A GRC practitioner's guide to the ISO/IEC 27000 series — covering the ISMS requirements of ISO 27001, the control implementation guidance of ISO 27002, industry adoption, and the documentation practices required for certification and sustained conformity.
The ISO/IEC 27000 series has become a cornerstone of global information security governance. Within the series, ISO/IEC 27001 and ISO/IEC 27002 are the most widely recognized and implemented standards.
Together, these standards offer a practical framework for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). While ISO/IEC 27001 defines the requirements for a certifiable ISMS, ISO/IEC 27002 provides the implementation guidance for security controls.
This page provides a cybersecurity-focused summary of ISO/IEC 27001 and ISO/IEC 27002 from a GRC practitioner's perspective: the history of the standards, practical compliance strategies, and the role of high-quality documentation in running a program that is secure, compliant and resilient.
ISO/IEC 27001 and ISO/IEC 27002 offer more than just a security checklist — they combine to build an Information Security Management System (ISMS). An ISMS is a way for organizations to demonstrate that cybersecurity is not a one-time project, but a structured, ongoing and accountable enterprise function.
The origins of ISO/IEC 27001 and ISO/IEC 27002 can be traced back to the British Standard BS 7799, first published in 1995 by the British Standards Institution (BSI). BS 7799 was one of the first formalized attempts to create a structured, policy-driven approach to information security.
Recognizing the value of a universal framework, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) adopted and expanded the British standard:
2000: BS 7799-1, the code of practice, was adopted as ISO/IEC 17799.
2005: ISO/IEC 27001 was first published, replacing BS 7799-2 as the formal specification for a certifiable ISMS. ISO/IEC 17799 was revised the same year and renumbered ISO/IEC 27002 in 2007, providing the implementation guidance.
2013: Major revisions aligned both standards with the Annex SL high-level structure shared by other ISO management system standards.
2022: The current editions (ISO/IEC 27002:2022 in February, ISO/IEC 27001:2022 in October) introduced updated terminology, consolidated the controls into four themes, and added control attributes to support a more flexible, risk-based selection of controls.
The ISO/IEC 27000 series is now maintained as a globally accepted framework for managing the Confidentiality, Integrity and Availability (CIA) of information assets. ISO/IEC 27001 and ISO/IEC 27002 are industry-agnostic, but their adoption is especially prominent in sectors where data sensitivity is high, regulatory scrutiny is intense, and client trust is essential.
Banks, credit card processors, fintech companies and insurers often use ISO 27001 to reinforce internal governance and meet regulatory obligations such as GLBA, PCI DSS, or SOX.
Healthcare providers and service vendors adopt ISO 27001 to demonstrate compliance with privacy and security regulations such as HIPAA, GDPR and country-specific health data laws.
SaaS, IaaS and PaaS providers use ISO/IEC 27001 as a contractual differentiator and compliance benchmark for customers in regulated sectors.
Defense and aerospace contractors are often mandated to follow frameworks such as NIST SP 800-171, but ISO/IEC 27001 certification is frequently accepted as an international benchmark of due care, particularly for non-US-based firms. Certification complements rather than replaces a mandated framework: where a contract requires NIST SP 800-171, conformity to that framework must still be demonstrated directly.
Entities handling sensitive client data (legal records, intellectual property, merger and acquisition documentation) use ISO 27001 to reduce liability and align with clients’ security expectations.
ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining and continually improving an ISMS. Its mandatory requirements are set out in Clauses 4 through 10, which follow the Annex SL structure and map onto a Plan-Do-Check-Act (PDCA) lifecycle; the 2013 and 2022 editions no longer prescribe PDCA explicitly, but it remains the practical way to read them. The core elements are:
Context of the organization (Clause 4): Organizations must determine internal and external issues, identify interested parties (e.g., customers, regulators) and their requirements, including legal and contractual obligations, and define the scope of the ISMS. This contextual understanding drives the design of the ISMS.
Leadership (Clause 5): Top management must demonstrate leadership and commitment to information security, establish the information security policy, assign roles and responsibilities (e.g., CISO, ISMS lead), and integrate ISMS objectives with business strategy.
Planning (Clause 6): A defined, repeatable information security risk assessment process is required, with risk criteria and named risk owners. Organizations then select risk treatment options, determine the controls necessary to treat the risks, and compare them against Annex A to verify that no necessary control has been overlooked (controls may also be drawn from other sources). The result is a risk treatment plan approved by the risk owners and a Statement of Applicability (SoA) listing the necessary controls, the justification for including them, whether they are implemented, and the justification for excluding any Annex A control. Measurable information security objectives are also set here.
Support (Clause 7): ISO/IEC 27001 requires adequate resources, demonstrated competence for the people whose work affects ISMS performance, security awareness, planned internal and external communication, and controlled documented information.
Operation (Clause 8): The processes needed to meet the requirements above must be planned, implemented and controlled, including risk assessments at planned intervals and execution of the risk treatment plan. In practice this is where operational areas such as change management, supplier security, incident response, access control and business continuity are run day to day.
Performance evaluation (Clause 9): Ongoing monitoring, measurement, analysis and evaluation, internal audits at planned intervals, and management reviews are required to verify effectiveness and track nonconformities.
Improvement (Clause 10): Organizations must react to nonconformities, whether surfaced by incidents, internal audit findings or shifts in risk, with corrective actions, evaluate whether those actions worked, and continually improve the suitability, adequacy and effectiveness of the ISMS.
While ISO/IEC 27001 contains high-level requirements, ISO/IEC 27002 provides specific guidance for implementing the controls listed in Annex A of ISO/IEC 27001. The 2022 revision merged, renamed and extended the previous 114 controls in 14 clauses into 93 controls (11 of them new) organized into four themes:
Organizational controls (37): information security policies, roles and responsibilities, segregation of duties, supplier relationships and third-party risk management, asset inventory, classification and information handling, threat intelligence, use of cloud services, incident management, ICT readiness for business continuity, and legal, regulatory and contractual compliance.
People controls (8): screening and background checks, terms and conditions of employment, security awareness and training, a disciplinary process for policy violations, responsibilities after termination or change of employment, confidentiality agreements, remote working, and reporting of information security events.
Physical controls (14): physical security perimeters and entry controls, securing offices and facilities, physical security monitoring, protection against environmental threats, clear desk and clear screen, equipment siting, maintenance and secure disposal, and cabling security.
Technological controls (34): user endpoint devices, privileged access rights and authentication, malware protection, technical vulnerability management, configuration management, data deletion, masking and leakage prevention, backup and redundancy, logging and monitoring, network security and segregation, cryptography, and the secure development life cycle including secure coding and security testing.
ISO/IEC 27002:2022 also assigns attributes to each control: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities, and security domains. These let organizations filter and group the controls into views that match their business objectives, regulatory obligations and other frameworks in use.
Implementing ISO/IEC 27001 and ISO/IEC 27002 involves the following steps:
Organizations typically begin with a gap assessment comparing their existing security program to the ISO/IEC 27001:2022 requirements and ISO/IEC 27002 implementation guidance. This identifies deficiencies and establishes a roadmap for ISMS development.
Clearly delineating the boundaries of the ISMS (geographies, departments, technologies) ensures controls are contextually appropriate and avoids overextension.
Essential documents include: ISMS Scope, Policy and Objectives; Risk Assessment and Risk Treatment Methodology; Risk Register and Risk Treatment Plan; Statement of Applicability (SoA); Control Procedures and Technical Standards; Internal Audit Programme, Audit Reports and Management Review Records; and Evidence of Competence and Awareness.
Of the 93 controls in Annex A of ISO/IEC 27001:2022 (detailed in ISO/IEC 27002:2022), organizations must determine which are necessary based on their risk assessment, implement them in operational systems and processes, and document both the rationale for each inclusion or exclusion and evidence that the implemented controls are effective.
ISO/IEC 27001 requires organizations to determine the competence needed by people whose work affects the ISMS, to ensure they have it, and to make everyone under the organization's control aware of the security policy, their own contribution, and the implications of nonconformity. In practice this means training that is role-based, measurable and repeated periodically, with records retained as evidence.
Senior leadership must review ISMS performance at planned intervals and act on the results, including audit findings, nonconformities and changes in risk. Internal audits must likewise be conducted at planned intervals; an annual cycle covering the full scope of the ISMS is common. They assess conformity, identify systemic weaknesses, and feed corrective action and continual improvement.
Certification is granted by an accredited certification body after an initial audit in two stages: a Stage 1 review of the ISMS documentation and readiness, followed by a Stage 2 assessment of implementation and effectiveness. Surveillance audits then follow, typically annually, with recertification every three years. Organizations seeking certification must demonstrate conformity with each requirement of Clauses 4 through 10, effective operation of the controls declared in the SoA, and operational evidence of both.
ISO/IEC 27001 and ISO/IEC 27002 are documentation-intensive standards. Unlike frameworks that accept a control as present simply because it can be observed in operation, ISO/IEC 27001 requires explicit, maintained and auditable documented information as evidence of conformity.
Documentation is required for: Defining the ISMS framework (scope, policies, risk methodology); Articulating how each Annex A control is applied or excluded (via the Statement of Applicability); Demonstrating control implementation (procedures, logs, records); Tracking audit findings and management responses; and Recording security events, training and asset management.
Well-maintained documentation accelerates certification and reduces audit fatigue.
In breach scenarios, documentation can demonstrate due diligence and mitigate liability.
Policies and procedures create consistency in security operations across teams and geographies.
ISO 27001-aligned documentation often serves as the foundation for responding to customer security questionnaires, RFPs and vendor assessments.
Weak or templated documentation is a common source of non-conformity findings during ISO audits. Organizations that treat documentation as a living asset — where it is regularly reviewed, updated and integrated into security operations — are better positioned to sustain compliance and reduce enterprise risk.