---
title: "ISO Standards Hub FAQ (27001, 27005, 27017, 27018, 27035, 27036, 22301, 42001)"
canonical_url: "https://www.sorena.io/artifacts/global/iso-standards-hub/faq"
source_url: "https://www.sorena.io/artifacts/global/iso-standards-hub/faq"
author: "Sorena AI"
description: "FAQ for ISO standards selection and implementation: what certification means, which standard to start with."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "ISO standards FAQ"
  - "ISO 27001 FAQ"
  - "ISO 27001 certification FAQ"
  - "ISO 27005 risk management FAQ"
  - "ISO 27017 cloud security FAQ"
  - "ISO 27018 PII public cloud FAQ"
  - "ISO 27035 incident response FAQ"
  - "ISO 27036 supplier security FAQ"
  - "ISO 22301 business continuity FAQ"
  - "ISO 42001 AI management system FAQ"
  - "ISO standards evidence"
  - "ISO audit evidence"
  - "GLOBAL compliance"
  - "ISO standards"
  - "FAQ"
  - "Audit evidence"
  - "Implementation"
---

---

# ISO Standards Hub FAQ (27001, 27005, 27017, 27018, 27035, 27036, 22301, 42001)

FAQ for ISO standards selection and implementation: what certification means, which standard to start with.


## ISO Standards Hub FAQ

Quick answers to common ISO standards and certification questions.

Focused on selection, implementation, evidence, and audit readiness.

Use this FAQ to answer the practical selection questions teams hit after the first web search: which standards are management-system anchors, which are guidance series, what certification actually means, how current editions matter, and how to keep one evidence pack across standards and regulations.

## Which ISO standards in this hub are usually the governance anchors?

In this hub, the clearest governance anchors are ISO/IEC 27001 for security management, ISO 22301 for business continuity management, and ISO/IEC 42001 for AI management systems. Those are the standards you use when you need structured scope, policy, roles, audit, management review, and continual improvement.

Standards like ISO/IEC 27005, 27017, 27018, 27035, and 27036 are then used to sharpen the operating model in specific risk areas.

- Start with the anchor when you need a system that can be governed and audited over time
- Add domain standards when you need deeper practice for cloud, incidents, suppliers, or AI-specific execution
- Avoid implementing only a specialist standard when the real gap is governance discipline

## Why do current editions and multi-part series matter so much?

Because the shorthand name often hides important differences. ISO/IEC 27035 and ISO/IEC 27036 are series, not single short checklists. ISO/IEC 27018 now has an active 2025 edition on the ISO listing, while many teams still reference the earlier 2019 control model.

If you do not pin the edition or part number, teams can end up talking past each other about different requirements, controls, or operating assumptions.

- Write edition and part numbers into policies, evidence indexes, and procurement references
- Recheck whether a standard is current, withdrawn, or revised before major adoption decisions
- Use the series when the risk problem spans planning, operations, supplier depth, or cloud responsibilities

## What does ISO certification mean and what does it not mean?

Certification normally means an accredited certification body audited a defined management-system scope against a certifiable standard. It is evidence of management-system maturity within that scope at the time of audit.

It does not automatically mean all products, suppliers, or legal obligations are covered. It also does not turn a guidance standard into a certification result by itself.

- Always read the scope statement
- Treat certification as one assurance layer, not as a universal compliance claim
- Keep evidence current between audits or certification value degrades quickly

## How should we keep one evidence pack across several standards?

Maintain a single evidence index that maps each standard requirement or control area to the artifacts, owners, cadence, and storage location that prove it. That is how you stop standards work from turning into parallel document stacks.

The same index can usually support audits, customer due diligence, and regulation mapping if it is built with enough specificity.

- Keep scope, inventory, ownership, risk, control-operation, audit, and corrective-action artifacts in one map
- Use periodic refresh plus material-change triggers
- Record which standard edition or series part each artifact supports when that matters
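The single evidence index described above, together with the edition-pinning advice from the earlier section, is easy to keep honest with a small checker. The following is an added example, not code from Sorena or from any ISO publication: each index entry records the standard, the pinned edition or series part, the clause, the artifact location, its owner, a refresh cadence and the last review date, plus a material-change flag. The checker reports entries whose cadence has lapsed, entries with a raised material-change trigger, and entries with no edition or part recorded; a second helper shows which artifacts already serve more than one standard. All clause references, paths, owners and dates in the sample index are constructed for illustration.

```python
"""Evidence-index checker (added example; entries below are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class EvidenceEntry:
    standard: str           # e.g. "ISO/IEC 27001"
    edition_or_part: str    # e.g. "2022" or "27036-2:2022"; "" means not pinned
    requirement: str        # clause or control reference within that edition
    artifact: str           # storage location of the proof (hypothetical paths)
    owner: str
    refresh_days: int       # periodic refresh cadence in days
    last_reviewed: date
    material_change: bool = False  # set when scope, system or supplier changed


def check_index(index, today):
    """Classify entries as stale (cadence lapsed), triggered (material change
    raised) or unpinned (no edition/part recorded). Returns lists of keys."""
    result = {"stale": [], "triggered": [], "unpinned": []}
    for e in index:
        key = f"{e.standard} {e.requirement}"
        if not e.edition_or_part:
            result["unpinned"].append(key)
        if e.material_change:
            # A material-change trigger overrides the periodic cadence.
            result["triggered"].append(key)
        elif today - e.last_reviewed > timedelta(days=e.refresh_days):
            result["stale"].append(key)
    return result


def reuse_map(index):
    """Artifacts that prove requirements in more than one standard, so the
    same proof is refreshed once rather than kept in parallel document stacks."""
    by_artifact = {}
    for e in index:
        by_artifact.setdefault(e.artifact, set()).add(e.standard)
    return {a: sorted(s) for a, s in by_artifact.items() if len(s) > 1}


# Constructed sample index; clause numbers and paths are illustrative only.
SAMPLE_INDEX = [
    EvidenceEntry("ISO/IEC 27001", "2022", "A.5.19",
                  "evidence/supplier-register.xlsx", "Procurement", 90,
                  date(2025, 11, 1)),
    EvidenceEntry("ISO/IEC 27036", "27036-2:2022", "5.3",
                  "evidence/supplier-register.xlsx", "Procurement", 90,
                  date(2026, 2, 10)),
    EvidenceEntry("ISO/IEC 27018", "", "A.10",
                  "evidence/cloud-pii-retention.md", "Privacy", 180,
                  date(2026, 1, 15)),
    EvidenceEntry("ISO 22301", "2019", "8.4",
                  "evidence/bcp-test-report.pdf", "Resilience", 365,
                  date(2025, 9, 1), material_change=True),
    EvidenceEntry("ISO/IEC 42001", "2023", "6.1.2",
                  "evidence/ai-risk-register.md", "AI Governance", 90,
                  date(2026, 1, 20)),
]

AS_OF = date(2026, 3, 4)

if __name__ == "__main__":
    for bucket, keys in check_index(SAMPLE_INDEX, AS_OF).items():
        print(f"{bucket}: {keys}")
    for artifact, standards in reuse_map(SAMPLE_INDEX).items():
        print(f"shared artifact {artifact}: {standards}")
```

Run it on a real index exported from whatever tool holds the evidence map; anything in the `unpinned` bucket is exactly the edition-ambiguity problem the earlier section warns about, and the `triggered` bucket is where material-change events (a new supplier, a scope change, a cloud migration) should land regardless of cadence.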

## How do ISO standards help with regulations without replacing them?

Standards are voluntary operating models. Regulations are mandatory legal obligations. The leverage point is evidence reuse: use the ISO operating model to produce governance, risk, monitoring, supplier, and corrective-action artifacts that can also support regulation programs.

That does not remove the need for legal scoping, deadlines, or role-specific regulatory analysis.

- Use ISO 27001 to strengthen baseline security governance
- Use ISO 42001 to strengthen AI governance and documentation discipline
- Still validate scope, timing, and legal obligations against the primary regulation text


## Use ISO Standards Hub FAQ as a cited research workflow

Research Copilot can take ISO Standards Hub FAQ from cited answers to recurring questions on this topic to a reusable workflow inside Sorena. Teams working on ISO Standards Hub can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for ISO Standards Hub FAQ](/solutions/research-copilot.md): Start from ISO Standards Hub FAQ and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through ISO Standards Hub](/contact.md): Review your current process, evidence gaps, and next steps for ISO Standards Hub FAQ.

## Primary sources

- [ISO - Standards catalogue](https://www.iso.org/standards.html?ref=sorena.io) - Official ISO standards catalogue and scope statements.
- [ISO/IEC 27001:2022 - ISO standard page](https://www.iso.org/standard/27001?ref=sorena.io) - ISMS requirements and certification context.
- [ISO/IEC 42001:2023 - ISO standard page](https://www.iso.org/standard/81230.html?ref=sorena.io) - AI management system requirements and annexes.
- [Regulation (EU) 2016/679 - GDPR (official text)](https://eur-lex.europa.eu/eli/reg/2016/679/oj?ref=sorena.io) - Primary legal source for the GDPR.

## Related Topic Guides

- [Choose the Right ISO Standard (27001, 27005, 27017, 27018, 27035, 27036, 22301, 42001)](/artifacts/global/iso-standards-hub/choose-the-right-standard.md): A practical decision guide to choose the right ISO standard by objective: ISMS certification (ISO 27001), risk management (ISO 27005).
- [ISO Standards vs Regulations (How to Combine Both)](/artifacts/global/iso-standards-hub/iso-standards-vs-regulations.md): Standards vs regulations explained: what ISO standards do (governance + controls + evidence) vs what laws require (scope + obligations + enforcement).
- [What's Included in the ISO Standards Hub (Coverage + Bundles)](/artifacts/global/iso-standards-hub/what-is-included.md): Coverage map of key ISO standards for cybersecurity, privacy, resilience, and AI governance: ISO 27001, ISO 27005, ISO 27017, ISO 27018, ISO 27035, ISO 27036.


---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

