Decision GuideGLOBAL

ISO Standards Hub Choose the Right Standard

Pick the ISO standard that matches your objective and evidence needs.

Fast guide for security, procurement, resilience, and AI governance teams.

Back to main artifact Review sources

Author

Sorena AI

Published

Mar 4, 2026

Updated

Mar 4, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Mar 4, 2026

Updated Mar 4, 2026

Overview

Most teams waste months implementing the wrong standard first or treating a guidance standard like a certification standard. Use this guide to start with the real objective: certification-ready governance, risk method, cloud controls, incident response, supplier assurance, business continuity, or AI governance. Then choose the standard or bundle that creates the most reusable structure and evidence.

Section 1

Start with the objective, then check whether you need a management system or guidance standard

The fastest way to choose well is to separate management-system needs from deep-practice needs. If you need a certifiable governance backbone, start with a management-system standard such as ISO/IEC 27001, ISO 22301, or ISO/IEC 42001.

If you already have that backbone and need depth in a specific domain, add the right guidance standard or multi-part series rather than forcing one standard to do everything.

Management-system backbone: ISO/IEC 27001 for security governance, ISO 22301 for continuity, ISO/IEC 42001 for AI governance
Domain depth: ISO/IEC 27005 for risk method, ISO/IEC 27017 and 27018 for cloud, ISO/IEC 27035 for incident management, ISO/IEC 27036 for supplier security
Decision rule: choose the standard that creates the evidence the next audit, customer review, or governance decision will actually require

Section 2

Use the current series reality, not the short marketing label

Several standards in this hub are series, not single-document answers. ISO/IEC 27035 is currently grounded here as Part 1:2023, Part 2:2023, and Part 3:2020. ISO/IEC 27036 is grounded here as Part 1:2021, Part 2:2022, Part 3:2023, and Part 4:2016.

Cloud and AI standards also need version awareness. The ISO listing now shows ISO/IEC 27018:2025 as the active edition, while much operational guidance in practice still maps closely to the 2019 control themes. ISO/IEC 42001 is the 2023 AI management-system standard.

Do not buy or implement a standard from memory - verify the edition and whether it is a multi-part series
Use the series when the risk problem spans process, operations, contracts, or cloud allocation
Document edition assumptions in your evidence pack when your operating model depends on them

Section 3

Recommended bundles that produce reusable evidence

Bundles work best when each standard contributes a clear layer instead of overlapping blindly. The right bundle creates a single evidence index with shared owners, cadence, and review triggers.

The most useful bundles are the ones that mirror how real audits and customer assurance requests land on the team.

SaaS and public cloud: ISO/IEC 27001 + ISO/IEC 27005 + ISO/IEC 27017 + ISO/IEC 27018 when you process PII in public cloud
Incident-driven environment: ISO/IEC 27001 + ISO/IEC 27035 to connect governance, incident logs, playbooks, and lessons learned
Supplier-heavy environment: ISO/IEC 27001 + ISO/IEC 27036 for tiering, contracts, indirect suppliers, and monitoring cadence
AI governance: ISO/IEC 42001 plus your security baseline and, where relevant, legal mapping such as the EU AI Act
Resilience-led environment: ISO/IEC 27001 + ISO 22301 when service continuity and recovery governance are core business requirements

Recommended next step

Use ISO Standards Hub Choose the Right Standard as a cited research workflow

Research Copilot can take ISO Standards Hub Choose the Right Standard from getting cited answers and faster research on this topic to a reusable workflow inside Sorena. Teams working on ISO Standards Hub can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Research workflow

Open Research Copilot for ISO Standards Hub Choose the Right Standard

Start from ISO Standards Hub Choose the Right Standard and answer scope, timing, and interpretation questions with cited outputs.

Explore next step

Talk to Sorena

Talk through ISO Standards Hub

Review your current process, evidence gaps, and next steps for ISO Standards Hub Choose the Right Standard.

Explore next step

Primary sources

References and citations

ISO - Standards catalogue

iso.org

Referenced sections

Browse official ISO standards, scope statements, and publication information.

ISO/IEC 27001:2022 - ISO standard page

iso.org

Referenced sections

ISMS requirements and certification context.

ISO/IEC 27005:2022 - ISO standard page

iso.org

Referenced sections

Information security risk management guidance.

ISO/IEC 27017 - ISO standard page

iso.org

Referenced sections

Cloud security controls.

ISO/IEC 27018 - ISO standard page

iso.org

Referenced sections

PII protection in public cloud acting as a PII processor.

ISO/IEC 42001:2023 - ISO standard page

iso.org

Referenced sections

AI management system requirements and annexes.

Related guides

Explore more topics

ISO Standards Hub FAQ (27001, 27005, 27017, 27018, 27035, 27036, 22301, 42001)

FAQ for ISO standards selection and implementation: what certification means, which standard to start with.

ISO Standards vs Regulations (How to Combine Both)

Standards vs regulations explained: what ISO standards do (governance + controls + evidence) vs what laws require (scope + obligations + enforcement).

What's Included in the ISO Standards Hub (Coverage + Bundles)

Coverage map of key ISO standards for cybersecurity, privacy, resilience, and AI governance: ISO 27001, ISO 27005, ISO 27017, ISO 27018, ISO 27035, ISO 27036.