://www.sorena.io/artifacts/global/iso-27001/faq"
author: "Sorena AI"
description: "Clear answers to common ISO/IEC 27001:2022 questions on the Statement of Applicability, Annex A, risk treatment, certification, audit evidence."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "ISO 27001 FAQ"
  - "ISO 27001 questions"
  - "Statement of Applicability"
  - "SoA"
  - "ISO 27001 Annex A"
  - "ISO 27001 certification"
  - "ISO 27001 audit"
  - "ISO 27002 vs ISO 27001"
  - "ISO 27005 risk management"
  - "GLOBAL compliance"
  - "ISO/IEC 27001"
  - "FAQ"
  - "ISMS"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ISO 27001 FAQ

Clear answers to common ISO/IEC 27001:2022 questions on the Statement of Applicability, Annex A, risk treatment, certification, audit evidence.

*FAQ* *GLOBAL*

## ISO 27001 FAQ

Straight answers to the ISO 27001 questions teams ask when they are actually building an ISMS.

Focused on current edition facts, audit traceability, and the decisions that usually create confusion.

ISO 27001 questions usually sound simple but hide implementation traps. The recurring ones are about scope, what Annex A really means, how the Statement of Applicability should work, and what an auditor is going to expect to see. This FAQ answers those with the current 2022 edition and current certification context in mind.

## What is ISO/IEC 27001:2022?

ISO/IEC 27001:2022 is the current third edition of the requirements standard for information security management systems. It was published in October 2022; Amendment 1 (ISO/IEC 27001:2022/Amd 1:2024) added the climate action changes, which require the organization to determine whether climate change is a relevant issue in Clause 4.1 and note in Clause 4.2 that interested parties can have climate-related requirements.

The standard is a requirements document, not a library of example controls. It specifies what an ISMS has to do and how it has to be managed.

- Current core edition: third edition, 2022-10
- If you claim conformity, none of the requirements in Clauses 4 to 10 can be excluded; Clause 1 says so explicitly
- Use it as the governing requirements layer for the ISMS

## Do we have to implement every Annex A control?

No. ISO 27001 is risk-based. You determine the controls necessary to implement your chosen risk treatment options (Clause 6.1.3 b), then compare them against Annex A (Clause 6.1.3 c) so that no necessary control from the reference set has been omitted by mistake.

That means exclusions are possible, but only with a defensible rationale and clear documentation in the Statement of Applicability.

- Annex A is a normative reference set used for the comparison step, not a blanket mandate to implement every item; the standard notes that the list is not exhaustive and that controls can be designed as needed or taken from any source
- The 2022 Annex A contains 93 controls in four themes (organizational, people, physical, technological), matching ISO/IEC 27002:2022
- Weak exclusion reasoning, such as "not applicable" with no stated rationale, is one of the most common audit findings

## What exactly must the Statement of Applicability include?

The Statement of Applicability (Clause 6.1.3 d) must identify the necessary controls, justify why they are included, state whether they are implemented, and justify the exclusion of any Annex A controls. It is one of the main outputs of risk treatment.

In practice, the SoA is the shortest route from risk decisions to audit sampling. If it is sloppy, the whole audit gets slower.

- Keep every SoA line tied to a risk treatment decision and a named owner
- Implementation status in the SoA should match current records, not intention
- Use one SoA, not multiple local copies with different truth states

## How do ISO 27002 and ISO 27005 fit in?

ISO 27001 is the requirements standard. ISO 27002 gives guidance on information security controls, and ISO 27005 gives guidance on managing information security risks in support of the ISMS.

A mature implementation uses ISO 27001 to define what must exist, ISO 27002 to improve control design, and ISO 27005 to strengthen the risk cycle.

- Use ISO 27002 when teams need better control implementation guidance
- Use ISO 27005 when teams need a stronger method for identifying, assessing, treating, communicating, monitoring, and reviewing risk

## What is current for certification in 2026?

Certification work should now be anchored to ISO/IEC 27001:2022. The transition period from the 2013 edition ended on 31 October 2025 (the deadline set in IAF MD 26), so the old edition should not be your working assumption for current certification planning.

On the certification-body side, ISO/IEC 27006-1:2024 is the current standard for bodies that audit and certify ISMS, replacing ISO/IEC 27006:2015.

- Expect certification and surveillance activity to be framed against the 2022 edition
- Check certification status through accredited channels such as IAF CertSearch where applicable
- If you operate across sites, multi-site rules can materially affect audit planning

## What do ISO 27001 auditors usually ask for first?

Auditors typically start with scope, the risk methodology, risk assessment results, risk treatment decisions, the Statement of Applicability, and evidence that the selected controls operate. They then move into internal audits, management reviews, and corrective actions.

What they are really testing is whether the ISMS tells one consistent story from decision to evidence.

- Prepare scope, risk method, SoA, risk treatment plan, and a small set of traceability walkthroughs (risk, treatment decision, SoA line, control, evidence) you can step through on request
- Have management review and internal audit outputs ready, not just calendar placeholders
- Be able to show current evidence for the controls you claim are implemented
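The SoA hygiene points above (every line tied to a treatment decision and a named owner, status matching current records, one SoA rather than several local copies) and the auditor's traceability walkthrough can be checked mechanically before the audit. The Python script below is an added example written for this FAQ; it is not Sorena tooling and not a format the standard prescribes. It assumes an SoA kept as rows with a control ID, an included/excluded decision, a justification, an implementation status, an owner, references into a risk treatment plan, and references into an evidence register; the "A.5.1" style identifiers, the 365-day evidence freshness window, and the sample rows, risk IDs and evidence dates are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# ISO/IEC 27001:2022 Annex A lists 93 controls in four themes, numbered
# 5.1-5.37 (organizational), 6.1-6.8 (people), 7.1-7.14 (physical) and
# 8.1-8.34 (technological). The "A." prefix is an assumed local convention.
ANNEX_A_THEMES = {"5": 37, "6": 8, "7": 14, "8": 34}


def annex_a_control_ids() -> list[str]:
    """All 93 Annex A control identifiers in Annex A order."""
    return [f"A.{theme}.{n}"
            for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


@dataclass
class SoaRow:
    """One Statement of Applicability line (assumed shape, not a prescribed format)."""
    control_id: str
    decision: str       # "included" or "excluded"
    justification: str  # why included, or why excluded
    status: str         # "implemented", "planned" or "not_implemented"
    owner: str          # named control owner
    risk_refs: list[str] = field(default_factory=list)      # risk treatment plan entries
    evidence_refs: list[str] = field(default_factory=list)  # records backing "implemented"


@dataclass(frozen=True)
class Finding:
    code: str
    control_id: str
    detail: str


def lint_soa(rows, risk_register, evidence_register, as_of, max_evidence_age_days=365):
    """Cross-check an SoA against the risk treatment plan and the evidence register.

    risk_register: set of valid risk treatment IDs.
    evidence_register: dict of evidence ID -> date the evidence was last verified.
    The 365-day freshness window is an assumption; the standard sets no number.
    """
    findings = []
    counts = {}
    for r in rows:
        counts[r.control_id] = counts.get(r.control_id, 0) + 1
    # One SoA, one truth state per control: two rows for a control means two stories.
    for cid, n in counts.items():
        if n > 1:
            findings.append(Finding("DUPLICATE_CONTROL", cid, f"{n} rows for one control"))
    # Clause 6.1.3 c) comparison: every Annex A control needs a recorded decision.
    for cid in annex_a_control_ids():
        if cid not in counts:
            findings.append(Finding("MISSING_CONTROL", cid, "Annex A control not in SoA"))
    for r in rows:
        if r.decision == "excluded":
            if not r.justification.strip():
                findings.append(Finding("EXCLUSION_UNJUSTIFIED", r.control_id, "no rationale"))
            continue
        if r.decision != "included":
            findings.append(Finding("BAD_DECISION", r.control_id, r.decision))
            continue
        if not r.justification.strip():
            findings.append(Finding("INCLUSION_UNJUSTIFIED", r.control_id, "no rationale"))
        if not r.owner.strip():
            findings.append(Finding("NO_OWNER", r.control_id, "no named owner"))
        if not r.risk_refs:
            findings.append(Finding("NO_RISK_LINK", r.control_id, "not tied to a treatment decision"))
        for ref in r.risk_refs:
            if ref not in risk_register:
                findings.append(Finding("DANGLING_RISK_REF", r.control_id, ref))
        if r.status == "implemented":  # status must match records, not intention
            if not r.evidence_refs:
                findings.append(Finding("NO_EVIDENCE", r.control_id, "implemented without evidence"))
            for ev in r.evidence_refs:
                verified = evidence_register.get(ev)
                if verified is None:
                    findings.append(Finding("EVIDENCE_MISSING", r.control_id, ev))
                elif (as_of - verified).days > max_evidence_age_days:
                    findings.append(Finding("EVIDENCE_STALE", r.control_id, f"{ev} verified {verified}"))
    return findings


def summarize(findings):
    """Finding code -> count, the shape you would put at the top of a readiness report."""
    out = {}
    for f in findings:
        out[f.code] = out.get(f.code, 0) + 1
    return out


def build_sample_soa():
    """Constructed sample: a clean SoA with deliberate defects for the linter to catch."""
    rows = {cid: SoaRow(cid, "included", "Treats R-001", "implemented",
                        "security-lead", ["R-001"], ["EV-001"])
            for cid in annex_a_control_ids()}
    rows["A.7.4"].decision, rows["A.7.4"].justification = "excluded", ""  # unjustified exclusion
    rows["A.7.5"].decision = "excluded"                                    # defensible exclusion
    rows["A.7.5"].justification = "No in-scope physical sites; infrastructure is cloud-hosted (RA-2026-Q1)"
    rows["A.8.12"].evidence_refs = ["EV-404"]  # evidence ID not in the register
    rows["A.8.16"].evidence_refs = ["EV-OLD"]  # evidence older than the freshness window
    rows["A.5.30"].risk_refs = []              # included but not tied to a treatment decision
    rows["A.5.19"].risk_refs = ["R-999"]       # points at a risk the plan does not contain
    rows["A.8.7"].owner = ""                   # no named owner
    del rows["A.8.34"]                         # control silently dropped from the SoA
    rows_list = list(rows.values())
    rows_list.append(rows["A.6.1"])            # second copy of a control
    return rows_list


def run_sample():
    risk_register = {"R-001"}                                                       # constructed
    evidence_register = {"EV-001": date(2026, 1, 10), "EV-OLD": date(2024, 1, 15)}  # constructed
    return lint_soa(build_sample_soa(), risk_register, evidence_register, as_of=date(2026, 3, 4))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.code:22} {f.control_id:8} {f.detail}")
    print(summarize(run_sample()))
```

Run against the constructed sample it reports eight findings, one per defect, and nothing for A.7.5, whose exclusion carries a rationale. Pointing `lint_soa` at your real SoA export, risk treatment plan IDs and evidence register gives you the same cross-checks an auditor performs by sampling, with the difference that you see the gaps first.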

*Recommended next step*


## Use ISO 27001 FAQ as a cited research workflow

Research Copilot can turn this ISO 27001 FAQ, with its cited answers to recurring questions, into a reusable workflow inside Sorena. Teams working on ISO 27001 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for ISO 27001 FAQ](/solutions/research-copilot.md): Start from ISO 27001 FAQ and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through ISO 27001](/contact.md): Review your current process, evidence gaps, and next steps for ISO 27001 FAQ.

## Primary sources

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - Primary current ISO/IEC 27001 page, including amendment and lifecycle details.
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - Current controls guidance standard aligned with the ISO 27001 Annex A reference set.
- [ISO/IEC 27005:2022 standard page](https://www.iso.org/standard/80585.html?ref=sorena.io) - Current information security risk guidance standard.
- [ISO/IEC 27006-1:2024 standard page](https://www.iso.org/standard/82908.html?ref=sorena.io) - Current certification-body requirements for ISMS certification.

## Related Topic Guides

- [ISO 27001 Audit Readiness](/artifacts/global/iso-27001/audit-readiness.md): Prepare for ISO/IEC 27001 audits with a structured evidence pack, SoA traceability, internal audit and management review outputs.
- [ISO 27001 Compliance Playbook](/artifacts/global/iso-27001/compliance.md): Implement ISO/IEC 27001:2022 with a practical ISMS playbook for scope, risk assessment, risk treatment, Statement of Applicability, Annex A alignment.
- [ISO 27001 Implementation Roadmap](/artifacts/global/iso-27001/implementation-roadmap.md): A practical ISO/IEC 27001:2022 implementation roadmap with phases, gates, scope decisions, risk and SoA milestones, control rollout priorities.
- [ISO 27001 Requirements and Evidence](/artifacts/global/iso-27001/requirements.md): Understand ISO/IEC 27001:2022 requirements across Clauses 4 to 10, Annex A, risk treatment, and the Statement of Applicability.
- [ISO 27001 vs NIS2](/artifacts/global/iso-27001/iso-27001-vs-nis2.md): See how ISO/IEC 27001:2022 supports NIS2 cybersecurity governance and where NIS2 adds legal obligations for incident reporting, supervision.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/iso-27001/faq
